I have configured 2 routers with PPP as below:
username R2 password 0 vivek
ip address 126.96.36.199 255.0.0.0
ppp authentication chap
clock rate 56000
username R1 password 0 vivek
ip address 188.8.131.52 255.0.0.0
question: I haven't authenticated ppp with chap on router1 but still both routers are able to ping each other. is this normal ?
attahed the ptt fie too.
thanks in advance
No, i haven't look at the PKT files, i don't have Packet Tracert installed. Packet Tracert is wrong in this case, but you have to be careful because some configurations could work very well in Packet Tracert, but not in real gear as you might expect.
That is normal, PPP chap will not invoke the challange handshake unless you put ppp auth chap on both interfaces.
Run a debug from R1# or R2# for ppp auth chap and you will see it does not even try to authenticate.
Put ppp authentication chap on the serial interface that does not have it and you will see the challange handshake.
Its not just PT, I just tried this out on GNS3.
Actually, my recollection was that this would probably work with CHAP, but not PAP. I labbed it in GNS3 and confirmed my recollection with CHAP. With CHAP, the authenticating router sends a challenge to the other end. If you only enable authentication on one end as in this example, it will work provided the password matches. In this case R0 asks R1 for credentials. R1 doesn't check the validity of R0. If CHAP authentication is enabled on both ends, each RTR verifies the other end. It might work differently for CHAP.
when one side has both encap ppp and the ppp auth. cap. set and the other has only ppp encap set, this is the debug output that comes up as soon as you set the other side to ppp encap...
00:03:05: Se0/0 PPP: Authorization NOT required
00:03:05: Se0/0 CHAP: O CHALLENGE id 3 len 23 from "R1"
00:03:09: Se0/0 PPP: Authorization NOT required
00:03:09: Se0/0 CHAP: O CHALLENGE id 4 len 23 from "R1"
00:03:11: Se0/0 PPP: Authorization NOT required
00:03:11: Se0/0 CHAP: O CHALLENGE id 5 len 23 from "R1"
00:03:14: Se0/0 PPP: Authorization NOT required
00:03:14: Se0/0 CHAP: O CHALLENGE id 6 len 23 from "R1"
I'm using R1 and R2 instead of R0 and R1.
Here's what I get on the end with authentication enabled--
*Mar 1 00:06:32.875: Se0/0 PPP: Authorization required
*Mar 1 00:06:32.891: Se0/0 CHAP: O CHALLENGE id 36 len 23 from "R1"
*Mar 1 00:06:32.899: Se0/0 CHAP: I RESPONSE id 36 len 23 from "R2"
*Mar 1 00:06:32.899: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:06:32.903: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:06:32.903: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:06:32.903: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:06:32.903: Se0/0 CHAP: O SUCCESS id 36 len 4
*Mar 1 00:06:32.903: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:06:32.907: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
And here is what I get on the one without authentication enabled.
*Mar 1 00:06:32.331: Se0/0 PPP: Using default call direction
*Mar 1 00:06:32.335: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 00:06:32.335: Se0/0 PPP: Session handle[A6000005] Session id
*Mar 1 00:06:32.335: Se0/0 PPP: Authorization required
*Mar 1 00:06:32.351: Se0/0 PPP: No authorization without authentication
*Mar 1 00:06:32.355: Se0/0 CHAP: I CHALLENGE id 36 len 23 from "R1"
*Mar 1 00:06:32.355: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 00:06:32.355: Se0/0 CHAP: Using password from AAA
*Mar 1 00:06:32.355: Se0/0 CHAP: O RESPONSE id 36 len 23 from "R2"
*Mar 1 00:06:32.359: Se0/0 CHAP: I SUCCESS id 36 len 4
Yeah, I get the same output also --
I was only able to see that output I got when I first physically configured the second router with encapsulation only (no auth.) and debug was running ...seems to only come up then and never come back after that...(and the other side already ppp encap and ppp authen chap)
so the way Im looking at it is that with one side lacking the auth command (but set to ppp encap), the router goes through some motions that look like chap challange handshake, but lets the communication happen since the other side is not configured to authenticate.
Ok, so my experiment is over. Tried both the 2600 and 3700 (advsec12.4-15T1) in gns and the results are the same. You can ping through to the far side of ppp even if authentication is left off of one side...you just have to have encap ppp on both ends.
The tricky part of this is interpreting the authentication debugs.
If you go to the router that is NOT configured with "ppp authenticate chap", and remove the username, it should fail. This experiment is only require authentication in one direction. So it is still authenticating, it just isn't mutually authenticating in both directions.
thank you daze, so this working is normal? is it the same way in real routers too?
why the router with 'chap authentication' is not asking the other router for the same chap authentication, actually it should, right? please correct me if I am wrong here, because I understood it this way.