 Cisco Certification: Configuring CHAP on ISDN
Shawn Tracer
« Posted: February 25, 2008, 12:42:19 PM »


Cisco Certification: Configuring CHAP on ISDN
 by: Chris Bryant, CCIE #12933

Introduction To ISDN, Part IV: Configuring PPP CHAP Authentication

In part III of this ISDN tutorial, we learned that PPP has two main methods of authentication that Cisco certification candidates need to know how to configure: PAP and CHAP.

PAP has very few advantages over CHAP. PAP passwords are carried over the line in clear text, which in today’s world is a very bad idea. PAP also requires additional configuration with the “ppp pap sent-username” command, so anyone who can see your running configuration can also see the PAP password.

The only advantage PAP has over CHAP is a slim one. With PAP, a different password can be used by each of the routers involved in the authentication. CHAP requires that the password be the same. Why? We’ll see as we examine CHAP authentication.

The First Step to Configuring CHAP

CHAP requires you to configure a username / password combination for any remote device that will be involved in authentication. (We’re assuming that the routers have already been configured with their names via the global hostname command.) Both routers will use the password CISCO.

R1:

username R3 password CISCO

int bri0
    encapsulation ppp
    ppp authentication chap

R3:

username R1 password CISCO

int bri0
    encapsulation ppp
    ppp authentication chap


Why CHAP Authentication Requires The Same Password On Both Routers

Remember how PAP sends the password over the line in clear-text? CHAP does not actually send the password over the line at all. Instead, CHAP runs a hash algorithm using the password and a random number. It is the result of this hash that is passed over the link. The remote router receives the hash result, and runs the exact same algorithm. If the result is the same, the authentication attempt will be successful. If the result is different, the authentication will fail. For this reason, the passwords must be the same.

The random number is just that – random. It cannot be configured at the command-line interface.

Note that there is no “sent-password” command, as we had to use with PAP.
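
The hash exchange described above, sketched in Python as an added example (not code from the original article or from Cisco). It follows the RFC 1994 packet layout with MD5; the function names and the 16-byte challenge size are assumptions, the latter chosen because it reproduces the "len 23" and "len 4" values seen in the debug output later in this article.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 CHAP codes


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value: MD5 over identifier, shared secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_packet(code: int, ident: int, value: bytes = b"", name: bytes = b"") -> bytes:
    """Code, Identifier, Length; Challenge/Response add Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name if code in (CHALLENGE, RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(pkt: bytes):
    """Return (code, ident, value, name), rejecting inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    if code not in (CHALLENGE, RESPONSE):
        return code, ident, b"", b""
    if length < 5 or 5 + pkt[4] > length:
        raise ValueError("value size exceeds packet")
    return code, ident, pkt[5:5 + pkt[4]], pkt[5 + pkt[4]:]


def one_way_chap(auth_name, auth_users, peer_name, peer_secret, ident=1):
    """Authenticator challenges peer; returns the three packets on the wire."""
    challenge = os.urandom(16)  # assumption: 16 bytes, matching "len 23"
    sent = build_packet(CHALLENGE, ident, challenge, auth_name)
    # Peer: hash the password it has configured for the challenger.
    _, cid, cval, _ = parse_packet(sent)
    reply = build_packet(RESPONSE, cid, chap_hash(cid, peer_secret, cval), peer_name)
    # Authenticator: look up "username <peer> password ..." and recompute.
    _, rid, rval, rname = parse_packet(reply)
    secret = auth_users.get(rname)
    ok = (secret is not None and rid == ident
          and hmac.compare_digest(rval, chap_hash(rid, secret, challenge)))
    return [sent, reply, build_packet(SUCCESS if ok else FAILURE, ident)]


if __name__ == "__main__":
    for pkt in one_way_chap(b"R3", {b"R1": b"CISCO"}, b"R1", b"CISCO"):
        print(pkt[0], len(pkt), pkt.hex())
```

Each call models one direction only; the debug output shows the routers running it in both directions, which is why each side needs a username entry for the other.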

Debug The Connection If Authentication Fails

Since two passwords are involved, the chances of one of the passwords being mistyped double. If you configure CHAP and the link dials but drops almost immediately, there’s an authentication problem. Run debug ppp negotiation and attempt to dial the line again. The output of this particular debug will show you where the problem is.

Here, we’ll run debug ppp negotiation to see what a successful CHAP authentication looks like:

Examining the CHAP authentication process with “debug ppp negotiation”.

R3#debug ppp negotiation
PPP protocol negotiation debugging is on
R3#ping 172.12.21.1

BR0:1 PPP: Phase is AUTHENTICATING, by both

BR0:1 CHAP: O CHALLENGE id 1 len 23 from "R3"

BR0:1 CHAP: I CHALLENGE id 1 len 23 from "R1"

BR0:1 CHAP: O RESPONSE id 1 len 23 from "R3"

BR0:1 CHAP: I SUCCESS id 1 len 4

BR0:1 CHAP: I RESPONSE id 1 len 23 from "R1"

BR0:1 CHAP: O SUCCESS id 1 len 4

The output of debug ppp negotiation with CHAP is different than the output of the same command when PAP is run. Remember that CHAP stands for Challenge Handshake Authentication Protocol, and by running this vital debug, you can see the challenges being made, responded to, and the success or failure of the negotiation.

Another important ISDN command, show dialer, tells us that the ISDN link is up, what the source and destination packet was that brought it up (“interesting traffic”), the time until disconnect, and what phone number it’s connected to.

It’s important to remember that while by default, any traffic can cross the link once it’s up, only interesting traffic resets the idle-timer.

In the next section of my ISDN tutorial, we’ll look at some common ISDN configuration problems, how to debug them, and how to solve them.

To your success,

Chris Bryant
CCIE #12933

About The Author

Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage. The Bryant Advantage's website offers FREE ebooks and tutorials for the CCNA and CCNP exams, FREE subscriptions to "Cisco Certification Central", and sells the best CCNA and CCNP prep courses and books on the market today. Visit his site at www.thebryantadvantage.com today!
