Friday, 18 March 2011

PPP Authentication - PAP and CHAP

I don't really use serial interfaces in my day-to-day job so when it comes to lab questions regarding PPP, HDLC, and Frame Relay I am immediately horrified.

Here's the question given:

1. Enable PPP encapsulation for the Serial link connecting R4 and R5 and use the IP subnet 155.1.45.0/24 for this link.

2. R4 should attempt to authenticate R5 using PAP and then CHAP. R5 should refuse PAP authentication and use CHAP.

3. Make sure R4 uses an alternate CHAP hostname R4CHAP.

4. Use the name R5CHAP and the password of CISCO to accomplish this.

5. R5 should authenticate R4 using PAP only. R4 should use the name R4PPP and the password of CISCO.

Let's say that s0/0 is the interface at either end and R4 is the DCE.

Step 1:

Enable PPP encapsulation on both ends, set the clock rate on R4 (the DCE), and assign the IP addresses.

R4:

interface s0/0
encapsulation ppp
clock rate 64000
ip address 155.1.45.4 255.255.255.0


R5:

interface s0/0
encapsulation ppp
ip address 155.1.45.5 255.255.255.0


Step 2:

R4 needs to authenticate R5 using PAP, and if it is refused, should use CHAP. R5 will be configured to refuse PAP authentication from R4.

R4:

interface s0/0
encapsulation ppp
clock rate 64000
ip address 155.1.45.4 255.255.255.0
ppp authentication pap chap

R5:

interface s0/0
encapsulation ppp
ip address 155.1.45.5 255.255.255.0
ppp pap refuse

Step 3:

R4 needs to specify a CHAP hostname of R4CHAP. If this weren't specified, the CHAP hostname would default to the hostname of the router (in this case, R4).

R4:

interface s0/0
encapsulation ppp
clock rate 64000
ip address 155.1.45.4 255.255.255.0
ppp authentication pap chap
ppp chap hostname R4CHAP

R5:

interface s0/0
encapsulation ppp
ip address 155.1.45.5 255.255.255.0
ppp pap refuse

Step 4:

R5 should respond with a CHAP hostname of R5CHAP and a CHAP password of CISCO. Therefore on R4 we must configure a username/password pair for R5's details. What isn't obvious is that R5 also needs a username/password pair for R4's details: R4's challenge carries its CHAP hostname, and R5 uses that name to look up the password it hashes into its response. In this case the R4 CHAP hostname is R4CHAP and the password must match R5's CHAP password, which is CISCO.

R4:

username R5CHAP password CISCO
!
interface s0/0
encapsulation ppp
clock rate 64000
ip address 155.1.45.4 255.255.255.0
ppp authentication pap chap
ppp chap hostname R4CHAP

R5:

username R4CHAP password CISCO
!
interface s0/0
encapsulation ppp
ip address 155.1.45.5 255.255.255.0
ppp pap refuse
ppp chap hostname R5CHAP
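
To show why both routers need a username entry in Step 4, here is a simplified model of the CHAP exchange (RFC 1994) in Python. It is an added example, not code from the original post or from Cisco. The function names and the dictionaries standing in for each router's local username database are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the "username ... password ..." lines in Step 4.
R4_USERS = {"R5CHAP": "CISCO"}
R5_USERS = {"R4CHAP": "CISCO"}

def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def make_challenge(name: str, ident: int = 1) -> dict:
    """Authenticator side: random challenge plus the authenticator's CHAP name."""
    return {"id": ident, "value": os.urandom(16), "name": name}

def make_response(challenge: dict, my_name: str, users: dict):
    """Peer side: select the secret by the challenger's name, then hash it."""
    secret = users.get(challenge["name"])
    if secret is None:
        return None  # no username entry for the challenger: cannot answer
    value = chap_hash(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": my_name}

def verify_response(challenge: dict, response, users: dict) -> bool:
    """Authenticator side: recompute the hash using the responder's name."""
    if response is None or response["id"] != challenge["id"]:
        return False
    secret = users.get(response["name"])
    if secret is None:
        return False
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])

def r4_authenticates_r5(r4_users: dict, r5_users: dict) -> bool:
    """R4 challenges as R4CHAP and R5 answers as R5CHAP."""
    challenge = make_challenge("R4CHAP")
    response = make_response(challenge, "R5CHAP", r5_users)
    return verify_response(challenge, response, r4_users)

if __name__ == "__main__":
    print(r4_authenticates_r5(R4_USERS, R5_USERS))  # both entries present
    print(r4_authenticates_r5(R4_USERS, {}))        # R5 lacks "username R4CHAP"
```

Only the hash crosses the link in this exchange, whereas the PAP authentication in Step 5 sends the R4PPP password itself in cleartext.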

Step 5:

R5 wants to authenticate R4 using PAP and R4 responds with a PAP username of R4PPP and a PAP password of CISCO.

R4:

username R5CHAP password CISCO
!
interface s0/0
encapsulation ppp
clock rate 64000
ip address 155.1.45.4 255.255.255.0
ppp authentication pap chap
ppp chap hostname R4CHAP
ppp pap sent-username R4PPP password CISCO

R5:

username R4CHAP password CISCO
! local entry R5 checks R4's PAP username/password against
username R4PPP password CISCO
!
interface s0/0
encapsulation ppp
ip address 155.1.45.5 255.255.255.0
ppp pap refuse
ppp chap hostname R5CHAP
ppp authentication pap

That's it. Not too bad but worth working through to see how it all fits together.
