2815 Views 19 Replies Latest reply: Mar 18, 2012 2:00 PM by Paul Stewart - CCIE Security, CCSI

PPP working?

Mar 17, 2012 2:23 PM

prithivi 46 posts since
Jun 20, 2010

Hi,

 

I have configured 2 routers with PPP as below:

 

 

Router0:

hostname R1
!
!
username R2 password 0 vivek
!
!
!
interface Serial0/0
 ip address 6.0.0.1 255.0.0.0
 encapsulation ppp
 ppp authentication chap
 clock rate 56000

------------------------------------------------------

Router1:

hostname R2
!
!
username R1 password 0 vivek
!
!
!
interface Serial0/0
 ip address 6.0.0.2 255.0.0.0
 encapsulation ppp

 

Question: I haven't authenticated ppp with chap on router1 but still both routers are able to ping each other. Is this normal?

Attached the ptt file too.

 

thanks in advance

prithivi

  • Elvin Arias 1,833 posts since
    Mar 12, 2010
    1. Mar 17, 2012 2:24 PM (in response to prithivi)
    Re: PPP working?

    No, it is not normal. On real gear those routers will not be able to communicate with each other in this case.

     

    Elvin

  • Elvin Arias 1,833 posts since
    Mar 12, 2010
    3. Mar 17, 2012 3:20 PM (in response to prithivi)
    Re: PPP working?

    No, I haven't looked at the PKT files; I don't have Packet Tracer installed. Packet Tracer is wrong in this case, but you have to be careful because some configurations could work very well in Packet Tracer, but not in real gear as you might expect.

     

    Elvin

  • 4. Mar 17, 2012 4:25 PM (in response to prithivi)
    Re: PPP working?

    That is normal, PPP chap will not invoke the challenge handshake unless you put ppp auth chap on both interfaces.

    Run a debug from R1# or R2# for ppp auth chap and you will see it does not even try to authenticate.

    Put ppp authentication chap on the serial interface that does not have it and you will see the challenge handshake.

    It's not just PT, I just tried this out on GNS3.

     

    Kevin

  • Paul Stewart  -  CCIE Security, CCSI 6,956 posts since
    Jul 18, 2008
    5. Mar 17, 2012 4:33 PM (in response to prithivi)
    Re: PPP working?

    Actually, my recollection was that this would probably work with CHAP, but not PAP. I labbed it in GNS3 and confirmed my recollection with CHAP. With CHAP, the authenticating router sends a challenge to the other end. If you only enable authentication on one end as in this example, it will work provided the password matches. In this case R0 asks R1 for credentials. R1 doesn't check the validity of R0. If CHAP authentication is enabled on both ends, each RTR verifies the other end. It might work differently for CHAP.
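
The one-way behaviour described in this reply, as an added example that is not part of the original thread: a simplified Python model of the RFC 1994 CHAP exchange, in which only the side with authentication enabled issues a challenge. The `Router` class, its fields and `negotiate` are hypothetical stand-ins for the IOS configuration lines in the question, not Cisco code.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    """Simplified model of one end of the link (hypothetical, not IOS code)."""
    def __init__(self, hostname, usernames, auth_chap):
        self.hostname = hostname
        self.usernames = usernames   # {"R2": b"vivek"} ~ "username R2 password 0 vivek"
        self.auth_chap = auth_chap   # True ~ "ppp authentication chap" on the interface

    def respond(self, ident, challenge, challenger):
        # The challenged side picks the secret stored under the challenger's name.
        secret = self.usernames.get(challenger)
        if secret is None:
            return None              # no matching username entry: cannot answer
        return self.hostname, chap_response(ident, secret, challenge)

    def verify(self, peer):
        if not self.auth_chap:
            return "not requested"   # this side never challenges the peer
        ident, challenge = 36, os.urandom(16)
        reply = peer.respond(ident, challenge, self.hostname)
        if reply is None:
            return "failure"
        name, value = reply
        secret = self.usernames.get(name)
        if secret is None:
            return "failure"
        expected = chap_response(ident, secret, challenge)
        return "success" if hmac.compare_digest(value, expected) else "failure"

def negotiate(a, b):
    """Who verified whom, keyed by the verifying router's hostname."""
    return {a.hostname: a.verify(b), b.hostname: b.verify(a)}

if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"vivek"}, auth_chap=True)
    r2 = Router("R2", {"R1": b"vivek"}, auth_chap=False)
    print(negotiate(r1, r2))   # one-way: only R1 verifies R2
```

A result of "not requested" for one hostname means that router accepted its neighbour without any proof of identity, which is the gap that enabling CHAP on both interfaces closes.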

  • Re: PPP working?

    When one side has both encap ppp and the ppp auth. chap set and the other has only ppp encap set, this is the debug output that comes up as soon as you set the other side to ppp encap...

     

    R1#
    00:03:05: Se0/0 PPP: Authorization NOT required
    00:03:05: Se0/0 CHAP: O CHALLENGE id 3 len 23 from "R1"
    R1#
    00:03:09: Se0/0 PPP: Authorization NOT required
    00:03:09: Se0/0 CHAP: O CHALLENGE id 4 len 23 from "R1"
    R1#
    00:03:11: Se0/0 PPP: Authorization NOT required
    00:03:11: Se0/0 CHAP: O CHALLENGE id 5 len 23 from "R1"
    R1#
    00:03:14: Se0/0 PPP: Authorization NOT required
    00:03:14: Se0/0 CHAP: O CHALLENGE id 6 len 23 from "R1"
    R1#

  • Paul Stewart  -  CCIE Security, CCSI 6,956 posts since
    Jul 18, 2008
    7. Mar 17, 2012 5:02 PM (in response to just plain old Kev)
    Re: PPP working?

    I'm using R1 and R2 instead of R0 and R1.

     

    Here's what I get on the end with authentication enabled--

     

    R1(config-if)#
    *Mar  1 00:06:32.875: Se0/0 PPP: Authorization required
    *Mar  1 00:06:32.891: Se0/0 CHAP: O CHALLENGE id 36 len 23 from "R1"
    *Mar  1 00:06:32.899: Se0/0 CHAP: I RESPONSE id 36 len 23 from "R2"
    *Mar  1 00:06:32.899: Se0/0 PPP: Sent CHAP LOGIN Request
    *Mar  1 00:06:32.903: Se0/0 PPP: Received LOGIN Response PASS
    *Mar  1 00:06:32.903: Se0/0 PPP: Sent LCP AUTHOR Request
    *Mar  1 00:06:32.903: Se0/0 LCP: Received AAA AUTHOR Response PASS
    *Mar  1 00:06:32.903: Se0/0 CHAP: O SUCCESS id 36 len 4
    *Mar  1 00:06:32.903: Se0/0 PPP: Sent CDPCP AUTHOR Request
    *Mar  1 00:06:32.907: Se0/0 CDPCP: Received AAA AUTHOR Response PASS

     

    And here is what I get on the one without authentication enabled.

     

    *Mar  1 00:06:32.331: Se0/0 PPP: Using default call direction
    *Mar  1 00:06:32.335: Se0/0 PPP: Treating connection as a dedicated line
    *Mar  1 00:06:32.335: Se0/0 PPP: Session handle[A6000005] Session id[0]
    *Mar  1 00:06:32.335: Se0/0 PPP: Authorization required
    *Mar  1 00:06:32.351: Se0/0 PPP: No authorization without authentication
    *Mar  1 00:06:32.355: Se0/0 CHAP: I CHALLENGE id 36 len 23 from "R1"
    *Mar  1 00:06:32.355: Se0/0 CHAP: Using hostname from unknown source
    *Mar  1 00:06:32.355: Se0/0 CHAP: Using password from AAA
    *Mar  1 00:06:32.355: Se0/0 CHAP: O RESPONSE id 36 len 23 from "R2"
    *Mar  1 00:06:32.359: Se0/0 CHAP: I SUCCESS id 36 len 4
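
An added example, not part of the original posts: a small Python parser that reads `debug ppp authentication` style lines like the ones quoted in this thread and reports which direction of CHAP completed, which helps when auditing whether a link is mutually authenticated. The sample lines are copied from the posts above; the function name and result keys are assumptions made for this example.

```python
import re

# Matches lines such as: Se0/0 CHAP: O CHALLENGE id 36 len 23 from "R1"
CHAP_LINE = re.compile(r"CHAP: ([IO]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (\d+)")

def classify(debug_text):
    """Summarize CHAP direction from one router's authentication debug output."""
    seen = {m.groups() for m in CHAP_LINE.finditer(debug_text)}
    ids = sorted({int(i) for _, _, i in seen})
    out = {"local_verified_peer": False, "peer_verified_local": False,
           "unanswered_challenges": []}
    for n in ids:
        i = str(n)
        if ("O", "CHALLENGE", i) in seen:
            if ("I", "RESPONSE", i) not in seen:
                out["unanswered_challenges"].append(n)   # we asked, nobody answered
            elif ("O", "SUCCESS", i) in seen:
                out["local_verified_peer"] = True        # we challenged and accepted
        if {("I", "CHALLENGE", i), ("O", "RESPONSE", i), ("I", "SUCCESS", i)} <= seen:
            out["peer_verified_local"] = True            # peer challenged and accepted us
    out["mutual"] = out["local_verified_peer"] and out["peer_verified_local"]
    return out

# Lines copied from the thread: side with "ppp authentication chap" configured.
R1_DEBUG = '''
*Mar  1 00:06:32.891: Se0/0 CHAP: O CHALLENGE id 36 len 23 from "R1"
*Mar  1 00:06:32.899: Se0/0 CHAP: I RESPONSE id 36 len 23 from "R2"
*Mar  1 00:06:32.903: Se0/0 CHAP: O SUCCESS id 36 len 4
'''
# Lines copied from the thread: side without authentication configured.
R2_DEBUG = '''
*Mar  1 00:06:32.355: Se0/0 CHAP: I CHALLENGE id 36 len 23 from "R1"
*Mar  1 00:06:32.355: Se0/0 CHAP: O RESPONSE id 36 len 23 from "R2"
*Mar  1 00:06:32.359: Se0/0 CHAP: I SUCCESS id 36 len 4
'''
# Lines copied from the earlier post: challenges sent with no response logged.
STALLED_DEBUG = '''
00:03:05: Se0/0 CHAP: O CHALLENGE id 3 len 23 from "R1"
00:03:09: Se0/0 CHAP: O CHALLENGE id 4 len 23 from "R1"
'''

if __name__ == "__main__":
    for name, text in [("R1", R1_DEBUG), ("R2", R2_DEBUG), ("stalled", STALLED_DEBUG)]:
        print(name, classify(text))
```

On a link configured for mutual authentication, a single router's debug should show both an outbound and an inbound challenge completing, so `mutual` comes back true.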

  • Re: PPP working?

    Yeah, I get the same output also --

     

    I was only able to see that output I got when I first physically configured the second router with encapsulation only (no auth.) and debug was running ...seems to only come up then and never come back after that...(and the other side already ppp encap and ppp authen chap)

  • 9. Mar 17, 2012 5:21 PM (in response to just plain old Kev)
    Re: PPP working?

    So the way I'm looking at it is that with one side lacking the auth command (but set to ppp encap), the router goes through some motions that look like chap challenge handshake, but lets the communication happen since the other side is not configured to authenticate.

  • 10. Mar 17, 2012 5:41 PM (in response to just plain old Kev)
    Re: PPP working?

    I'm getting various results now, so please consider my posts as tentative...

    In between GNS crashing, I'm seeing some interesting stuff.

  • 11. Mar 17, 2012 6:35 PM (in response to just plain old Kev)
    Re: PPP working?

    Ok, so my experiment is over.  Tried both the 2600 and 3700 (advsec12.4-15T1) in gns and the results are the same.  You can ping through to the far side of ppp even if authentication is left off of one side...you just have to have encap ppp on both ends.

     

    The tricky part of this is interpreting the authentication debugs.

     

    Bye. 

  • Paul Stewart  -  CCIE Security, CCSI 6,956 posts since
    Jul 18, 2008
    12. Mar 17, 2012 7:17 PM (in response to just plain old Kev)
    Re: PPP working?

    If you go to the router that is NOT configured with "ppp authenticate chap", and remove the username, it should fail. This experiment only requires authentication in one direction. So it is still authenticating, it just isn't mutually authenticating in both directions.

  • Re: PPP working?

    yep...it all comes back now...one way and two way...very good.

     

    thanks,
