RE: ISDN and CHAP

From: Shaun Nicholson (Shaun.Nicholson@xxxxxx)
Date: Wed Jan 03 2001 - 17:41:37 GMT-3


   
Ok the router 3 should not challenge means they want you to use ppp callin.

That means only one side challenges for authentication.

The configs I sent you will do that.

However I do not understand the bit about r5 using user9 as his chap name if r3
does not challenge what does it matter what his hostname is??

Are you sure that r3 should not use user9 as his hostname?? now that would make
 sense.

Or have I got it wrong

Shaun

kingmi1@yahoo.com on 01/03/2001 03:24:00 PM
To: Shaun Nicholson
cc:
Subject: RE: ISDN and CHAP

Shaun,

The problem states:
Only Router R5 should call
Router R5 should use "user9" as his chap name
Router R3 should not challenge

I have decided to use dialer interfaces. You do not
have to do that. I just find it easier. The below
config works. At least I can ping from R5 to R3. I'm
not sure, however, if R3 is not challenging. I don't
think it is because I don't have "ppp authentication
chap" on R3. Also, you mentioned the "ppp
authentication chap callin" command. I'm not sure if
I need that or not. Like I said though, my config is
working. Just not sure if it's what Cisco is looking
for.

Router R3
username user9 password 0 cisco
dialer-list 1 protocol ip permit

interface BRI0
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
!
interface Dialer1
 ip address 135.9.15.2 255.255.255.252
 encapsulation ppp
 dialer remote-name user9
 dialer pool 1
 dialer-group 1
 ppp chap refuse callin

Router R5
username R3 password 0 cisco
dialer-list 1 protocol ip permit

interface BRI0
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 0835866201 8358662
 isdn spid2 0835866401 8358664
 ppp authentication chap
!
interface Dialer1
 ip address 135.9.15.1 255.255.255.252
 encapsulation ppp
 dialer remote-name R3
 dialer string 8358661
 dialer pool 1
 dialer-group 1
 ppp authentication chap
 ppp chap hostname user9

--- Shaun Nicholson <Shaun.Nicholson@kp.org> wrote:
> OK I've lost the original email but I had a play
> with what you're trying to do and found some issues
> myself.
>
> First of all what are you trying to do.
> Why do I ask
> Well if you're trying to authenticate on one side only
> then you would use the command ppp authentication
> chap callin. That would cause only one side to
> challenge for a password. Now with Chap and correct
> me if I'm wrong both sides have to be running chap I
> don't think you can disable it on one side, But the
> above command will disable the challenge on one
> side. Is this what you were trying to do????
>
> Secondly the hostname bit
>
> Now on r2 I changed the hostname to test as you can
> see from my configs.
>
> I could however not get it to work by putting the
> ppp chap hostname on r1 which I think is something
> to do with the callin option.
>
>
> Does this help???
> if not post your email again as I've deleted it by
> mistake.
>
> Thanks
> Shaun
>
> r2#sh run
> !
> hostname r2
> !
> username r1 password 0 cisco
> username r2 password 0 cisco
> isdn switch-type basic-ni
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.0
> no ip directed-broadcast
> ip ospf network point-to-point
> !
> interface BRI0
> ip address 148.100.10.2 255.255.255.0
> no ip directed-broadcast
> encapsulation ppp
> dialer idle-timeout 60
> dialer map ip 148.100.10.1 name r1 broadcast
> dialer-group 1
> isdn switch-type basic-ni
> isdn spid1 30162572320101
> isdn spid2 30162572330101
> ppp authentication chap
> ppp chap hostname test
> !
> router ospf 8
> network 2.2.2.2 0.0.0.0 area 2
> network 148.100.10.0 0.0.0.255 area 12
> network 150.100.1.0 0.0.0.255 area 0
> network 150.100.20.0 0.0.0.255 area 2
> !
>
>
>
> r1#
>
> hostname r1
> !
> username r1 password 0 cisco
> username r2 password 0 cisco
> username test password 0 cisco
> isdn switch-type basic-ni
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> no ip directed-broadcast
> ip ospf network point-to-point
> !
> interface BRI0
> ip address 148.100.10.1 255.255.255.0
> no ip directed-broadcast
> encapsulation ppp
> ip ospf demand-circuit
> dialer idle-timeout 60
> dialer map ip 148.100.10.2 name r2 broadcast 3016257232
> dialer-group 1
> isdn switch-type basic-ni
> isdn spid1 30162572300101
> isdn spid2 30162572310101
> no peer neighbor-route
> ppp authentication chap callin
> !
> router ospf 8
> redistribute rip metric 30 metric-type 1 subnets
> network 1.1.1.1 0.0.0.0 area 1
> network 148.100.10.0 0.0.0.255 area 12
> network 150.100.1.0 0.0.0.255 area 0
> network 150.100.10.0 0.0.0.255 area 1
> !
>
> Here is the output of the negotiation as you can see
> the peer authenticates not both
>
> r1#ping 148.100.10.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 148.100.10.2, timeout is 2 seconds:
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 44/63/116 ms
> r1#
> 03:11:54: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 03:11:54: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 3016257232
> 03:11:54: BR0:1 PPP: Treating connection as a callout
> 03:11:54: BR0:1 PPP: Phase is ESTABLISHING, Active Open
> 03:11:54: BR0:1 PPP: No remote authentication for call-out
> 03:11:54: BR0:1 LCP: O CONFREQ [Closed] id 48 len 10
> 03:11:54: BR0:1 LCP: MagicNumber 0x00BBF45B (0x050600BBF45B)
> 03:11:54: BR0:1 LCP: I CONFREQ [REQsent] id 44 len 15
> 03:11:54: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
> 03:11:54: BR0:1 LCP: MagicNumber 0x00BB5B0E (0x050600BB5B0E)
> 03:11:54: BR0:1 LCP: O CONFACK [REQsent] id 44 len 15
> 03:11:54: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
> 03:11:54: BR0:1 LCP: MagicNumber 0x00BB5B0E (0x050600BB5B0E)
> 03:11:54: BR0:1 LCP: I CONFACK [ACKsent] id 48 len 10
> 03:11:54: BR0:1 LCP: MagicNumber 0x00BBF45B (0x050600BBF45B)
> 03:11:54: BR0:1 LCP: State is Open
> 03:11:54: BR0:1 PPP: Phase is AUTHENTICATING, by the peer
> 03:11:54: BR0:1 CHAP: I CHALLENGE id 38 len 25 from "test"
> 03:11:54: BR0:1 CHAP: O RESPONSE id 38 len 23 from "r1"
> 03:11:54: BR0:1 CHAP: I SUCCESS id 38 len 4
> 03:11:54: BR0:1 PPP: Phase is UP
> 03:11:54: BR0:1 IPCP: O CONFREQ [Closed] id 22 len 10
> 03:11:54: BR0:1 IPCP: Address 148.100.10.1 (0x030694640A01)
> 03:11:54: BR0:1 CDPCP: O CONFREQ [Closed] id 22 len 4
> 03:11:54: BR0:1 IPCP: I CONFREQ [REQsent] id 22 len 10
> 03:11:54: BR0:1 IPCP: Address 148.100.10.2 (0x030694640A02)
> 03:11:54: BR0:1 IPCP: O CONFACK [REQsent] id 22 len 10
> 03:11:54: BR0:1 IPCP: Address 148.100.10.2 (0x030694640A02)
> 03:11:54: BR0:1 CDPCP: I CONFREQ [REQsent] id 22 len 4
> 03:11:54: BR0:1 CDPCP: O CONFACK [REQsent] id 22 len 4
> 03:11:54: BR0:1 IPCP: I CONFACK [ACKsent] id 22 len 10
> 03:11:54: BR0:1 IPCP: Address 148.100.10.1 (0x030694640A01)
> 03:11:54: BR0:1 IPCP: State is Open
> 03:11:54: BR0:1 CDPCP: I CONFACK [ACKsent] id 22 len 4
> 03:11:54: BR0:1 CDPCP: State is Open
> 03:11:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
> r1#
> 03:12:00: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 3016257232 r2
>
>
>
> 03:14:16: BR0:1 PPP: Treating connection as a callin
> 03:14:16: BR0:1 PPP: Phase is ESTABLISHING, Passive Open
> 03:14:16: BR0:1 LCP: State is Listen
> 03:14:16: BR0:1 LCP: I CONFREQ [Listen] id 49 len 10
> 03:14:16: BR0:1 LCP: MagicNumber 0x00BEAA7E (0x050600BEAA7E)
> 03:14:16: BR0:1 LCP: O CONFREQ [Listen] id 45 len 15
> 03:14:16: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
> 03:14:16: BR0:1 LCP: MagicNumber 0x00BE112C (0x050600BE112C)
> 03:14:16: BR0:1 LCP: O CONFACK [Listen] id 49 len 10
>
=== message truncated ===
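
Added example, not part of the original thread: one way to confirm from `debug ppp negotiation` output which side actually challenges, which is the open question in the messages above. The function name `chap_direction` and its verdict strings are hypothetical; the sample lines are copied from the r1 call-out trace above, unwrapped.

```python
import re

# One "debug ppp negotiation" line: timestamp, interface, protocol, text.
LINE = re.compile(r'^\S+ (\S+) (LCP|CHAP): +(.*)$')
# Packet header inside the text: direction (I = received, O = sent) and type.
PKT = re.compile(r'^([IO]) ([A-Z]+)\b')

def chap_direction(log_text):
    """Classify CHAP on one call, from the viewpoint of the router that logged it."""
    seen = {"local_requested": False, "peer_requested": False,
            "local_challenged": False, "peer_challenged": False}
    last_lcp = None  # (direction, type) of the LCP packet whose options follow
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        _intf, proto, text = line.groups()
        pkt = PKT.match(text)
        if proto == "LCP" and pkt:
            last_lcp = pkt.groups()
        elif proto == "LCP" and text.startswith("AuthProto CHAP"):
            # The option belongs to the preceding packet; only a CONFREQ asks for it.
            if last_lcp == ("O", "CONFREQ"):
                seen["local_requested"] = True
            elif last_lcp == ("I", "CONFREQ"):
                seen["peer_requested"] = True
        elif proto == "CHAP" and pkt and pkt.group(2) == "CHALLENGE":
            key = "local_challenged" if pkt.group(1) == "O" else "peer_challenged"
            seen[key] = True
    if seen["local_challenged"] and seen["peer_challenged"]:
        seen["verdict"] = "two-way"
    elif seen["local_challenged"]:
        seen["verdict"] = "one-way: this router challenges the peer"
    elif seen["peer_challenged"]:
        seen["verdict"] = "one-way: the peer challenges this router"
    else:
        seen["verdict"] = "no CHAP challenge seen"
    return seen

# Lines from the r1 call-out trace in the thread, unwrapped.
CALLOUT = '''\
03:11:54: BR0:1 LCP: O CONFREQ [Closed] id 48 len 10
03:11:54: BR0:1 LCP: MagicNumber 0x00BBF45B (0x050600BBF45B)
03:11:54: BR0:1 LCP: I CONFREQ [REQsent] id 44 len 15
03:11:54: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
03:11:54: BR0:1 CHAP: I CHALLENGE id 38 len 25 from "test"
03:11:54: BR0:1 CHAP: O RESPONSE id 38 len 23 from "r1"
03:11:54: BR0:1 CHAP: I SUCCESS id 38 len 4
'''

if __name__ == "__main__":
    print(chap_direction(CALLOUT))
```

An `AuthProto CHAP` option in a sent CONFREQ only shows that the router asked for authentication; the verdict is based on the CHALLENGE packets themselves.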



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:22 GMT-3