CHAP authentication with secret passwords

WastedHat Member Posts: 132
Should CHAP authentication work with secret passwords? I'm only able to configure it using local plain text passwords with the 'username' command. Currently using:

(C3725-ADVENTERPRISEK9-M), Version 12.4(15)T14 on GNS3

Comments

  • rob42 Member Posts: 423
    Alright there; it's nice to find another UK member on here :)

    Your question demonstrates that you're some way ahead of me, but, as it happens, I have been reading about PPP/PAP/CHAP today, and so far as I can tell, from what I've read and (I hope) understood, the plain-text passwords (I say 'passwords', because the routers at either end of the PPP connection need to have the same password) are hashed using MD5. The remote device then sends a value calculated using the one-way hash function and the local router checks this hash value to make sure it matches: if the values don't match, the link is immediately dropped.

    You could encrypt the password on a Cisco router (I can't speak for other makes as I have no experience) with the service password-encryption command, but as you probably know, this will only put off the nosey, not the determined.

    I'd be interested to know what part of the UK you're from?

    Cheers.
    No longer an active member
  • robo78 Member Posts: 37
    I tried PPP with CHAP a few days ago with the username cisco secret cisco command on real gear in my lab and it did not work.
    With username cisco password cisco it worked just fine.
    Working on: Linux+
  • WastedHat Member Posts: 132
    rob42 wrote: »
    Alright there; it's nice to find another UK member on here :)

    I'd be interested to know what part of the UK you're from?

    Cheers.

    Hi, sorry about the late response; I'm away from home at the moment, but I'm normally based near Edinburgh. What about yourself?
    robo78 wrote: »
    I tried PPP with CHAP a few days ago with the username cisco secret cisco command on real gear in my lab and it did not work.
    With username cisco password cisco it worked just fine.

    What IOS are you using? I'm waiting to get back home to test it on my lab with IOS 15. It would be strange if it isn't allowed.
  • rob42 Member Posts: 423
    WastedHat wrote: »
    Hi, sorry about the late response; I'm away from home at the moment, but I'm normally based near Edinburgh. What about yourself?

    A wee bit further South - Durham.

    Best regards to you.
    No longer an active member
  • pinkiaiii Member Posts: 216
    Text from my notes about configuring CHAP authentication:

    Configuring CHAP Authentication
    CHAP periodically verifies the identity of the remote node using a three-way handshake. The hostname on one router must match the username the other router has configured. The passwords must also match. This occurs on initial link establishment and can be repeated any time after the link has been established. Figure 3 is an example of a CHAP configuration.

    So, to put it simply, when doing the config you use username on, say, R1 as username R2 password cisco and on router 2 use
    username R1 password cisco1.

    And here's more; what you might be missing is message digest MD5:

    After authentication is established with PAP, it does not re-authenticate. This leaves the network vulnerable to attack. Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. The password value is variable and changes unpredictably while the link exists.
    After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node, as shown in Figure 1.
    The remote node responds with a value calculated using a one-way hash function, which is typically Message Digest 5 (MD5) based on the password and challenge message, as shown in Figure 2.
    The local router checks the response against its own calculation of the expected hash value. If the values match, the initiating node acknowledges the authentication, as shown in Figure 3. If the value does not match, the initiating node immediately terminates the connection.
    CHAP provides protection against playback attack by using a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
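The three-way handshake described in the notes above, written out as an added Python example (not code from the thread or from Cisco): the authenticator sends an Identifier plus a random challenge, the peer answers with MD5(Identifier || secret || Challenge) as specified for the CHAP MD5 algorithm in RFC 1994, and the authenticator recomputes that value from its own copy of the shared secret. The router names R1/R2 and the password "cisco" are taken from the thread; the class and function names are this example's own. The point the example makes about the original question is visible in the code: the authenticator needs the cleartext secret to recompute the response, so a one-way stored hash of the password (what an IOS `secret` entry keeps) is not usable for CHAP, which is consistent with what robo78 observed on real gear.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical minimal model of RFC 1994 CHAP with the MD5 algorithm:
# Response Value = MD5(Identifier || secret || Challenge Value).
# Both routers must hold the same cleartext secret; a stored one-way hash
# of the password cannot stand in for it.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the 16-octet CHAP-MD5 response value for one challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Challenge:
    identifier: int   # echoed back in the Response so it can be matched
    value: bytes      # random and unpredictable, new for every challenge
    name: bytes       # authenticator's hostname, used by the peer to pick a secret


class Authenticator:
    """The local router: a 'username <remote-host> password <cleartext>' table."""

    def __init__(self, hostname: bytes, users: dict):
        self.hostname = hostname
        self.users = users      # remote hostname -> cleartext shared secret
        self._ident = 0

    def challenge(self) -> Challenge:
        """Issue a fresh challenge (initial link setup or periodic re-check)."""
        self._ident = (self._ident + 1) & 0xFF
        return Challenge(self._ident, os.urandom(16), self.hostname)

    def verify(self, chal: Challenge, identifier: int, name: bytes, response: bytes) -> bool:
        """Success only if the Identifier matches the outstanding challenge and the
        response equals our own recomputation over the shared cleartext secret."""
        if identifier != chal.identifier:
            return False
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, chal.value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The remote router: looks up the password configured for the challenger."""

    def __init__(self, hostname: bytes, users: dict):
        self.hostname = hostname
        self.users = users      # authenticator hostname -> cleartext shared secret

    def respond(self, chal: Challenge):
        secret = self.users[chal.name]
        return chal.identifier, self.hostname, chap_response(chal.identifier, secret, chal.value)


def run_exchange(r1_secret: bytes, r2_secret: bytes) -> bool:
    """R1 challenges R2, R2 responds, R1 decides. True only when both secrets match."""
    r1 = Authenticator(b"R1", {b"R2": r1_secret})
    r2 = Peer(b"R2", {b"R1": r2_secret})
    chal = r1.challenge()
    ident, name, resp = r2.respond(chal)
    return r1.verify(chal, ident, name, resp)


def replay_is_rejected() -> bool:
    """A response captured from one challenge is useless against the next one,
    which is the 'playback' protection the notes describe."""
    r1 = Authenticator(b"R1", {b"R2": b"cisco"})
    r2 = Peer(b"R2", {b"R1": b"cisco"})
    first = r1.challenge()
    ident, name, captured = r2.respond(first)
    if not r1.verify(first, ident, name, captured):
        return False
    second = r1.challenge()   # periodic re-challenge with a new random value
    return not r1.verify(second, second.identifier, name, captured)


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"cisco", b"cisco"))      # True
    print("mismatched secrets:", run_exchange(b"cisco", b"cisco1"))   # False
    print("old response vs new challenge:", replay_is_rejected())    # True
```

Note that `run_exchange(b"cisco", b"cisco1")` fails exactly as the notes say it must: the password must be identical on both ends, because neither side ever transmits it and each can only recompute the MD5 over the copy it holds.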