Home  >  Cisco / Security

Configuring PPP Authentication # Method2

Published date

Last modified date

Comments: 0

In this example we will be configuring PPP authentication with an alternate method. We are going to instruct the router to send different credentials (other than it\’s own hostname) to the other side. In contrast to the previous method, this works even if you change the routers name.

required steps

To do this we need to create a new useraccount on each router and define a desired username to send when challenged for authentication.

optional commands

If you haven\’t done it already you should issue the service password-encryption command to encrypt all clear text passwords in the configuration.

before you begin

It\’s always a good idea to enable some debugging before making any changes, so you can see the process and understand what is happening in the background. Use the debug ppp authentication command.

configuration

First enable debugging on R1.

R1

R1#debug ppp authentication
PPP authentication debugging is on
R1#

Now create a new user account and specify a username to send to R2.

The username we are going to use here must be the same as specified on R2 as the username to send to R1! 

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username AUTH_R2 password R0ut3r

Finally select the interface and specify the username to send to R2.

R1(config)#interface s0/0
R1(config-if)#ppp chap hostname AUTH_R1
R1(config-if)#
*Mar  1 12:12:15.694: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
*Mar  1 12:12:16.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
*Mar  1 12:12:53.376: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 12:12:53.376: Se0/0 PPP: Using default call direction
*Mar  1 12:12:53.376: Se0/0 PPP: Treating connection as a dedicated line
*Mar  1 12:12:53.376: Se0/0 PPP: Session handle[EC00000C] Session id[11]
*Mar  1 12:12:53.376: Se0/0 PPP: Authorization required
*Mar  1 12:12:53.384: Se0/0 CHAP: O CHALLENGE id 5 len 28 from "AUTH_R1"
*Mar  1 12:12:53.384: Se0/0 CHAP: I CHALLENGE id 2 len 23 from "R2"
*Mar  1 12:12:53.388: Se0/0 CHAP: Using hostname from interface CHAP
*Mar  1 12:12:53.388: Se0/0 CHAP: Using password from AAA

Using hostname from interface CHAP = AUTH_R1

Now R2. Create a user and shut down the interface before configuring so the debug messages won\’t fill the screen.

R2#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#username AUTH_R1 password R0ut3r
R2(config)#interface s0/0
R2(config-if)#shutdown
R2(config-if)#
*Mar  1 17:09:13.659: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down

Set the username to send out and enable debugging.

R2

R2(config-if)#ppp chap hostname AUTH_R2
R2(config-if)#do debug ppp authentication
PPP authentication debugging is on

The do command can be used to execute EXEC level commands from global configuration or other modes. It requires IOS version 12.0(20)S or higher.

Now enable the interface

R2(config-if)#no shutdown
R2(config-if)#
*Mar  1 17:10:40.389: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 17:10:40.389: Se0/0 PPP: Using default call direction
*Mar  1 17:10:40.389: Se0/0 PPP: Treating connection as a dedicated line
*Mar  1 17:10:40.393: Se0/0 PPP: Session handle[A8000093] Session id[146]
*Mar  1 17:10:40.393: Se0/0 PPP: Authorization required
*Mar  1 17:10:40.401: Se0/0 CHAP: O CHALLENGE id 136 len 28 from "AUTH_R2"
*Mar  1 17:10:40.401: Se0/0 CHAP: I CHALLENGE id 139 len 28 from "AUTH_R1"
*Mar  1 17:10:40.409: Se0/0 CHAP: Using hostname from interface CHAP
*Mar  1 17:10:40.409: Se0/0 CHAP: Using password from AAA
*Mar  1 17:10:40.409: Se0/0 CHAP: O RESPONSE id 139 len 28 from "AUTH_R2"
*Mar  1 17:10:40.413: Se0/0 CHAP: I RESPONSE id 136 len 28 from "AUTH_R1"
*Mar  1 17:10:40.417: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar  1 17:10:40.421: Se0/0 PPP: Received LOGIN Response PASS
*Mar  1 17:10:40.421: Se0/0 CHAP: I SUCCESS id 139 len 4
*Mar  1 17:10:40.425: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar  1 17:10:40.429: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar  1 17:10:40.433: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar  1 17:10:40.433: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar  1 17:10:40.433: Se0/0 CHAP: O SUCCESS id 136 len 4
*Mar  1 17:10:40.437: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar  1 17:10:40.441: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar  1 17:10:40.449: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar  1 17:10:41.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

And here it is, the whole process in front of your eyes! First the interface comes up, then the negotiation begins using the name we set on the interface and the password from the local user account. Finally the line protocol comes up.

verification

You should be able to ping one router from the other and you can check the running configuration.

R2#show run | section interface Serial0/0
interface Serial0/0
 description LINK TO R1
 ip address 192.168.1.2 255.255.255.252
 encapsulation ppp
 clock rate 128000
 ppp authentication chap
 ppp chap hostname AUTH_R2
R2#

commands explained

Commands used with a brief explanation.

debug ppp authentication: Enables debugging of ppp authentication
username AUTH_R2 password R0ut3r: Creates a user called R2 with a password C1sc0
ppp chap hostname AUTH_R1: Creates a user called AUTH_R1 with a password R0ut3r
do debug ppp authentication: Enables debugging from interface configuration mode
show run | section interface Serial0/0: Shows the Serial0/0 section of the running configuration

Categories:CiscoSecurity

Tags:

Sisko Warrior

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.