Configuring PPP Authentication # Method2
In this example we configure PPP authentication with an alternate method: we instruct the router to send different credentials (other than its own hostname) to the other side. In contrast to the previous method, this works even if you change the router's name.
required steps
To do this we need to create a new user account on each router and define the username to send when challenged for authentication.
optional commands
If you haven't done it already, you should issue the service password-encryption command to encrypt all clear text passwords in the configuration.
before you begin
It's always a good idea to enable some debugging before making any changes, so you can see the process and understand what is happening in the background. Use the debug ppp authentication command.
configuration
First enable debugging on R1.
R1
R1#debug ppp authentication
PPP authentication debugging is on
R1#
Now create a new user account and specify a username to send to R2.
The username we are going to use here must be the same as specified on R2 as the username to send to R1!
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username AUTH_R2 password R0ut3r
Finally select the interface and specify the username to send to R2.
R1(config)#interface s0/0
R1(config-if)#ppp chap hostname AUTH_R1
R1(config-if)#
*Mar 1 12:12:15.694: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
*Mar 1 12:12:16.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
*Mar 1 12:12:53.376: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 12:12:53.376: Se0/0 PPP: Using default call direction
*Mar 1 12:12:53.376: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 12:12:53.376: Se0/0 PPP: Session handle[EC00000C] Session id[11]
*Mar 1 12:12:53.376: Se0/0 PPP: Authorization required
*Mar 1 12:12:53.384: Se0/0 CHAP: O CHALLENGE id 5 len 28 from "AUTH_R1"
*Mar 1 12:12:53.384: Se0/0 CHAP: I CHALLENGE id 2 len 23 from "R2"
*Mar 1 12:12:53.388: Se0/0 CHAP: Using hostname from interface CHAP
*Mar 1 12:12:53.388: Se0/0 CHAP: Using password from AAA
Using hostname from interface CHAP = AUTH_R1
Now R2. Create a user and shut down the interface before configuring so the debug messages won't fill the screen.
R2#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#username AUTH_R1 password R0ut3r
R2(config)#interface s0/0
R2(config-if)#shutdown
R2(config-if)#
*Mar 1 17:09:13.659: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
Set the username to send out and enable debugging.
R2
R2(config-if)#ppp chap hostname AUTH_R2
R2(config-if)#do debug ppp authentication
PPP authentication debugging is on
The do command can be used to execute EXEC level commands from global configuration or other modes. It requires IOS version 12.0(20)S or higher.
Now enable the interface.
R2(config-if)#no shutdown
R2(config-if)#
*Mar 1 17:10:40.389: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 17:10:40.389: Se0/0 PPP: Using default call direction
*Mar 1 17:10:40.389: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 17:10:40.393: Se0/0 PPP: Session handle[A8000093] Session id[146]
*Mar 1 17:10:40.393: Se0/0 PPP: Authorization required
*Mar 1 17:10:40.401: Se0/0 CHAP: O CHALLENGE id 136 len 28 from "AUTH_R2"
*Mar 1 17:10:40.401: Se0/0 CHAP: I CHALLENGE id 139 len 28 from "AUTH_R1"
*Mar 1 17:10:40.409: Se0/0 CHAP: Using hostname from interface CHAP
*Mar 1 17:10:40.409: Se0/0 CHAP: Using password from AAA
*Mar 1 17:10:40.409: Se0/0 CHAP: O RESPONSE id 139 len 28 from "AUTH_R2"
*Mar 1 17:10:40.413: Se0/0 CHAP: I RESPONSE id 136 len 28 from "AUTH_R1"
*Mar 1 17:10:40.417: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 17:10:40.421: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 17:10:40.421: Se0/0 CHAP: I SUCCESS id 139 len 4
*Mar 1 17:10:40.425: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 17:10:40.429: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 17:10:40.433: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 17:10:40.433: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 17:10:40.433: Se0/0 CHAP: O SUCCESS id 136 len 4
*Mar 1 17:10:40.437: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 17:10:40.441: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 17:10:40.449: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 17:10:41.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
And here it is, the whole process in front of your eyes! First the interface comes up, then the negotiation begins using the name we set on the interface and the password from the local user account. Finally the line protocol comes up.
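The name and password lookup behind this exchange, as an added example (not part of the original tutorial and not Cisco code): a simplified Python model of two-way CHAP with the MD5 response from RFC 1994. The Router class and the function names are hypothetical; the usernames and password are the ones configured above.

```python
import hashlib
import hmac
import os

def chap_value(ident, secret, challenge):
    # RFC 1994, MD5 algorithm: hash over Identifier || secret || Challenge
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:  # hypothetical model, not an IOS API
    def __init__(self, hostname, chap_hostname, users):
        self.hostname = hostname            # global hostname, not consulted below
        self.chap_hostname = chap_hostname  # models "ppp chap hostname <name>"
        self.users = dict(users)            # models "username <name> password <pw>"

    def respond(self, ident, challenge, challenger_name):
        # The responder finds the secret under the name the challenger announced.
        secret = self.users.get(challenger_name)
        if secret is None:
            return None
        return self.chap_hostname, chap_value(ident, secret, challenge)

    def verify(self, ident, challenge, response):
        if response is None:
            return False
        peer_name, value = response
        secret = self.users.get(peer_name)
        if secret is None:                  # no local account for the name sent
            return False
        return hmac.compare_digest(chap_value(ident, secret, challenge), value)

def authenticates(authenticator, peer, ident=1):
    """One direction: authenticator challenges, peer responds."""
    challenge = os.urandom(16)              # fresh random challenge per attempt
    response = peer.respond(ident, challenge, authenticator.chap_hostname)
    return authenticator.verify(ident, challenge, response)

def link_authenticated(a, b):
    """Both routers send a CHALLENGE in the debug output, so both must pass."""
    return authenticates(a, b) and authenticates(b, a)

# Constructed routers mirroring the configuration on this page.
r1 = Router("R1", "AUTH_R1", {"AUTH_R2": "R0ut3r"})
r2 = Router("R2", "AUTH_R2", {"AUTH_R1": "R0ut3r"})

if __name__ == "__main__":
    print("page config:", link_authenticated(r1, r2))
    r1.hostname = "CORE-1"                  # renaming the router changes nothing
    print("after rename:", link_authenticated(r1, r2))
    r2_unset = Router("R2", "R2", {"AUTH_R1": "R0ut3r"})  # CHAP name still "R2"
    print("R2 sends 'R2':", link_authenticated(r1, r2_unset))
```

The last case corresponds to the R1 debug output above, where the challenge still arrives from "R2" and no SUCCESS follows until R2 is configured.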
verification
You should be able to ping one router from the other and you can check the running configuration.
R2#show run | section interface Serial0/0
interface Serial0/0
description LINK TO R1
ip address 192.168.1.2 255.255.255.252
encapsulation ppp
clock rate 128000
ppp authentication chap
ppp chap hostname AUTH_R2
R2#
commands explained
Commands used with a brief explanation.
debug ppp authentication: Enables debugging of ppp authentication
username AUTH_R2 password R0ut3r: Creates a user called AUTH_R2 with a password R0ut3r
ppp chap hostname AUTH_R1: Sets AUTH_R1 as the name sent to the other side during CHAP authentication on this interface, instead of the router's hostname
do debug ppp authentication: Enables debugging from interface configuration mode
show run | section interface Serial0/0: Shows the Serial0/0 section of the running configuration