Monday, July 21, 2008

PPP over Frame-relay with CHAP

Another task I had trouble with in Mock Lab 1 was 2.2 which is a PPP over FR task.

Here it is:

"For the connection between R4 and R5, use a PPP over frame configuration with RFC 1973 encapsulation. The connection should use CHAP authentication. For authentication both devices should use a username of T3ST123 and a password of PPPoverFr@m3. Both sides should challenge and respond."

I got PPP over FR to work fine, but when I enabled authentication it wasn't working so I skipped the task, instead just going for reachability.

Here I try it again. First, just with PPP over FR and no auth:

R4:

R4(config)#int virtual-template 1
R4(config-if)#ip address 141.141.45.4 255.255.255.0
R4(config-if)#exit
R4(config)#int s1/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#frame-relay interface-dlci 405 ppp virtual-Template 1
R4(config-if)#frame-relay map ip 141.141.45.5 405 broadcast
R4(config-if)#no shut


R5:

R5(config)#int virtual-template 1
R5(config-if)#ip address 141.141.45.5 255.255.255.0
R5(config-if)#exit
R5(config)#int s1/0
R5(config-if)#encapsulation frame-relay
R5(config-if)#int s1/0.2 multipoint
R5(config-subif)#frame-relay interface-dlci 504 ppp virtual-Template 1
R5(config-subif)#frame-relay map ip 141.141.45.4 504 broadcast
R5(config-subif)#int s1/0
R5(config-if)#no shut


Verify:

R4#ping 141.141.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.141.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/38/92 ms
R4#

Easy enough, right? Let's add CHAP:

R4(config)#username T3ST123 password PPPoverFr@m3
R4(config)#int virtual-template 1
R4(config-if)#ppp authentication chap
R4(config-if)#ppp chap hostname T3ST123
R4(config-if)#ppp chap password PPPoverFr@m3

R5(config)#username T3ST123 password PPPoverFr@m3
R5(config)#int virtual-template 1
R5(config-if)#ppp authentication chap
R5(config-if)#ppp chap hostname T3ST123
R5(config-if)#ppp chap password PPPoverFr@m3


Notice the error we get when we try to bring up the link. R4 ignores the incoming challenge because the name in it, T3ST123, is the same name R4 itself is using:

R4#debug ppp authentication
PPP authentication debugging is on
R4#ping 141.141.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.141.45.5, timeout is 2 seconds:

*Mar 1 00:14:42.211: Vi1 CHAP: I CHALLENGE id 18 len 28 from "T3ST123"
*Mar 1 00:14:42.211: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:42.247: Vi1 AUTH: Timeout 2
*Mar 1 00:14:42.247: Vi1 CHAP: O CHALLENGE id 27 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: I CHALLENGE id 19 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:52.263: Vi1 AUTH: Timeout 3
*Mar 1 00:14:52.263: Vi1 CHAP: O CHALLENGE id 28 len 28 from "T3ST123"
*Mar 1 00:15:02.271: Vi1 CHAP: I CHALLENGE id 20 len 28 from "T3ST123"
*Mar 1 00:15:02.271: Vi1 CHAP: Ignoring Challenge with local name


What's the answer? Well, it turns out the command is not documented very well. I actually gave up and looked in the proctor guide:

R4(config)#int virtual-template 1
R4(config-if)#no ppp chap ignoreus

R5(config)#int virtual-template 1
R5(config-if)#no ppp chap ignoreus


The option doesn't even show up in context-sensitive help:

R4(config-if)#ppp chap ?
hostname Set alternate CHAP hostname
password Set default CHAP password
refuse Refuse to authenticate using CHAP
wait Wait for caller to authenticate first


In fact, I didn't find any mention of it on the DocCD and only 3 results came up in Google! One of them was this link:

Understanding and Configuring PPP CHAP Authentication

Well, I guess that's how it goes in the life of a CCIE candidate.
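
A simplified model of the two-way CHAP exchange above, added here as an example and not taken from the original post or from Cisco's implementation. The `Peer` class, `link_up`, `lab` and the `ignore_own_name` flag are hypothetical names; the response hash follows RFC 1994, and the ignore check only mirrors the behaviour the debug output shows.

```python
import hashlib
import hmac
import os

def chap_hash(ident, secret, value):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + value).digest()

class Peer:
    """Simplified CHAP endpoint; a model for illustration, not Cisco's code."""
    def __init__(self, name, users, default_pw=None, ignore_own_name=True):
        self.name = name                        # 'ppp chap hostname'
        self.users = users                      # 'username X password Y' entries
        self.default_pw = default_pw            # 'ppp chap password' fallback
        self.ignore_own_name = ignore_own_name  # False models 'no ppp chap ignoreus'
        self.pending = None

    def challenge(self, ident):
        self.pending = (ident, os.urandom(16))
        return ident, self.pending[1], self.name

    def respond(self, ident, value, peer_name):
        if self.ignore_own_name and peer_name == self.name:
            return None                         # "Ignoring Challenge with local name"
        secret = self.users.get(peer_name, self.default_pw)
        if secret is None:
            return None
        return ident, chap_hash(ident, secret, value), self.name

    def verify(self, response):
        if response is None or self.pending is None:
            return False                        # no response: authenticator times out
        ident, digest, peer_name = response
        sent_id, value = self.pending
        secret = self.users.get(peer_name)
        if secret is None or ident != sent_id:
            return False
        return hmac.compare_digest(digest, chap_hash(ident, secret, value))

def link_up(a, b):
    """Both sides challenge; the link authenticates only if both verify."""
    a_ok = a.verify(b.respond(*a.challenge(27)))
    b_ok = b.verify(a.respond(*b.challenge(18)))
    return a_ok and b_ok

def lab(ignore_own_name):
    """R4 and R5 as configured in the post: same CHAP name and password."""
    def router():
        return Peer("T3ST123", {"T3ST123": "PPPoverFr@m3"}, "PPPoverFr@m3", ignore_own_name)
    return link_up(router(), router())
```

`lab(True)` reproduces the timeout seen in the debug output, and `lab(False)` shows the exchange completing once the local-name check is turned off.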

6 comments:

  1. Thanks dude... Holy Crap! I have the PG in front of me and would have never figured that out!

  2. thanks man. been racking my brain trying to figure out why i was getting that error...

  3. I spent so much time trying to figure out a similar case. Thanks!

  4. thanks ... this is a killer..

  5. you can not config the same hostname(T3ST123) in both routers.

  6. Thanks.... the missing command ppp chap ignoreus

    This is my summary of understanding PPP CHAP PASSWORD command

    R1 ----- R2
    R1 will challenge the MD5 with R2

    R1 Configuration
    Config T
    username R2 password LEMONTEE
    interface serial 0/0
    encapsulation ppp
    ip add 10.0.0.1 255.255.255.0
    ppp authentication chap
    no shut

    R2 configuration
    Config T

    interface serial 0/0
    encapsulation ppp
    ip add 10.0.0.2 255.255.255.0
    ppp chap password LEMONTEE
    no ppp chap ignoreus
    no shut

