PPP over Frame-relay with CHAP

Another task I had trouble with in Mock Lab 1 was 2.2 which is a PPP over FR task.

Here it is:

"For the connection between R4 and R5, use a PPP over frame configuration with RFC 1973 encapsulation. The connection should use CHAP authentication. For authentication both devices should use a username of T3ST123 and a password of PPPoverFr@m3. Both sides should challenge an respond."

I got PPP over FR to work fine, but when I enabled authentication it wasn't working so I skipped the task, instead just going for reachability.

Here I try it again. First, just with PPP over FR and no auth:

R4:

R4(config)#int virtual-template 1
R4(config-if)#ip address 141.141.45.4 255.255.255.0
R4(config-if)#exit
R4(config)#int s1/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#frame-relay interface-dlci 405 ppp virtual-Template 1
R4(config-if)#frame-relay map ip 141.141.45.5 405 broadcast
R4(config-if)#no shut

R5:

R5(config)#int virtual-template 1
R5(config-if)#ip address 141.141.45.5 255.255.255.0
R5(config-if)#exit
R5(config)#int s1/0
R5(config-if)#encapsulation frame-relay
R5(config-if)#int s1/0.2 multipoint
R5(config-subif)#frame-relay interface-dlci 504 ppp virtual-Template 1
R5(config-subif)#frame-relay map ip 141.141.45.4 504 broadcast
R5(config-subif)#int s1/0
R5(config-if)#no shut

Verify:

R4#ping 141.141.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.141.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/38/92 ms
R4#

Easy enough, right? Let's add CHAP:

R4(config)#username T3ST123 password PPPoverFr@m3
R4(config)#int virtual-template 1
R4(config-if)#ppp authentication chap
R4(config-if)#ppp chap hostname T3ST123
R4(config-if)#ppp chap password PPPoverFr@m3

R5(config)#username T3ST123 password PPPoverFr@m3
R5(config)#int virtual-template 1
R5(config-if)#ppp authentication chap
R5(config-if)#ppp chap hostname T3ST123
R5(config-if)#ppp chap password PPPoverFr@m3

Notice the error we get when we try and bring up the link. R4 is ignoring the username because that's what it is using:

R4#debug ppp authentication
PPP authentication debugging is on
R4#ping 141.141.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.141.45.5, timeout is 2 seconds:

*Mar 1 00:14:42.211: Vi1 CHAP: I CHALLENGE id 18 len 28 from "T3ST123"
*Mar 1 00:14:42.211: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:42.247: Vi1 AUTH: Timeout 2
*Mar 1 00:14:42.247: Vi1 CHAP: O CHALLENGE id 27 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: I CHALLENGE id 19 len 28 from "T3ST123"
*Mar 1 00:14:52.247: Vi1 CHAP: Ignoring Challenge with local name
*Mar 1 00:14:52.263: Vi1 AUTH: Timeout 3
*Mar 1 00:14:52.263: Vi1 CHAP: O CHALLENGE id 28 len 28 from "T3ST123"
*Mar 1 00:15:02.271: Vi1 CHAP: I CHALLENGE id 20 len 28 from "T3ST123"
*Mar 1 00:15:02.271: Vi1 CHAP: Ignoring Challenge with local name

What's the answer? Well it turns out the command is not documented very well. I actually gave up and looked in the procotor guide:

R4(config)#int virtual-template 1
R4(config-if)#no ppp chap ignoreus

R5(config)#int virtual-template 1
R5(config-if)#no ppp chap ignoreus

The option doesn't even show up in context-sensitive help:

R4(config-if)#ppp chap ?
hostname Set alternate CHAP hostname
password Set default CHAP password
refuse Refuse to authenticate using CHAP
wait Wait for caller to authenticate first

In fact, I didn't find any mention of it on the DocCD and only 3 results came up in Google! One of them was this link:

Understanding and Configuring PPP CHAP Authentication

Well I guess that's how it goes in the life of a CCIE candidate