Manuel
asked on
PPPOE and chap authentication not working as expected
Hi All,
Below is the small setup I have.
What I am trying to do is allow R3, the client, to get an IP address from the server, which is R1. Between R1 and R3 I am running CHAP authentication. In this setup I cannot modify anything on R1 to bring up the connection. All configs have to be completed on R3. Based on my configs it looks good to me. R3 is challenging R1, so R1 is responding back with the username and password. By default, when using CHAP, the router will send its hostname as the username. Below are the configs for both R1 and R3. I also attached the output of "debug ppp negotiation". Can you guys please let me know if you see anything wrong? Thank you
R1 Configs(Server):
R1#sh run
Building configuration...
Current configuration : 1325 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.100.1
ip dhcp excluded-address 10.1.100.255
!
ip dhcp pool PPPOE_POOL
network 10.1.100.0 255.255.255.0
username R2 password 0 cisco
!
!
!
!
!
!
bba-group pppoe PPPOE
virtual-template 45
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
pppoe enable group PPPOE
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Virtual-Template45
mac-address 0000.1111.1111
mtu 1492
ip address 10.1.100.1 255.255.255.0
peer default ip address pool POOL
ppp authentication chap
!
ip local pool POOL 10.1.100.2 10.1.100.254
end
R3 Configs(Client):
R3#sh run
Building configuration...
Current configuration : 1070 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
username R1 password 0 cisco
!
interface FastEthernet0/0
mac-address 0000.3333.3333
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
ppp authentication chap
!
end
R1 Debug:
R1#
*Mar 1 03:15:36.143: ppp108 PPP: Send Message[Dynamic Bind Response]
*Mar 1 03:15:36.143: ppp108 PPP: Using vpn set call direction
*Mar 1 03:15:36.143: ppp108 PPP: Treating connection as a callin
*Mar 1 03:15:36.143: ppp108 PPP: Session handle[7000078] Session id[108]
*Mar 1 03:15:36.143: ppp108 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 03:15:36.143: ppp108 LCP: State is Listen
*Mar 1 03:15:36.159: ppp108 LCP: I CONFREQ [Listen] id 1 len 15
*Mar 1 03:15:36.159: ppp108 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:15:36.163: ppp108 LCP: MagicNumber 0x05BF2C3F (0x050605BF2C3F)
*Mar 1 03:15:36.163: ppp108 LCP: O CONFREQ [Listen] id 1 len 19
*Mar 1 03:15:36.163: ppp108 LCP: MRU 1492 (0x010405D4)
*Mar 1 03:15:36.163: ppp108 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:15:36.163: ppp108 LCP: MagicNumber 0x03BF5D26 (0x050603BF5D26)
*Mar 1 03:15:36.163: ppp108 LCP: O CONFACK [Listen] id 1 len 15
*Mar 1 03:15:36.163: ppp108 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:15:36.163: ppp108 LCP: MagicNumber 0x05BF2C3F (0x050605BF2C3F)
*Mar 1 03:15:36.183: ppp108 LCP: I CONFNAK [ACKsent] id 1 len 8
*Mar 1 03:15:36.183: ppp108 LCP: MRU 1500 (0x010405DC)
*Mar 1 03:15:36.183: ppp108 LCP: O CONFREQ [ACKsent] id 2 len 19
*Mar 1 03:15:36.183: ppp108 LCP: MRU 1500 (0x010405DC)
*Mar 1 03:15:36.183: ppp108 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:15:36.183: ppp108 LCP: MagicNumber 0x03BF5D26 (0x050603BF5D26)
*Mar 1 03:15:36.199: ppp108 LCP: I CONFACK [ACKsent] id 2 len 19
*Mar 1 03:15:36.203: ppp108 LCP: MRU 1500 (0x010405DC)
*Mar 1 03:15:36.203: ppp108 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:15:36.203: ppp108 LCP: MagicNumber 0x03BF5D26 (0x050603BF5D26)
*Mar 1 03:15:36.203: ppp108 LCP: State is Open
*Mar 1 03:15:36.203: ppp108 PPP: Phase is AUTHENTICATING, by both
*Mar 1 03:15:36.203: ppp108 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Mar 1 03:15:36.211: ppp108 CHAP: I CHALLENGE id 1 len 23 from "R3"
*Mar 1 03:15:36.211: ppp108 CHAP: Waiting for Peer to authenticate first
*Mar 1 03:15:36.219: ppp108 CHAP: I RESPONSE id 1 len 23 from "R3"
*Mar 1 03:15:36.223: ppp108 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 03:15:36.223: ppp108 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 03:15:36.223: ppp108 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
*Mar 1 03:15:36.223: ppp108 PPP: Sending Acct Event[Down] id[72]
*Mar 1 03:15:36.223: ppp108 PPP: Phase is TERMINATING
*Mar 1 03:15:36.223: ppp108 LCP: O TERMREQ [Open] id 3 len 4
*Mar 1 03:15:36.247: ppp108 LCP: I TERMACK [TERMsent] id 3 len 4
*Mar 1 03:15:36.247: ppp108 LCP: State is Closed
*Mar 1 03:15:36.251: ppp108 PPP: Phase is DOWN
*Mar 1 03:15:36.255: ppp108 PPP: Send Message[Disconnect]
R1#
R3 Debug:
R3#
*Mar 1 03:16:08.223: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Mar 1 03:16:08.227: Vi2 PPP: Phase is DOWN, Setup
*Mar 1 03:16:08.227: Vi2 PPP: Using dialer call direction
*Mar 1 03:16:08.227: Vi2 PPP: Treating connection as a callout
*Mar 1 03:16:08.227: Vi2 PPP: Session handle[1B00012B] Session id[0]
*Mar 1 03:16:08.227: Vi2 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 03:16:08.227: Vi2 LCP: O CONFREQ [Closed] id 1 len 15
*Mar 1 03:16:08.227: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:16:08.227: Vi2 LCP: MagicNumber 0x05BFDA52 (0x050605BFDA52)
*Mar 1 03:16:08.227: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Mar 1 03:16:08.239: Vi2 LCP: I CONFREQ [REQsent] id 1 len 19
*Mar 1 03:16:08.243: Vi2 LCP: MRU 1492 (0x010405D4)
*Mar 1 03:16:08.243: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:16:08.243: Vi2 LCP: MagicNumber 0x03C00B31 (0x050603C00B31)
*Mar 1 03:16:08.243: Vi2 LCP: O CONFNAK [REQsent] id 1 len 8
*Mar 1 03:16:08.243: Vi2 LCP: MRU 1500 (0x010405DC)
*Mar 1 03:16:08.255: Vi2 LCP: I CONFACK [REQsent] id 1 len 15
*Mar 1 03:16:08.255: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:16:08.255: Vi2 LCP: MagicNumber 0x05BFDA52 (0x050605BFDA52)
*Mar 1 03:16:08.259: Vi2 LCP: I CONFREQ [ACKrcvd] id 2 len 19
*Mar 1 03:16:08.263: Vi2 LCP: MRU 1500 (0x010405DC)
*Mar 1 03:16:08.263: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:16:08.263: Vi2 LCP: MagicNumber 0x03C00B31 (0x050603C00B31)
*Mar 1 03:16:08.263: Vi2 LCP: O CONFACK [ACKrcvd] id 2 len 19
*Mar 1 03:16:08.263: Vi2 LCP: MRU 1500 (0x010405DC)
*Mar 1 03:16:08.263: Vi2 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 03:16:08.263: Vi2 LCP: MagicNumber 0x03C00B31 (0x050603C00B31)
*Mar 1 03:16:08.263: Vi2 LCP: State is Open
*Mar 1 03:16:08.263: Vi2 PPP: Phase is AUTHENTICATING, by both
*Mar 1 03:16:08.263: Vi2 CHAP: O CHALLENGE id 1 len 23 from "R3"
*Mar 1 03:16:08.283: Vi2 CHAP: I CHALLENGE id 1 len 23 from "R1"
*Mar 1 03:16:08.287: Vi2 CHAP: Using hostname from unknown source
*Mar 1 03:16:08.287: Vi2 CHAP: Using password from AAA
*Mar 1 03:16:08.287: Vi2 CHAP: O RESPONSE id 1 len 23 from "R3"
*Mar 1 03:16:08.299: Vi2 CHAP: I FAILURE id 1 len 25 msg is "Authentication failed"
*Mar 1 03:16:08.311: Vi2 LCP: I TERMREQ [Open] id 3 len 4
*Mar 1 03:16:08.315: Vi2 LCP: O TERMACK [Open] id 3 len 4
*Mar 1 03:16:08.315: Vi2 PPP: Sending Acct Event[Down] id[63]
*Mar 1 03:16:08.315: Vi2 PPP: Phase is TERMINATING
*Mar 1 03:16:08.335: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Mar 1 03:16:08.335: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R3#
ASKER
I cannot use "ppp chap hostname R2" since that is being used for authentication of another which is really called R2.
Based on the solution, I am being told I only need:
"username R1 password cisco" and "ppp authentication chap" on R3's interface. However, when I do this the link still doesn't come up.
Create some username/password, like:
ppp chap username <<>> password <<>>
Use either CHAP or PAP at both ends; keep it the same.
May I ask why you are not able to modify the configuration of R1? Is this in a lab environment of some sort?
ASKER
Yes correct. I cannot modify R1 since it's a lab environment. So I am trying to bring up the link by only modifying R3's side. By me configuring "ppp authentication chap" on R3's interface I can challenge R1 and R1 can send the username of R1 and the password of cisco. In R3's local user database I already have the following configured "username R1 password cisco" which should allow the authentication to be successful.
ASKER
No, this is not from school but for my certification studies. The task states I cannot modify R1. So I cannot enter the "username R3 password 0 cisco" command under R1. I know I can modify R3 with "ppp chap username R2" and this will work since R1 already has that username in its local database. However, that solution would be wrong since "username R2 password cisco" is for the link that goes to R2.
For reference can you let me know what Lab this exercise is from, such as the book and the exercise number. Also what certification test is this for? CCNA?
ASKER
Well I came up with this scenario from reading around. However, I am currently studying for my CCIE R&S.
"ppp chap hostname R2"
If the authentication still fails create the R2 username and associated password that is on R1 so that the username and passwords match.
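An added example, not part of the thread: a minimal Python model of one direction of the CHAP exchange (R1 authenticating R3) using the RFC 1994 response value, to show that the challenger looks up the shared secret by the name carried in the response. The class and function names are hypothetical, and the user tables are taken from the two configs posted in the question.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Challenger side, modelled on R1: secrets are looked up by the peer's name."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname
        self.users = users  # stands in for "username <name> password <secret>" lines

    def challenge(self, ident: int):
        self.ident, self.value = ident, os.urandom(16)
        return ident, self.value, self.hostname

    def verify(self, ident: int, response: bytes, peer_name: str):
        secret = self.users.get(peer_name)
        if secret is None:
            # Fails before any hash comparison: the name itself is unknown.
            return False, f"no username entry for {peer_name!r}"
        expected = chap_response(ident, secret, self.value)
        if ident != self.ident or not hmac.compare_digest(expected, response):
            return False, "secret mismatch"
        return True, "ok"


def peer_respond(chap_name, users, ident, challenge, challenger_name):
    """Peer side, modelled on R3: the secret comes from the entry named after the challenger."""
    secret = users[challenger_name]
    return chap_response(ident, secret, challenge), chap_name


def attempt(chap_name: str):
    """Run one exchange with the name R3 puts in its RESPONSE set to chap_name."""
    r1 = Authenticator("R1", {"R2": b"cisco"})  # R1's only username line in the question
    r3_users = {"R1": b"cisco"}                 # R3's "username R1 password 0 cisco"
    ident, value, name = r1.challenge(1)
    response, sent_name = peer_respond(chap_name, r3_users, ident, value, name)
    return r1.verify(ident, response, sent_name)


if __name__ == "__main__":
    print("response sent as R3:", attempt("R3"))  # name defaults to the hostname
    print("response sent as R2:", attempt("R2"))  # name overridden, as with "ppp chap hostname R2"
```

The model covers only R1's check of R3's response; the debug output in the question shows authentication requested in both directions.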