task 3.5 - chap null authentication

The SG uses 'username Rack1R2/R4' as usernames but the initial config hostnames are RSRack1R2/R4?

Comments

  • Did anyone get this to work - I couldn't use NULL passwords - as CHAP failed.

  • Do you mean enabling CHAP without setting a password?


  • Yes that's right. I couldn't get this to work! Even when following the solution guide. Although it could have been an order of operations thing?

  • I did a quick lab and got it working. I wasn't using virtual-templates though, back to back serial with PPP on it.

    *Mar  1 00:05:02.623: Se0/0 PPP: Phase is AUTHENTICATING, by this end
    *Mar  1 00:05:02.623: Se0/0 CHAP: O CHALLENGE id 39 len 23 from "R1"
    *Mar  1 00:05:02.647: Se0/0 CHAP: I RESPONSE id 39 len 23 from "R2"
    *Mar  1 00:05:02.647: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
    *Mar  1 00:05:02.651: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
    *Mar  1 00:05:02.655: Se0/0 PPP: Sent CHAP LOGIN Request
    *Mar  1 00:05:02.659: Se0/0 PPP: Received LOGIN Response PASS
    *Mar  1 00:05:02.663: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
    *Mar  1 00:05:02.667: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
    *Mar  1 00:05:02.667: Se0/0 PPP: Sent LCP AUTHOR Request
    *Mar  1 00:05:02.671: Se0/0 PPP: Sent IPCP AUTHOR Request
    *Mar  1 00:05:02.679: Se0/0 LCP: Received AAA AUTHOR Response PASS
    *Mar  1 00:05:02.679: Se0/0 IPCP: Received AAA AUTHOR Response PASS
    *Mar  1 00:05:02.683: Se0/0 CHAP: O SUCCESS id 39 len 4
    *Mar  1 00:05:02.687: Se0/0 PPP: Phase is UP
    *Mar  1 00:05:02.687: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
    *Mar  1 00:05:02.687: Se0/0 IPCP:    Address 12.12.12.1 (0x03060C0C0C01)
    *Mar  1 00:05:02.691: Se0/0 PPP: Sent CDPCP AUTHOR Request
    *Mar  1 00:05:02.691: Se0/0 PPP: Process pending ncp packets
    *Mar  1 00:05:02.699: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
    *Mar  1 00:05:02.699: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
    *Mar  1 00:05:02.703: Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
    *Mar  1 00:05:02.707: Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
    *Mar  1 00:05:02.707: Se0/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
    *Mar  1 00:05:02.707: Se0/0 CDPCP: State is Open
    *Mar  1 00:05:02.711: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
    *Mar  1 00:05:02.711: Se0/0 IPCP:    Address 12.12.12.2 (0x03060C0C0C02)
    *Mar  1 00:05:02.715: Se0/0 AAA/AUTHOR/IPCP: Start.  Her address 12.12.12.2, we want 0.0.0.0
    *Mar  1 00:05:02.715: Se0/0 PPP: Sent IPCP AUTHOR Request
    *Mar  1 00:05:02.723: Se0/0 AAA/AUTHOR/IPCP: Reject 12.12.12.2, using 0.0.0.0
    *Mar  1 00:05:02.723: Se0/0 AAA/AUTHOR/IPCP: Done.  Her address 12.12.12.2, we want 0.0.0.0
    *Mar  1 00:05:02.727: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
    *Mar  1 00:05:02.727: Se0/0 IPCP:    Address 12.12.12.2 (0x03060C0C0C02)
    *Mar  1 00:05:02.727: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
    *Mar  1 00:05:02.727: Se0/0 IPCP:    Address 12.12.12.1 (0x03060C0C0C01)
    *Mar  1 00:05:02.731: Se0/0 IPCP: State is Open
    *Mar  1 00:05:02.739: Se0/0 IPCP: Install route to 12.12.12.2
    *Mar  1 00:05:03.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

  • Post your configurations.

    --
    Brian Dennis, CCIEx5 #2210 (R&S/ISP-Dial/Security/SP/Voice)
    [email protected]

    Internetwork Expert, Inc.
    http://www.INE.com

    On 02/13/2012 11:44 PM, welshydragon wrote:
    > Did anyone get this to work - I couldn't use NULL passwords - as CHAP
    > failed.
  • > I did a quick lab and got it working. I wasn't using virtual-templates though, back to back serial with PPP on it.

    I repeated my configuration in Dynamips - guess what it worked perfectly - this is my bad - in other words bad configuration.  The workaround was to add passwords on each side.

  • Null password is nothing but setting no password for the username. We can also use the "nopassword" keyword with the username instead of no password.
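
What a null CHAP secret means on the wire, as an added example that is not part of the original thread: it follows the RFC 1994 response calculation, MD5(identifier || secret || challenge). The id (39), the names R1/R2 and the packet length (23) are taken from the debug output above; the challenge bytes and the non-empty secret are constructed for the example.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE = 1, 2  # CHAP packet codes (RFC 1994)


def chap_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name


def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator-side comparison of the expected and received value."""
    return hmac.compare_digest(chap_value(ident, secret, challenge), response)


# Constructed sample input: 16-byte challenge value, made up for the example.
IDENT = 39
CHALLENGE_VALUE = bytes(range(16))

challenge_pkt = chap_packet(CHALLENGE, IDENT, CHALLENGE_VALUE, b"R1")

# R2 holds an empty secret for R1, so the secret contributes no bytes.
r2_value = chap_value(IDENT, b"", CHALLENGE_VALUE)
response_pkt = chap_packet(RESPONSE, IDENT, r2_value, b"R2")

# With an empty secret the value is a function of cleartext fields only:
# the identifier (byte 1) and the challenge value (bytes 5..20) of the packet.
wire_only_value = hashlib.md5(challenge_pkt[1:2] + challenge_pkt[5:21]).digest()

if __name__ == "__main__":
    print("challenge len", len(challenge_pkt), "response len", len(response_pkt))
    print("R1 accepts R2:", verify(IDENT, b"", CHALLENGE_VALUE, r2_value))
    print("value derivable from the challenge alone:", wire_only_value == r2_value)
    print("constructed non-empty secret rejects that value:",
          not verify(IDENT, b"s3cret", CHALLENGE_VALUE, wire_only_value))
```

Both packets come out at 23 bytes, matching the "len 23" lines in the debug; the exchange succeeds, but it proves no shared knowledge between the peers.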

  • > We can also use "nopassword" keyword with the username instead of no password.

    Thanks for this useful information - I wasn't aware of this particular option!  It just shows the value of looking at the command reference once in a while to understand some of the configuration settings that are available to you!

    Link to the command reference for username: http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/traffic-export_through_zone_security.html#GUID-34B3E43E-0F79-40E8-82B6-A4B5F1AFF1AD

  • Actually, FWIW, I tried using 'username <R#> nopassword' initially and could not get the interfaces to come up.

    *Sep  8 02:35:58.867: Vi1 PPP: Authorization required
    *Sep  8 02:36:00.879: Vi1 CHAP: O CHALLENGE id 56 len 23 from "R2"
    *Sep  8 02:36:00.883: Vi1 CHAP: I CHALLENGE id 95 len 23 from "R4"
    *Sep  8 02:36:00.883: Vi1 CHAP: Unable to authenticate for peer
    *Sep  8 02:36:02.899: Vi1 PPP: Authorization required
    *Sep  8 02:36:04.911: Vi1 CHAP: O CHALLENGE id 57 len 23 from "R2"
    *Sep  8 02:36:04.915: Vi1 CHAP: I CHALLENGE id 96 len 23 from "R4"
    *Sep  8 02:36:04.915: Vi1 CHAP: Unable to authenticate for peer
    *Sep  8 02:36:06.931: Vi1 PPP: Authorization required
    *Sep  8 02:36:08.943: Vi1 CHAP: O CHALLENGE id 58 len 23 from "R2"
    *Sep  8 02:36:08.947: Vi1 CHAP: I CHALLENGE id 97 len 23 from "R4"
    *Sep  8 02:36:08.947: Vi1 CHAP: Unable to authenticate for peer
    *Sep  8 02:36:10.963: Vi1 PPP: Authorization required

    I removed it and just used "username <R#>" on both and it came up immediately.
  • Hi Mike,

    When we configure CHAP on an interface, it basically requires the "ppp chap password <password>" command, and in the case of PAP, it requires "ppp pap sent-username <user> password <password>". If you fail to configure the "ppp pap sent-username" command, it shows the "Authorization required" log. By default, CHAP sends the hostname as a username to negotiate PPP authentication, but PAP doesn't do that without extra configuration, which causes authorization to fail.

    Good luck!

  • I'm getting the same results, too.  "username <R> nopassword" is working with local login but not with CHAP null authentication.

    "username <R>" then works with PPP CHAP null authentication but no local login.

    This is with a C3640 running IOS 12.4(12) code and "ppp chap authentication" on the virtual template.

    Can one perform null authentication with PAP?

    Cheers
