19 Replies. Latest reply: Mar 18, 2012 2:00 PM by Paul Stewart - CCIE Security

    PPP working?

    prithivi

      Hi,

       

      I have configured 2 routers with PPP as below:

       

       

      Router0:
      hostname R1
      !
      !
      username R2 password 0 vivek
      !
      !
      !
      interface Serial0/0
       ip address 6.0.0.1 255.0.0.0
       encapsulation ppp
       ppp authentication chap
       clock rate 56000

      ------------------------------------------------------

      Router1:
      hostname R2
      !
      !
      username R1 password 0 vivek
      !
      !
      !
      interface Serial0/0
       ip address 6.0.0.2 255.0.0.0
       encapsulation ppp

       

      Question: I haven't authenticated ppp with chap on router1 but still both routers are able to ping each other. Is this normal?

      Attached the ptt file too.

      Thanks in advance

      prithivi

        • 1. Re: PPP working?
          Elvin Arias

          No, it is not normal. On real gear those routers will not be able to communicate with each other in this case.

           

          Elvin

          • 2. Re: PPP working?
            prithivi

            Thanks Elvin, did you happen to look at the ptt file?

            So there must be some problem with Packet Tracer, but as per theory it should not communicate, right?

            • 3. Re: PPP working?
              Elvin Arias

              No, I haven't looked at the PKT files; I don't have Packet Tracer installed. Packet Tracer is wrong in this case, but you have to be careful because some configurations could work very well in Packet Tracer, but not in real gear as you might expect.

               

              Elvin

              • 4. Re: PPP working?
                just plain old Kev

                That is normal, PPP chap will not invoke the challenge handshake unless you put ppp auth chap on both interfaces.

                Run a debug from R1# or R2# for ppp auth chap and you will see it does not even try to authenticate.

                Put ppp authentication chap on the serial interface that does not have it and you will see the challenge handshake.

                It's not just PT, I just tried this out on GNS3.

                 

                Kevin

                • 5. Re: PPP working?
                  Paul Stewart  -  CCIE Security

                  Actually, my recollection was that this would probably work with CHAP, but not PAP. I labbed it in GNS3 and confirmed my recollection with CHAP. With CHAP, the authenticating router sends a challenge to the other end. If you only enable authentication on one end as in this example, it will work provided the password matches. In this case R0 asks R1 for credentials. R1 doesn't check the validity of R0. If CHAP authentication is enabled on both ends, each RTR verifies the other end. It might work differently for CHAP.

                  • 6. Re: PPP working?
                    just plain old Kev

                    When one side has both encap ppp and the ppp auth. chap set and the other has only ppp encap set, this is the debug output that comes up as soon as you set the other side to ppp encap...

                    R1#
                    00:03:05: Se0/0 PPP: Authorization NOT required
                    00:03:05: Se0/0 CHAP: O CHALLENGE id 3 len 23 from "R1"
                    R1#
                    00:03:09: Se0/0 PPP: Authorization NOT required
                    00:03:09: Se0/0 CHAP: O CHALLENGE id 4 len 23 from "R1"
                    R1#
                    00:03:11: Se0/0 PPP: Authorization NOT required
                    00:03:11: Se0/0 CHAP: O CHALLENGE id 5 len 23 from "R1"
                    R1#
                    00:03:14: Se0/0 PPP: Authorization NOT required
                    00:03:14: Se0/0 CHAP: O CHALLENGE id 6 len 23 from "R1"
                    R1#

                    • 7. Re: PPP working?
                      Paul Stewart  -  CCIE Security

                      I'm using R1 and R2 instead of R0 and R1.

                       

                      Here's what I get on the end with authentication enabled:

                      R1(config-if)#
                      *Mar  1 00:06:32.875: Se0/0 PPP: Authorization required
                      *Mar  1 00:06:32.891: Se0/0 CHAP: O CHALLENGE id 36 len 23 from "R1"
                      *Mar  1 00:06:32.899: Se0/0 CHAP: I RESPONSE id 36 len 23 from "R2"
                      *Mar  1 00:06:32.899: Se0/0 PPP: Sent CHAP LOGIN Request
                      *Mar  1 00:06:32.903: Se0/0 PPP: Received LOGIN Response PASS
                      *Mar  1 00:06:32.903: Se0/0 PPP: Sent LCP AUTHOR Request
                      *Mar  1 00:06:32.903: Se0/0 LCP: Received AAA AUTHOR Response PASS
                      *Mar  1 00:06:32.903: Se0/0 CHAP: O SUCCESS id 36 len 4
                      *Mar  1 00:06:32.903: Se0/0 PPP: Sent CDPCP AUTHOR Request
                      *Mar  1 00:06:32.907: Se0/0 CDPCP: Received AAA AUTHOR Response PASS

                      And here is what I get on the one without authentication enabled.

                      *Mar  1 00:06:32.331: Se0/0 PPP: Using default call direction
                      *Mar  1 00:06:32.335: Se0/0 PPP: Treating connection as a dedicated line
                      *Mar  1 00:06:32.335: Se0/0 PPP: Session handle[A6000005] Session id[0]
                      *Mar  1 00:06:32.335: Se0/0 PPP: Authorization required
                      *Mar  1 00:06:32.351: Se0/0 PPP: No authorization without authentication
                      *Mar  1 00:06:32.355: Se0/0 CHAP: I CHALLENGE id 36 len 23 from "R1"
                      *Mar  1 00:06:32.355: Se0/0 CHAP: Using hostname from unknown source
                      *Mar  1 00:06:32.355: Se0/0 CHAP: Using password from AAA
                      *Mar  1 00:06:32.355: Se0/0 CHAP: O RESPONSE id 36 len 23 from "R2"
                      *Mar  1 00:06:32.359: Se0/0 CHAP: I SUCCESS id 36 len 4

                      • 8. Re: PPP working?
                        just plain old Kev

                        Yeah, I get the same output also --

                         

                        I was only able to see that output I got when I first physically configured the second router with encapsulation only (no auth.) and debug was running ...seems to only come up then and never come back after that...(and the other side already ppp encap and ppp authen chap)

                        • 9. Re: PPP working?
                          just plain old Kev

                          So the way I'm looking at it is that with one side lacking the auth command (but set to ppp encap), the router goes through some motions that look like chap challenge handshake, but lets the communication happen since the other side is not configured to authenticate.

                          • 10. Re: PPP working?
                            just plain old Kev

                            I'm getting various results now, so please consider my posts as tentative...

                            In between GNS crashing, I'm seeing some interesting stuff.

                            • 11. Re: PPP working?
                              just plain old Kev

                              Ok, so my experiment is over.  Tried both the 2600 and 3700 (advsec12.4-15T1) in gns and the results are the same.  You can ping through to the far side of ppp even if authentication is left off of one side...you just have to have encap ppp on both ends.

                               

                              The tricky part of this is interpreting the authentication debugs.

                               

                              Bye. 

                              • 12. Re: PPP working?
                                Paul Stewart  -  CCIE Security

                                If you go to the router that is NOT configured with "ppp authenticate chap", and remove the username, it should fail. This experiment only requires authentication in one direction. So it is still authenticating, it just isn't mutually authenticating in both directions.
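
The one-way versus mutual CHAP behaviour discussed in this thread, as an added example that is not part of any post: a simplified model using the RFC 1994 response formula MD5(Identifier || secret || Challenge). The `Router` class and `bring_up_link` function are hypothetical names, the `users` dict stands in for `username ... password ...` lines, and LCP negotiation is not modelled.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:  # hypothetical model, not IOS code
    def __init__(self, hostname, users, require_chap):
        self.hostname = hostname
        self.users = users                # models `username <peer> password <secret>`
        self.require_chap = require_chap  # models `ppp authentication chap`

    def respond(self, ident, challenge, challenger):
        # The secret is looked up under the name carried in the CHALLENGE.
        secret = self.users.get(challenger)
        if secret is None:
            return None                   # no entry for the challenger: cannot answer
        return self.hostname, chap_response(ident, secret, challenge)

    def verify(self, ident, challenge, reply):
        if reply is None or reply[0] not in self.users:
            return False
        expected = chap_response(ident, self.users[reply[0]], challenge)
        return hmac.compare_digest(reply[1], expected)


def bring_up_link(a, b):
    """Return (link_up, {hostname: True if that router verified its peer})."""
    verified = {a.hostname: False, b.hostname: False}
    for ident, (auth, peer) in enumerate(((a, b), (b, a)), start=1):
        if not auth.require_chap:
            continue                      # this side never sends a CHALLENGE
        challenge = os.urandom(16)
        reply = peer.respond(ident, challenge, auth.hostname)
        if not auth.verify(ident, challenge, reply):
            return False, verified        # CHAP FAILURE: link stays down
        verified[auth.hostname] = True
    return True, verified


if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"vivek"}, require_chap=True)
    for label, r2 in [("thread's config", Router("R2", {"R1": b"vivek"}, False)),
                      ("R2 username removed", Router("R2", {}, False)),
                      ("CHAP on both ends", Router("R2", {"R1": b"vivek"}, True))]:
        print(label, bring_up_link(r1, r2))
```

With the thread's configuration the link comes up but only R1 has verified its peer; R2 has accepted R1 without any proof of identity, which is the gap that enabling CHAP on both ends closes.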

                                • 13. Re: PPP working?
                                  just plain old Kev

                                  Yep...it all comes back now...one way and two way...very good.

                                  Thanks,

                                  • 14. Re: PPP working?
                                    prithivi

                                    Thank you daze, so this working is normal? Is it the same way in real routers too?

                                    Why is the router with 'chap authentication' not asking the other router for the same chap authentication? Actually it should, right? Please correct me if I am wrong here, because I understood it this way.