Monday, July 21, 2008

PPP over Frame-relay with CHAP

Another task I had trouble with in Mock Lab 1 was 2.2, which is a PPP over FR task.

Here it is:

"For the connection between R4 and R5, use a PPP over frame configuration with RFC 1973 encapsulation. The connection should use CHAP authentication. For authentication both devices should use a username of T3ST123 and a password of PPPoverFr@m3. Both sides should challenge and respond."

I got PPP over FR to work fine, but when I enabled authentication it wasn't working so I skipped the task, instead just going for reachability.

Here I try it again. First, just with PPP over FR and no auth:


R4(config)#int virtual-template 1
R4(config-if)#ip address
R4(config)#int s1/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#frame-relay interface-dlci 405 ppp virtual-Template 1
R4(config-if)#frame-relay map ip 405 broadcast
R4(config-if)#no shut


R5(config)#int virtual-template 1
R5(config-if)#ip address
R5(config)#int s1/0
R5(config-if)#encapsulation frame-relay
R5(config-if)#int s1/0.2 multipoint
R5(config-subif)#frame-relay interface-dlci 504 ppp virtual-Template 1
R5(config-subif)#frame-relay map ip 504 broadcast
R5(config-subif)#int s1/0
R5(config-if)#no shut



Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/38/92 ms

Easy enough, right? Let's add CHAP:

R4(config)#username T3ST123 password PPPoverFr@m3
R4(config)#int virtual-template 1
R4(config-if)#ppp authentication chap
R4(config-if)#ppp chap hostname T3ST123
R4(config-if)#ppp chap password PPPoverFr@m3

R5(config)#username T3ST123 password PPPoverFr@m3
R5(config)#int virtual-template 1
R5(config-if)#ppp authentication chap
R5(config-if)#ppp chap hostname T3ST123
R5(config-if)#ppp chap password PPPoverFr@m3

Notice the error we get when we try to bring up the link. R4 ignores the incoming challenge because the name it carries (T3ST123) is the same name R4 itself is using:

R4#debug ppp authentication
PPP authentication debugging is on

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

*Mar 1 00:14:42.211: Vi1 CHAP: I CHALLENGE id 18 len 28 from "T3ST123"
*Mar 1 00:14:42.211: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:42.247: Vi1 AUTH: Timeout 2
*Mar 1 00:14:42.247: Vi1 CHAP: O CHALLENGE id 27 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: I CHALLENGE id 19 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:52.263: Vi1 AUTH: Timeout 3
*Mar 1 00:14:52.263: Vi1 CHAP: O CHALLENGE id 28 len 28 from "T3ST123"
*Mar 1 00:15:02.271: Vi1 CHAP: I CHALLENGE id 20 len 28 from "T3ST123"
*Mar 1 00:15:02.271: Vi1 CHAP: Ignoring Challenge with local name

What's the answer? Well, it turns out the command is not documented very well. I actually gave up and looked in the proctor guide:

R4(config)#int virtual-template 1
R4(config-if)#no ppp chap ignoreus

R5(config)#int virtual-template 1
R5(config-if)#no ppp chap ignoreus

The option doesn't even show up in context-sensitive help:

R4(config-if)#ppp chap ?
hostname Set alternate CHAP hostname
password Set default CHAP password
refuse Refuse to authenticate using CHAP
wait Wait for caller to authenticate first

In fact, I didn't find any mention of it on the DocCD and only 3 results came up in Google! One of them was this link:

Understanding and Configuring PPP CHAP Authentication

Well, I guess that's how it goes in the life of a CCIE candidate.
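
As an added example (not part of the original post), here is a small Python parser that scans `debug ppp authentication` output for inbound CHAP challenges that were dropped because the peer's name matches the local CHAP hostname. The function name and result fields are assumptions made for illustration; the sample input is copied from the debug output shown above.

```python
import re

# Sample input: debug lines copied from the post above.
SAMPLE_DEBUG = """\
*Mar 1 00:14:42.211: Vi1 CHAP: I CHALLENGE id 18 len 28 from "T3ST123"
*Mar 1 00:14:42.211: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:42.247: Vi1 AUTH: Timeout 2
*Mar 1 00:14:42.247: Vi1 CHAP: O CHALLENGE id 27 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: I CHALLENGE id 19 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: Ignoring Challenge with local name
"""

CHAP_RE = re.compile(
    r'(?P<intf>\S+) CHAP: (?P<dir>[IO]) CHALLENGE id (?P<id>\d+) '
    r'len \d+ from "(?P<name>[^"]*)"')
IGNORE_RE = re.compile(
    r'(?P<intf>\S+) CHAP: Ignoring Challenge with local name')


def find_ignored_challenges(text):
    """Return one finding per inbound challenge dropped for using our own name."""
    last_inbound = {}  # interface -> (id, name) of the latest inbound challenge
    local_names = {}   # interface -> name sent in our outbound challenges
    findings = []
    for line in text.splitlines():
        m = CHAP_RE.search(line)
        if m:
            if m["dir"] == "I":
                last_inbound[m["intf"]] = (int(m["id"]), m["name"])
            else:
                local_names[m["intf"]] = m["name"]
            continue
        m = IGNORE_RE.search(line)
        if m and m["intf"] in last_inbound:
            chal_id, name = last_inbound.pop(m["intf"])
            findings.append(
                {"interface": m["intf"], "id": chal_id, "peer_name": name})
    # Confirm the cause: the peer's name equals the name in our own challenges.
    for f in findings:
        f["same_as_local"] = local_names.get(f["interface"]) == f["peer_name"]
    return findings


if __name__ == "__main__":
    for finding in find_ignored_challenges(SAMPLE_DEBUG):
        print(finding)
```

A finding with `same_as_local` set to true means both ends present the same CHAP name, which is the condition that `no ppp chap ignoreus` works around.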


  1. Thanks dude... Holy Crap! I have the PG in front of me and would have never figured that out!

  2. Thanks man. Been racking my brain trying to figure out why I was getting that error...

  3. I spent so much time trying to figure out a similar case. Thanks!

  4. thanks ... this is a killer..

  5. You cannot configure the same hostname (T3ST123) on both routers.

  6. Thanks.... the missing command ppp chap ignoreus

    This is my summary of understanding PPP CHAP PASSWORD command

    R1 ----- R2
    R1 will challenge the MD5 with R2

    R1 Configuration
    Config T
    username R2 password LEMONTEE
    interface serial 0/0
    encapsulation ppp
    ip add
    ppp authentication chap
    no shut

    R2 configuration
    Config T

    interface serial 0/0
    encapsulation ppp
    ip add
    ppp chap password LEMONTEE
    no ppp chap ignoreus
    no shut

