PPPOE and chap authentication not working as expected

Hi All,

Below is the small setup I have.

What I am trying to do is allow R3, the client, to get an IP address from the server, which is R1. Between R1 and R3 I am running CHAP authentication. In this setup I cannot modify anything on R1 to bring up the connection. All configs have to be completed on R3. Based on my configs it looks good to me. R3 is challenging R1, so R1 is responding back with the username and password. By default when using CHAP the router will send its hostname as the username. Below are the configs for both R1 and R3. I also attached an output of the "debug ppp negotiation". Can you guys please let me know if you see anything wrong? Thank you




Diagram
 

R1 Configs(Server):

 

R1#sh run
Building configuration...

Current configuration : 1325 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.100.1
ip dhcp excluded-address 10.1.100.255
!
ip dhcp pool PPPOE_POOL
   network 10.1.100.0 255.255.255.0

username R2 password 0 cisco
!
!
!
!
!
!
bba-group pppoe PPPOE
 virtual-template 45
!
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 pppoe enable group PPPOE
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template45
 mac-address 0000.1111.1111
 mtu 1492
 ip address 10.1.100.1 255.255.255.0
 peer default ip address pool POOL
 ppp authentication chap
!
ip local pool POOL 10.1.100.2 10.1.100.254

end

 

 

R3 Configs(Client):

 

R3#sh run
Building configuration...

Current configuration : 1070 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
username R1 password 0 cisco
!

interface FastEthernet0/0
 mac-address 0000.3333.3333
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap
!

end

 

 

R1 Debug:

 

R1#
*Mar  1 03:15:36.143: ppp108 PPP: Send Message[Dynamic Bind Response]
*Mar  1 03:15:36.143: ppp108 PPP: Using vpn set call direction
*Mar  1 03:15:36.143: ppp108 PPP: Treating connection as a callin
*Mar  1 03:15:36.143: ppp108 PPP: Session handle[7000078] Session id[108]
*Mar  1 03:15:36.143: ppp108 PPP: Phase is ESTABLISHING, Passive Open
*Mar  1 03:15:36.143: ppp108 LCP: State is Listen
*Mar  1 03:15:36.159: ppp108 LCP: I CONFREQ [Listen] id 1 len 15
*Mar  1 03:15:36.159: ppp108 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:15:36.163: ppp108 LCP:    MagicNumber 0x05BF2C3F (0x050605BF2C3F)
*Mar  1 03:15:36.163: ppp108 LCP: O CONFREQ [Listen] id 1 len 19
*Mar  1 03:15:36.163: ppp108 LCP:    MRU 1492 (0x010405D4)
*Mar  1 03:15:36.163: ppp108 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:15:36.163: ppp108 LCP:    MagicNumber 0x03BF5D26 (0x050603BF5D26)
*Mar  1 03:15:36.163: ppp108 LCP: O CONFACK [Listen] id 1 len 15
*Mar  1 03:15:36.163: ppp108 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:15:36.163: ppp108 LCP:    MagicNumber 0x05BF2C3F (0x050605BF2C3F)
*Mar  1 03:15:36.183: ppp108 LCP: I CONFNAK [ACKsent] id 1 len 8
*Mar  1 03:15:36.183: ppp108 LCP:    MRU 1500 (0x010405DC)
*Mar  1 03:15:36.183: ppp108 LCP: O CONFREQ [ACKsent] id 2 len 19
*Mar  1 03:15:36.183: ppp108 LCP:    MRU 1500 (0x010405DC)
*Mar  1 03:15:36.183: ppp108 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:15:36.183: ppp108 LCP:    MagicNumber 0x03BF5D26 (0x050603BF5D26)
*Mar  1 03:15:36.199: ppp108 LCP: I CONFACK [ACKsent] id 2 len 19
*Mar  1 03:15:36.203: ppp108 LCP:    MRU 1500 (0x010405DC)
*Mar  1 03:15:36.203: ppp108 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:15:36.203: ppp108 LCP:    MagicNumber 0x03BF5D26 (0x050603BF5D26)
*Mar  1 03:15:36.203: ppp108 LCP: State is Open
*Mar  1 03:15:36.203: ppp108 PPP: Phase is AUTHENTICATING, by both
*Mar  1 03:15:36.203: ppp108 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Mar  1 03:15:36.211: ppp108 CHAP: I CHALLENGE id 1 len 23 from "R3"
*Mar  1 03:15:36.211: ppp108 CHAP: Waiting for Peer to authenticate first
*Mar  1 03:15:36.219: ppp108 CHAP: I RESPONSE id 1 len 23 from "R3"
*Mar  1 03:15:36.223: ppp108 PPP: Phase is FORWARDING, Attempting Forward
*Mar  1 03:15:36.223: ppp108 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar  1 03:15:36.223: ppp108 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
*Mar  1 03:15:36.223: ppp108 PPP: Sending Acct Event[Down] id[72]
*Mar  1 03:15:36.223: ppp108 PPP: Phase is TERMINATING
*Mar  1 03:15:36.223: ppp108 LCP: O TERMREQ [Open] id 3 len 4
*Mar  1 03:15:36.247: ppp108 LCP: I TERMACK [TERMsent] id 3 len 4
*Mar  1 03:15:36.247: ppp108 LCP: State is Closed
*Mar  1 03:15:36.251: ppp108 PPP: Phase is DOWN
*Mar  1 03:15:36.255: ppp108 PPP: Send Message[Disconnect]
R1#

 

 

R3 Debug:

 

R3#
*Mar  1 03:16:08.223: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Mar  1 03:16:08.227: Vi2 PPP: Phase is DOWN, Setup
*Mar  1 03:16:08.227: Vi2 PPP: Using dialer call direction
*Mar  1 03:16:08.227: Vi2 PPP: Treating connection as a callout
*Mar  1 03:16:08.227: Vi2 PPP: Session handle[1B00012B] Session id[0]
*Mar  1 03:16:08.227: Vi2 PPP: Phase is ESTABLISHING, Active Open
*Mar  1 03:16:08.227: Vi2 LCP: O CONFREQ [Closed] id 1 len 15
*Mar  1 03:16:08.227: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:16:08.227: Vi2 LCP:    MagicNumber 0x05BFDA52 (0x050605BFDA52)
*Mar  1 03:16:08.227: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Mar  1 03:16:08.239: Vi2 LCP: I CONFREQ [REQsent] id 1 len 19
*Mar  1 03:16:08.243: Vi2 LCP:    MRU 1492 (0x010405D4)
*Mar  1 03:16:08.243: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:16:08.243: Vi2 LCP:    MagicNumber 0x03C00B31 (0x050603C00B31)
*Mar  1 03:16:08.243: Vi2 LCP: O CONFNAK [REQsent] id 1 len 8
*Mar  1 03:16:08.243: Vi2 LCP:    MRU 1500 (0x010405DC)
*Mar  1 03:16:08.255: Vi2 LCP: I CONFACK [REQsent] id 1 len 15
*Mar  1 03:16:08.255: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:16:08.255: Vi2 LCP:    MagicNumber 0x05BFDA52 (0x050605BFDA52)
*Mar  1 03:16:08.259: Vi2 LCP: I CONFREQ [ACKrcvd] id 2 len 19
*Mar  1 03:16:08.263: Vi2 LCP:    MRU 1500 (0x010405DC)
*Mar  1 03:16:08.263: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:16:08.263: Vi2 LCP:    MagicNumber 0x03C00B31 (0x050603C00B31)
*Mar  1 03:16:08.263: Vi2 LCP: O CONFACK [ACKrcvd] id 2 len 19
*Mar  1 03:16:08.263: Vi2 LCP:    MRU 1500 (0x010405DC)
*Mar  1 03:16:08.263: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 03:16:08.263: Vi2 LCP:    MagicNumber 0x03C00B31 (0x050603C00B31)
*Mar  1 03:16:08.263: Vi2 LCP: State is Open
*Mar  1 03:16:08.263: Vi2 PPP: Phase is AUTHENTICATING, by both
*Mar  1 03:16:08.263: Vi2 CHAP: O CHALLENGE id 1 len 23 from "R3"
*Mar  1 03:16:08.283: Vi2 CHAP: I CHALLENGE id 1 len 23 from "R1"
*Mar  1 03:16:08.287: Vi2 CHAP: Using hostname from unknown source
*Mar  1 03:16:08.287: Vi2 CHAP: Using password from AAA
*Mar  1 03:16:08.287: Vi2 CHAP: O RESPONSE id 1 len 23 from "R3"
*Mar  1 03:16:08.299: Vi2 CHAP: I FAILURE id 1 len 25 msg is "Authentication failed"
*Mar  1 03:16:08.311: Vi2 LCP: I TERMREQ [Open] id 3 len 4
*Mar  1 03:16:08.315: Vi2 LCP: O TERMACK [Open] id 3 len 4
*Mar  1 03:16:08.315: Vi2 PPP: Sending Acct Event[Down] id[63]
*Mar  1 03:16:08.315: Vi2 PPP: Phase is TERMINATING
*Mar  1 03:16:08.335: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Mar  1 03:16:08.335: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R3#
vreyesii Asked:
BigPapaGotti Commented:
On R3 you need to specify the alternate hostname to be used for the challenge. This is accomplished with the command below, which you need to apply under the appropriate interface:

"ppp chap hostname R2"

If the authentication still fails, create the R2 username and associated password that is on R1 so that the username and passwords match.
0
vreyesii (Author) Commented:
I cannot use "ppp chap hostname R2" since that is being used for authentication of another which is really called R2.

Based on the solution, I am being told I only need:

"username R1 password cisco" and "ppp authentication chap" on R3's interface. However, when I do this the link still doesn't come up.
0
Sandeep Gupta (Consultant) Commented:
Create some username/password, like:

ppp chap username <<>> password <<>>

Use either CHAP or PAP at both ends; keep it the same.
0
BigPapaGotti Commented:
May I ask why you are not able to modify the configuration of R1? Is this in a lab environment of some sort?
0
vreyesii (Author) Commented:
Yes correct. I cannot modify R1 since it's a lab environment. So I am trying to bring up the link by only modifying R3's side. By me configuring "ppp authentication chap" on R3's interface I can challenge R1 and R1 can send the username of R1 and the password of cisco. In R3's local user database I already have the following configured "username R1 password cisco" which should allow the authentication to be successful.
0
BigPapaGotti Commented:
Is this some sort of assignment you have been given for school? I was able to get this to work properly by issuing the following commands on each respective router. I know that you are not able to modify R1, but if this is some sort of homework/lab assignment I am curious whether or not there is an error. Can you give me some details/background on this and perhaps I can better assist you?

On R1 enter the following commands:
"username R3 password 0 cisco"

On R3 enter the following commands underneath the Dialer interface:
"ppp chap hostname R3"
0
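Added example, not part of the thread or any poster's code: a small Python model of the RFC 1994 CHAP check for the one direction that fails in the debugs above (R1 authenticating R3), using the names and secret from the posted configs. The challenge bytes are constructed sample values, and the responder's choice of secret by challenger name is a stated assumption of the model.

```python
import hashlib
import hmac

# Constructed sample challenge; a real authenticator sends random bytes.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def chap_response(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def authenticator_check(local_users, peer_name, ident, challenge, response):
    """Authenticator side (R1): find the name carried in the Response in the
    local username database, then compare hashes built from that secret."""
    secret = local_users.get(peer_name)
    if secret is None:
        return "FAILURE: no local user %r" % peer_name
    expected = chap_response(ident, secret, challenge)
    if not hmac.compare_digest(expected, response):
        return "FAILURE: secret mismatch for %r" % peer_name
    return "SUCCESS"

def negotiate(r1_users, r3_chap_name, r3_users, ident=1):
    """One direction only: R1 (challenger name "R1") authenticates R3.
    Assumption: the responder picks its secret from the username entry
    that matches the challenger's name."""
    secret = r3_users.get("R1", "")
    response = chap_response(ident, secret, CHALLENGE)
    return authenticator_check(r1_users, r3_chap_name, ident, CHALLENGE, response)

R1_USERS = {"R2": "cisco"}   # from R1: username R2 password 0 cisco
R3_USERS = {"R1": "cisco"}   # from R3: username R1 password 0 cisco

def scenarios():
    return {
        "as posted (R3 answers as R3)": negotiate(R1_USERS, "R3", R3_USERS),
        "ppp chap hostname R2 on R3": negotiate(R1_USERS, "R2", R3_USERS),
        "username R3 added on R1": negotiate({**R1_USERS, "R3": "cisco"}, "R3", R3_USERS),
        "names match, secrets differ": negotiate(R1_USERS, "R2", {"R1": "wrong"}),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print("%-32s %s" % (label, result))
```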

vreyesii (Author) Commented:
No, this is not from school but for my certification studies. The task states I cannot modify R1. So I cannot enter the "username R3 password 0 cisco" command under R1. I know I can modify R3 with "ppp chap username R2" and this will work since R1 already has that username in its local database. However, that solution would be wrong since "username R2 password cisco" is for the link that goes to R2.
0
BigPapaGotti Commented:
For reference, can you let me know what lab this exercise is from, such as the book and the exercise number? Also, what certification test is this for? CCNA?
0
vreyesii (Author) Commented:
Well I came up with this scenario from reading around. However, I am currently studying for my CCIE R&S.
0