CHAP authentication with secret passwords
WastedHat Member Posts: 132
in CCNA & CCENT
Should CHAP authentication work with secret passwords? I'm only able to configure it using local plain text passwords with the 'username' command. Currently using:
(C3725-ADVENTERPRISEK9-M), Version 12.4(15)T14 on GNS3
Comments
-
rob42 Member Posts: 423
Alright there; it's nice to find another UK member on here.
Your question demonstrates that you're some way ahead of me, but, as it happens, I have been reading about PPP/PAP/CHAP today, and so far as I can tell, from what I've read and (I hope) understood, the plain-text passwords (I say 'passwords', because the routers at either end of the PPP connection need to have the same password) are hashed using MD5. The remote device then sends a value calculated using the one-way hash function and the local router checks this hash value to make sure it matches: if the values don't match, the link is immediately dropped.
You could encrypt the password on a Cisco router (I can't speak for other makes as I have no experience) with the service password-encryption command, but as you probably know, this will only put off the nosey, not the determined.
I'd be interested to know what part of the UK you're from?
Cheers.
No longer an active member
-
robo78 Member Posts: 37
I tried PPP with CHAP a few days ago with the username cisco secret cisco command on real gear in my lab and it did not work.
With username cisco password cisco it worked just fine.
Working on: Linux+
-
WastedHat Member Posts: 132
rob42 wrote:
Alright there; it's nice to find another UK member on here.
I'd be interested to know what part of the UK you're from?
Cheers.
Hi, sorry about the late response, I'm away from home at the moment but I'm normally based near Edinburgh. What about yourself?
robo78 wrote:
I tried PPP with CHAP a few days ago with the username cisco secret cisco command on real gear in my lab and it did not work.
With username cisco password cisco it worked just fine.
What IOS are you using? I'm waiting to get back home to test it on my lab with IOS 15. It would be strange if it isn't allowed.
-
rob42 Member Posts: 423
WastedHat wrote:
Hi, sorry about the late response, I'm away from home at the moment but I'm normally based near Edinburgh. What about yourself?
A wee bit further South - Durham.
Best regards to you.
No longer an active member
-
pinkiaiii Member Posts: 216
Text from my notes about configuring CHAP authentication:
Configuring CHAP Authentication
CHAP periodically verifies the identity of the remote node using a three-way handshake. The hostname on one router must match the username the other router has configured. The passwords must also match. This occurs on initial link establishment and can be repeated any time after the link has been established. Figure 3 is an example of a CHAP configuration.
So, to put it simply, when doing the config you use username on, say, R1 as username R2 password cisco, and on router 2 use
username R1 password cisco1.
And here's more. What you might be missing is message digest MD5:
After authentication is established with PAP, it does not re-authenticate. This leaves the network vulnerable to attack. Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. The password value is variable and changes unpredictably while the link exists.
After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node, as shown in Figure 1.
The remote node responds with a value calculated using a one-way hash function, which is typically Message Digest 5 (MD5) based on the password and challenge message, as shown in Figure 2.
The local router checks the response against its own calculation of the expected hash value. If the values match, the initiating node acknowledges the authentication, as shown in Figure 3. If the value does not match, the initiating node immediately terminates the connection.
CHAP provides protection against playback attack by using a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
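To make the challenge/response described in these notes concrete, and to show why the lab results above come out the way they do, here is an added example that is not from this thread, from Cisco or from any IOS source. It implements the MD5 form of CHAP as RFC 1994 defines it (Response = MD5(Identifier || Secret || Challenge)) in plain Python: one side issues a random challenge, the peer answers with its hostname and hash, and the challenger recomputes the hash from the cleartext password it has stored for that hostname (the role of username <peer> password <pw>). The class names, the hostnames R1/R2 and the passwords are constructed for the example. The last function stands in for a router that kept only a one-way hash of the password instead of the password itself: the stand-in hash is a plain MD5 of the string, not the salted form IOS actually stores, but the point is the same either way: without the cleartext secret the challenger cannot reproduce the peer's response, which is why CHAP needs the password form of the username entry.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The identifier is a single octet that binds the response to one specific challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The challenging side. Its table maps the peer's hostname (the CHAP Name field)
    to that peer's cleartext password, like 'username R2 password cisco' on R1."""

    def __init__(self, peers: dict):
        self.peers = {name: pw.encode() for name, pw in peers.items()}
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh, unpredictable challenge; repeated periodically on a live link."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        """Recompute the expected hash from the stored secret; each challenge is single use."""
        chal = self.outstanding.pop(identifier, None)
        if chal is None or peer_name not in self.peers:
            return False
        expected = chap_response(identifier, self.peers[peer_name], chal)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The responding side: answers with its own hostname and the hash over its secret."""

    def __init__(self, hostname: str, secret: str):
        self.hostname = hostname
        self.secret = secret.encode()

    def respond(self, identifier: int, challenge: bytes):
        return self.hostname, chap_response(identifier, self.secret, challenge)


def authenticate(auth: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One full three-way exchange: challenge -> response -> verify."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def demo_matching_secret() -> bool:
    # R1 holds 'username R2 password cisco'; R2 answers using its own 'cisco'. Expected: True.
    return authenticate(ChapAuthenticator({"R2": "cisco"}), ChapPeer("R2", "cisco"))


def demo_mismatched_secret() -> bool:
    # Same hostname, but the two ends hold different passwords. Expected: False.
    return authenticate(ChapAuthenticator({"R2": "cisco"}), ChapPeer("R2", "cisco1"))


def demo_replay_rejected() -> bool:
    # A captured response is useless against the next periodic challenge. Expected: True.
    r1 = ChapAuthenticator({"R2": "cisco"})
    r2 = ChapPeer("R2", "cisco")
    ident, chal = r1.challenge()
    name, resp = r2.respond(ident, chal)
    first_ok = r1.verify(ident, name, resp)
    ident2, _chal2 = r1.challenge()          # new identifier and random challenge
    replayed_ok = r1.verify(ident2, name, resp)
    return first_ok and not replayed_ok


def demo_hashed_store_cannot_verify() -> bool:
    # Constructed stand-in for a router that stored only a one-way hash of the password.
    # It hashes the stored digest into the response instead of the real secret, so the
    # values never match: CHAP verification needs the cleartext password. Expected: False.
    stored_hash = hashlib.md5(b"cisco").hexdigest()
    return authenticate(ChapAuthenticator({"R2": stored_hash}), ChapPeer("R2", "cisco"))


if __name__ == "__main__":
    print("matching secret:", demo_matching_secret())
    print("mismatched secret:", demo_mismatched_secret())
    print("replay rejected:", demo_replay_rejected())
    print("hash-only store verifies:", demo_hashed_store_cannot_verify())
```

The two hostnames in the example are the part people most often get wrong in the lab: R1's table entry is keyed by R2's hostname because that is the Name R2 sends back, exactly as the notes above say ("the hostname on one router must match the username the other router has configured").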