RE: ISDN PAP authentication problem

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Aug 08 2003 - 14:35:06 GMT-3


There are two options when putting the password in for the ppp pap
sent-username command. The first is to enter the password in clear text.

ppp pap sent-username cisco password cisco
or
ppp pap sent-username cisco password 0 cisco

The second option is to enter your password after it has already been
encrypted using Cisco's standard encryption algorithm.

ppp pap sent-username cisco password 7 070C285F4D06

The second option is just telling the router that the password is
already in encrypted format. This encryption only pertains to how the
password is stored in the configuration and doesn't mean the password
will be sent across the line in encrypted format.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
 
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alec Pun
Sent: Friday, August 08, 2003 1:21 AM
To: Brian Dennis; ccielab@groupstudy.com
Subject: Re: ISDN PAP authentication problem

Thanks for your very kind assistance.

Yes, you're right; the problem was that I merely copied the ppp pap line
from the bri0 interface to the dialer1 interface and wasn't aware the
encrypted characters are different every time.

BTW, when I typed "ppp pap sent-username R5 password cisco" under
interface bri0, and then did a show run, the line became
"ppp pap sent-username R5 password 7 110A1016141D". What does the
encryption type=7 actually mean, as PAP should just be sending a
cleartext password?

regards,
alec
----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "'Alec Pun'" <clapun@graduate.hku.hk>; <ccielab@groupstudy.com>
Sent: Friday, August 08, 2003 2:58 PM
Subject: RE: ISDN PAP authentication problem

> As a side note you can tell that the dialer interface's pap password
> isn't "cisco" just by looking at it.
>
> The way you can tell that the password under the dialer interface isn't
> "cisco" is because "cisco" when encrypted using Cisco's standard
> encryption algorithm will output a string that is always 12
> digits/characters long ((encrypt string-2)/2). The password under the
> dialer interface when unencrypted is 6 digits/characters long.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Thursday, August 07, 2003 11:17 PM
> To: 'Alec Pun'; ccielab@groupstudy.com
> Subject: RE: ISDN PAP authentication problem
>
> Reset the pap password under the dialer interface on R5 to cisco and it
> should work. It looks like there are some extra characters after cisco
> in the password.
>
> ppp pap sent-username R5 password cisco
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Alec Pun
> Sent: Thursday, August 07, 2003 10:51 PM
> To: ccielab@groupstudy.com
> Subject: ISDN PAP authentication problem
>
> Hi group,
>
> I am trying PAP authentication over ISDN and have hit a problem. One
> side, R5, is using a dialer profile whereas the other one, R6, is using
> a legacy configuration. However, the ISDN connection can't be
> established because of the PAP authentication failure.
>
> I've tried both sides using legacy configuration and it works. I would
> be grateful if anyone can give me some hints, thanks.
>
> regards,
> alec
>
> ----------------------------------------------------------------------
>
> hostname R5
> !
> !
> username R6 password 0 cisco
>
> interface BRI0
> no ip address
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-net3
> isdn spid1 81049306240101
> isdn spid2 81049306250101
> ppp pap sent-username R5 password 7 030752180500
> !
> interface Dialer1
> ip address 1.1.1.5 255.255.255.0
> encapsulation ppp
> dialer pool 1
> dialer remote-name R6
> dialer string 4930622
> dialer-group 1
> pulse-time 0
> ppp authentication pap
> ppp pap sent-username R5 password 7 104D000A061852
> !
> dialer-list 1 protocol ip permit
>
>
> hostname R6
> !
> !
> username R5 password 0 cisco
>
> interface BRI0
> ip address 1.1.1.6 255.255.255.0
> encapsulation ppp
> dialer-group 1
> isdn switch-type basic-net3
> isdn spid1 81049306220101
> isdn spid2 81049306230101
> ppp authentication pap
> ppp pap sent-username R6 password 7 030752180500
> !
> ip classless
> ip http server
> !
> dialer-list 1 protocol ip permit
> !
>
> R5#ping 1.1.1.6
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.6, timeout is 2 seconds:
>
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 44 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 44 len 27 msg is "Authentication failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 45 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 45 len 27 msg is "Authentication failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 46 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 46 len 27 msg is "Authentication failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 47 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 47 len 27 msg is "Authentication failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 48 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 48 len 27 msg is "Authentication failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> Success rate is 0 percent (0/5)
> R5#
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
>
>
>
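
Added example, not part of the original thread: a Python check that applies the length rule from the replies ((encrypted string - 2) / 2) to the R5 and R6 configs above and cross-checks it against the "len" field of the outgoing AUTH-REQ debug line. The function names are hypothetical, and the packet arithmetic assumes the RFC 1334 Authenticate-Request layout; no password is decoded.

```python
import re

# Excerpts copied from the configs and debug output posted in the thread.
R5_CONFIG = """\
interface BRI0
ppp pap sent-username R5 password 7 030752180500
interface Dialer1
ppp pap sent-username R5 password 7 104D000A061852
"""
R6_CONFIG = "username R5 password 0 cisco\n"
DEBUG_LINE = '1d20h: BR0:1 PAP: O AUTH-REQ id 44 len 14 from "R5"'

def type7_plain_len(enc):
    """Two salt digits, then two hex digits per plaintext character."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit() \
            or not re.fullmatch(r"[0-9A-Fa-f]+", enc[2:]):
        raise ValueError(f"not a type 7 string: {enc!r}")
    return (len(enc) - 2) // 2

def sent_passwords(config):
    """Yield (interface, username, password_length) per sent-username line."""
    iface = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s*ppp pap sent-username (\S+) password (?:([07]) )?(.+)$", line)
        if m:
            user, ptype, secret = m.groups()
            n = type7_plain_len(secret) if ptype == "7" else len(secret)
            yield iface, user, n

def expected_lengths(peer_config):
    """Map username -> length of the clear-text password the peer will compare."""
    pat = r"^username (\S+) password (?:0 )?(?!7 )(.+)$"
    return {u: len(p) for u, p in re.findall(pat, peer_config, re.M)}

def audit(sender_config, peer_config):
    """Return (interface, username, sent_len, expected_len) for every mismatch."""
    want = expected_lengths(peer_config)
    return [(i, u, n, want.get(u)) for i, u, n in sent_passwords(sender_config)
            if want.get(u) != n]

def pap_request_password_len(debug_line):
    """Password length implied by an outgoing AUTH-REQ debug line (RFC 1334)."""
    m = re.search(r'AUTH-REQ id \d+ len (\d+) from "([^"]*)"', debug_line)
    # len = 4-byte header + 1 length byte + peer-ID + 1 length byte + password
    return int(m.group(1)) - 6 - len(m.group(2))
```

Calling audit(R5_CONFIG, R6_CONFIG) flags only Dialer1, and pap_request_password_len(DEBUG_LINE) gives the same 6-character length, so the request in the debug output carried the Dialer1 password rather than the BRI0 one.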



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:56 GMT-3