Tuesday, February 17, 2009

ALU - PPP Authentication Part 1

Foreword: An ALU is an Autonomous Learning Unit; you can read this post to learn more about them.


Managers are concerned about the security of the serial link between R2 and R3.  Configure R3 to send a secure challenge to R2.  R3 is expecting the username "Router2" and the password CISCO.



Solution:

R3:

username Router2 password CISCO
!
interface Serial1/3
  encapsulation ppp
  ppp authentication chap

(The username line is global configuration, not an interface sub-command: it is the local database R3 checks the CHAP response against. It must use password rather than secret, because CHAP needs the shared secret in recoverable form.)

 

R2:

interface Serial0/1
  encapsulation ppp
  serial restart-delay 0
  ppp chap hostname Router2
  ppp chap password CISCO

 

Confirmation:

R3#debug ppp authentication
  ! clip
  Se1/3 CHAP: O CHALLENGE id 17 len 28 from "Rack1R3"
  Se1/3 CHAP: I RESPONSE id 17 len 23 from "Router2"

(Note: "debug ppp authentication" can be very noisy while authentication is failing, because LCP keeps renegotiating and each attempt is logged. It is safer to turn off console logging with "no logging console", send the debug output to the buffer with "logging buffered", and read it afterwards with "show logging".)

 

Explanation:

Many CCIE candidates are used to configuring bidirectional authentication, where both routers challenge each other.  It is important to also practice one-way authentication, where one router requires the other to authenticate but not vice versa; the task here asks only that R3 challenge R2, so nothing authentication-related is configured on R2 beyond the credentials it presents.

 

PPP has two classic authentication methods, PAP and CHAP.  PAP sends the username and password across the link in clear text.  CHAP is a challenge/response exchange (RFC 1994): the authenticator sends a random challenge, and the peer answers with an MD5 hash of the CHAP identifier, the shared secret and the challenge, so the secret itself never crosses the wire.  This question requires R3 to "send a secure challenge," which cues us to use CHAP rather than PAP.  Two caveats worth keeping in mind: CHAP needs the secret in recoverable form on both routers (hence "username ... password", not "username ... secret", on R3), and a captured challenge/response pair can still be guessed offline if the password is weak, so CHAP protects the password from passive capture but does not excuse a weak one.

 

By default, CHAP sends the router's own hostname as the name in its response, but this question requires R2 to identify itself as "Router2" rather than its actual hostname, which is what "ppp chap hostname Router2" does.  The matching "ppp chap password CISCO" supplies the secret used to answer R3's challenge.

 

In the above "debug ppp authentication" output we can see R3 sending a challenge (O, outgoing, carrying its hostname "Rack1R3") and R2 responding (I, incoming) with the username "Router2" rather than its own hostname.  We can also see that no challenge arrives from R2, so R3 is never asked to authenticate, which is exactly the one-way behavior requested.  (The "serial restart-delay 0" line on R2 is unrelated to authentication and can be ignored here.)
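To make the exchange described in the two paragraphs above concrete, here is an added example (not code from the original post and not Cisco IOS) that models the one-way CHAP exchange in Python: R3 as the authenticator with a local username table, R2 as the peer answering with "Router2" and the secret CISCO, packets laid out per RFC 1994.  The 16-byte challenge size and the fixed challenge bytes are assumptions chosen so the challenge packet comes out at 28 bytes like the debug line above; the offline_guess helper is added to show the weak-password caveat.

```python
"""One-way PPP CHAP (RFC 1994) between an authenticator (R3) and a peer (R2).
Added example: a model of the packet math IOS performs, not IOS code itself.
All packet bytes are constructed locally; nothing goes on a real link."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 CHAP codes


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_value_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_result_packet(code: int, identifier: int, message: bytes) -> bytes:
    """Success/Failure: Code(1) Identifier(1) Length(2) Message."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def parse_packet(pkt: bytes) -> dict:
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (CHALLENGE, RESPONSE, SUCCESS, FAILURE):
        raise ValueError("malformed CHAP packet")
    if code in (SUCCESS, FAILURE):
        return {"code": code, "id": identifier, "message": pkt[4:]}
    vsize = pkt[4]
    return {"code": code, "id": identifier, "value": pkt[5:5 + vsize], "name": pkt[5 + vsize:]}


class Authenticator:
    """R3 side: 'ppp authentication chap' plus the local 'username ... password ...' table."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname.encode()
        self.users = {u.encode(): p.encode() for u, p in users.items()}
        self.pending = {}  # identifier -> outstanding challenge value

    def challenge(self, identifier: int, value: bytes = None) -> bytes:
        value = os.urandom(16) if value is None else value  # 16 random bytes (assumption)
        self.pending[identifier] = value
        return build_value_packet(CHALLENGE, identifier, value, self.hostname)

    def verify(self, pkt: bytes) -> bytes:
        r = parse_packet(pkt)
        value = self.pending.pop(r["id"], None)  # each challenge is usable exactly once
        secret = self.users.get(r.get("name"))   # unknown name -> no secret -> failure
        ok = (r["code"] == RESPONSE and value is not None and secret is not None
              and hmac.compare_digest(chap_hash(r["id"], secret, value), r["value"]))
        return build_result_packet(SUCCESS if ok else FAILURE, r["id"],
                                   b"Welcome" if ok else b"Authentication failure")


class Peer:
    """R2 side: 'ppp chap hostname <name>' and 'ppp chap password <secret>'."""

    def __init__(self, chap_hostname: str, chap_password: str):
        self.name = chap_hostname.encode()
        self.secret = chap_password.encode()

    def respond(self, pkt: bytes) -> bytes:
        c = parse_packet(pkt)
        if c["code"] != CHALLENGE:
            raise ValueError("expected a Challenge")
        return build_value_packet(RESPONSE, c["id"],
                                  chap_hash(c["id"], self.secret, c["value"]), self.name)


def run_exchange(auth: Authenticator, peer: Peer, identifier: int = 17, value: bytes = None):
    """One-way: only R3 challenges. Returns (result code, packets seen on the wire)."""
    wire = [auth.challenge(identifier, value)]
    wire.append(peer.respond(wire[0]))
    wire.append(auth.verify(wire[1]))
    return parse_packet(wire[2])["code"], wire


def offline_guess(challenge_pkt: bytes, response_pkt: bytes, wordlist):
    """The caveat: a sniffed challenge/response pair can be brute-forced offline."""
    c, r = parse_packet(challenge_pkt), parse_packet(response_pkt)
    for word in wordlist:
        if chap_hash(r["id"], word.encode(), c["value"]) == r["value"]:
            return word
    return None


if __name__ == "__main__":
    r3 = Authenticator("Rack1R3", {"Router2": "CISCO"})
    r2 = Peer("Router2", "CISCO")
    code, wire = run_exchange(r3, r2)
    print("result:", "SUCCESS" if code == SUCCESS else "FAILURE")
    print("secret on the wire:", b"CISCO" in b"".join(wire))
    print("offline guess:", offline_guess(wire[0], wire[1], ["cisco", "Cisco", "CISCO"]))
```

Running it shows the three things the debug output above implies: the peer authenticates with the name "Router2" while the authenticator's challenge carries "Rack1R3", the string CISCO never appears in any packet, and a peer with the wrong secret or wrong name gets a Failure.  The offline_guess call is the reminder that the secret is still only as strong as the wordlist it is not in.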

 

DocCD items to reference:

Configuration Guide (Note: scroll down to "Non-AAA Authentication Methods," then "Enabling CHAP or PAP Authentication")

ppp authentication

ppp chap hostname

ppp chap password

 
