Foreword: An ALU is an Autonomous Learning Unit; you can read this post to learn more about them.
Managers are concerned about the security of the serial link between R2 and R3. Configure R3 to send a secure challenge to R2. R3 is expecting the username "Router2" and the password CISCO.
Solution:
R3:
interface Serial1/3
encapsulation ppp
ppp authentication chap
username Router2 password CISCO
R2:
interface Serial0/1
encapsulation ppp
serial restart-delay 0
ppp chap hostname Router2
ppp chap password CISCO
Confirmation:
R3#debug ppp authentication
! clip
Se1/3 CHAP: O CHALLENGE id 17 len 28 from "Rack1R3"
Se1/3 CHAP: I RESPONSE id 17 len 23 from "Router2"
(Note: the "debug ppp authentication" command can be very noisy if your authentication is not working. It is recommended to turn off console logging, log this debug output to the buffer, and display it using "show logging".)
Explanation:
Many CCIE candidates are used to configuring bidirectional authentication, where both routers involved challenge each other. It is important to practice single-direction authentication, where one router requires the other router to authenticate, but not vice versa.
PPP has two methods of authentication, CHAP and PAP. PAP is a plain text password exchange, whereas CHAP is a secure challenge, where the password is never passed over the wire. This question requires R3 to "send a secure challenge," which cues us to use CHAP instead of PAP.
By default, CHAP will send the router's hostname, but this question requires R2 to identify itself with the CHAP username "Router2" instead of its own hostname.
In the above "debug ppp authentication" output we can see that R3 is sending a challenge, and R2 is responding with the username "Router2." We can also see that R2 is not sending a challenge to R3, which is the requested behavior.
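The one-way CHAP exchange described above, sketched in Python as an added example (not part of the original post and not Cisco's code). It follows the RFC 1994 MD5 response calculation and uses the lab's username, password and id 17; the challenge bytes are random, and the `Authenticator` class and `run_exchange` function are hypothetical names.

```python
import hashlib
import hmac
import os

# Values taken from the lab above; the challenge bytes are generated at random.
USERNAME = "Router2"
SECRET = b"CISCO"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Plays R3: holds 'username Router2 password CISCO' and issues challenges."""

    def __init__(self, users: dict[str, bytes]):
        self.users = users
        self.pending: dict[int, bytes] = {}  # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(identifier, None)  # each challenge is single-use
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(peer_secret: bytes, identifier: int = 17):
    """One-way CHAP: R3 challenges, R2 responds. Returns (result, wire bytes)."""
    r3 = Authenticator({USERNAME: SECRET})
    challenge = r3.challenge(identifier)                          # O CHALLENGE
    response = chap_response(identifier, peer_secret, challenge)  # I RESPONSE
    wire = challenge + USERNAME.encode() + response  # everything sent on the link
    return r3.verify(identifier, USERNAME, response), wire


if __name__ == "__main__":
    ok, wire = run_exchange(SECRET)
    print("matching secret:", ok, "| secret on wire:", SECRET in wire)
    print("wrong secret:", run_exchange(b"cisco")[0])
```

Only R3 keeps challenge state here, which mirrors the one-way behaviour seen in the debug output: R2 never issues a challenge of its own.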
DocCD items to reference:
Configuration Guide (Note: scroll down to "Non-AAA Authentication Methods," "Enabling CHAP or PAP Authentication")