Monday, January 12, 2009

PPP Authentication with MD5

I had a task this weekend that asked to authenticate PPP via Md5. I did a context sensitive help and saw this:

R2(config-if)#ppp authentication ?
chap Challenge Handshake Authentication Protocol (CHAP)
eap Extensible Authentication Protocol (EAP)
ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
ms-chap-v2 Microsoft CHAP Version 2 (MS-CHAP-V2)
pap Password Authentication Protocol (PAP)

Doesn't look like there is an Md5 option...or is there? I looked up the ppp authentication commands in the DocCD:

-12.4 Mainline
-Master Index
-Cisco IOS Master Command List, All Releases
-ppp authentication MWP-147, SEC-1481

Click the SEC-1481 link

Now is where I used the browser search to look for "Md5." Not sure if this is possible in the lab so you may have to quickly scan with your eyes. The only hit comes up under "ppp eap local" command. You will see this phrase:

"In local mode, the EAP session is authenticated using the MD5 algorithm and obeys the same authentication rules as does Challenge Handshake Authentication Protocol (CHAP)."


So now that we know what mode we need everything else is easy, and it works just like CHAP. On both sides:

username R5 password cisco

interface Serial1/1
ip address
encapsulation ppp
ppp authentication eap
ppp eap password 0 cisco
ppp eap local

Always verify just to make sure it's working:

R2#debug ppp authentication

*Mar 1 00:34:34.779: Se1/1 PPP: Using default call direction
*Mar 1 00:34:34.783: Se1/1 PPP: Treating connection as a dedicated line
*Mar 1 00:34:34.783: Se1/1 PPP: Session handle[9700001A] Session id[32]
*Mar 1 00:34:34.787: Se1/1 PPP: Authorization required
*Mar 1 00:34:34.967: Se1/1 EAP: O REQUEST IDENTITY id 50 len 5
*Mar 1 00:34:35.015: Se1/1 EAP: I REQUEST IDENTITY id 19 len 5
*Mar 1 00:34:35.015: Se1/1 EAP: O RESPONSE IDENTITY id 19 len 7 from "R2"
*Mar 1 00:34:35.123: Se1/1 EAP: I RESPONSE IDENTITY id 50 len 7 from "R5"
*Mar 1 00:34:35.127: Se1/1 EAP: O REQUEST MD5 id 51 len 24 from "R2"
*Mar 1 00:34:35.131: Se1/1 EAP: I REQUEST MD5 id 20 len 24 from "R5"
*Mar 1 00:34:35.147: Se1/1 EAP: Using hostname from unknown source
*Mar 1 00:34:35.151: Se1/1 EAP: Using password from interface EAP
*Mar 1 00:34:35.151: Se1/1 EAP: O RESPONSE MD5 id 20 len 24 from "R2"
*Mar 1 00:34:35.435: Se1/1 EAP: I RESPONSE MD5 id 51 len 24 from "R5"
*Mar 1 00:34:35.451: Se1/1 PPP: Sent CHAP LOGIN Request
*Mar 1 00:34:35.455: Se1/1 EAP: I SUCCESS id 20 len 4
*Mar 1 00:34:35.463: Se1/1 PPP: Received LOGIN Response PASS
*Mar 1 00:34:35.475: Se1/1 PPP: Sent LCP AUTHOR Request
*Mar 1 00:34:35.483: Se1/1 PPP: Sent IPCP AUTHOR Req
*Mar 1 00:34:35.495: Se1/1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:34:35.499: Se1/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:34:35.499: Se1/1 EAP: O SUCCESS id 51 len 4
*Mar 1 00:34:35.507: Se1/1 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:34:35.519: Se1/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:34:35.543: Se1/1 PPP: Sent IPCP AUTHOR Request

*Mar 1 00:34:36.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

You can see above that we have incoming and outgoing MD5 reposnses and the requests pass.

1 comment:

Note: Only a member of this blog may post a comment.