PAP authentication question

rjbarlow Member Posts: 411
Hi all, I'm trying to configure a unidirectional PAP authentication, but I am not succeeding.
The situation is this: router2 must authenticate router1.
My configurations:

Router1 ("sh run"):
!
Version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
!
ip subnet-zero
!
!
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.252
no ip directed-broadcast
bandwidth 64
encapsulation ppp
ppp authentication pap callin
ppp pap sent-username hanna password aaaa
!

On router2:
!
Version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router2
!
username hanna password aaaa
!
!
ip subnet-zero
!
!
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.252
no ip directed-broadcast
bandwidth 64
encapsulation ppp
ppp authentication pap
!

From the documentation I thought that with the "callin" keyword I designated the interface of the router that asks to be authenticated, but evidently that is not so, or at least it is not enough to make it work.

Any advice on where my mistake is?

Moreover, I wanted to ask whether you think this type of question appears on the CCNA exam (if not, I'll skip it).

Thank You.
Pork 3
Maindrian's music

WIP: 70-236, 70-293 and MCSE.

Comments

  • r_durant Member Posts: 486 ■■■□□□□□□□
    Question...do you have the two routers set up in a back-to-back scenario? With a serial cable, one side DTE and the other DCE? If so, you don't have any of the routers set up as the DCE to provide the clocking...using the 'clock rate' command...or maybe that's not required

    Just trying out my troubleshooting skills here...maybe one of the more skilled guys can interject...

    Can you ping from one serial interface to the other?
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    You have router 2 configured to authenticate router 1 and router 1 configured to authenticate router 2; however, you do not have a username/password on router 1 for router 2. The callin option will cause router 1 to only authenticate incoming connections and will reject authentication requests from router 2.

    I would:

    1. Add a user account to router 1 to authenticate router 2
    2. Add the "ppp pap sent-username xxxxx password yyy" command to R2
    3. Remove the callin parameter.


    If the goal is to have one side authenticate the other (one way), then only put the ppp authentication pap command on the side you want to prompt the other side for authentication (this would be an example like when you dial into an ISP and the ISP router authenticates you but you do not authenticate the router).

    For this you would need to remove the "ppp authentication pap" from router 2 and the callin parameter from router 1.

    HTH
    The only easy day was yesterday!
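
The one-way exchange discussed in this thread, shown at the packet level as an added example (not posted by anyone in the thread): the side configured with ppp pap sent-username sends a PAP Authenticate-Request, and the side configured with ppp authentication pap checks it against its local username entry. The packet layout follows RFC 1334; the function names are hypothetical, the credentials are the ones from the posted configs, and the request carries the password in cleartext.

```python
import hmac
import struct

PAP_REQUEST, PAP_ACK, PAP_NAK = 1, 2, 3  # PAP codes defined in RFC 1334


def build_request(ident, peer_id, password):
    """Authenticate-Request, as sent by the side with 'ppp pap sent-username'."""
    pid, pwd = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", PAP_REQUEST, ident, 4 + len(body)) + body


def parse_request(pkt):
    """Return (ident, peer_id, password); raise ValueError if malformed."""
    if len(pkt) < 6:
        raise ValueError("truncated PAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_REQUEST or length < 6 or length > len(pkt):
        raise ValueError("not a valid Authenticate-Request")
    data = pkt[4:length]
    id_len = data[0]
    if 1 + id_len >= len(data):
        raise ValueError("peer-id length overruns packet")
    pw_len = data[1 + id_len]
    if 2 + id_len + pw_len != len(data):
        raise ValueError("password length does not match packet length")
    return ident, data[1:1 + id_len].decode(), data[2 + id_len:].decode()


def authenticate(pkt, local_users):
    """Authenticator side ('ppp authentication pap'): compare the request
    with the local 'username ... password ...' entries, answer Ack or Nak."""
    try:
        ident, peer_id, password = parse_request(pkt)
    except ValueError:
        return None  # this example simply drops malformed packets
    expected = local_users.get(peer_id)
    ok = expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())
    # Reply: code, identifier, length 5, empty message (Msg-Length 0)
    return struct.pack("!BBHB", PAP_ACK if ok else PAP_NAK, ident, 5, 0)


# Constructed sample values taken from the configs posted in the thread
R2_USERS = {"hanna": "aaaa"}             # router2: username hanna password aaaa
REQ = build_request(1, "hanna", "aaaa")  # router1: ppp pap sent-username hanna password aaaa
```

A side that has no matching username entry answers with a Nak, and the password is readable in the raw request bytes.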
  • r_durant Member Posts: 486 ■■■□□□□□□□
    Well, there you go...I haven't reached PPP/PAP configs yet, so I was going at it from a connectivity point of view...
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • rjbarlow Member Posts: 411
    r_durant wrote:
    Well, there you go...I haven't reached PPP/PAP configs yet, so I was going at it from a connectivity point of view...
    Hi durant, don't worry, I'm using Boson NetSim for this lab, DCE and DTE are set up well, but with the configuration above it doesn't work... Ping doesn't work either...
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • rjbarlow Member Posts: 411
    dtlokee wrote:
    You have router 2 configured to authenticate router 1 and router 1 configured to authenticate router 2; however, you do not have a username/password on router 1 for router 2. The callin option will cause router 1 to only authenticate incoming connections and will reject authentication requests from router 2.

    I would:

    1. Add a user account to router 1 to authenticate router 2
    2. Add the "ppp pap sent-username xxxxx password yyy" command to R2
    3. Remove the callin parameter.


    If the goal is to have one side authenticate the other (one way), then only put the ppp authentication pap command on the side you want to prompt the other side for authentication (this would be an example like when you dial into an ISP and the ISP router authenticates you but you do not authenticate the router).

    For this you would need to remove the "ppp authentication pap" from router 2 and the callin parameter from router 1.

    HTH
    Hi dtlokee, I'll try soon and I will let you know. Thanks very much in the meantime.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    If the PPP authentication is incorrect the line protocol (ppp) cannot come up so no layer 2, therefore nothing else will work above that (including ping and any app layer protocols)

    HTH
    The only easy day was yesterday!
  • r_durant Member Posts: 486 ■■■□□□□□□□
    rjbarlow wrote:
    ...DCE and DTE are set up well, but with the configuration above it doesn't work... Ping doesn't work either...

    Just curious as to why the clock rate info doesn't show up in the config??
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • rjbarlow Member Posts: 411
    r_durant wrote:
    Just curious as to why the clock rate info doesn't show up in the config??
    In the show run output it is represented by "bandwidth 64"; however, that's only the parameter I set in the IGRP configuration, but without the tests for PAP authentication the whole network worked well, as did the ping.

    This is an excerpt of show int s1/0

    router2#show int s1/0

    Serial1/0 is up, line protocol is up
    Hardware is HD64570
    Internet address is 1.1.1.2/30
    MTU 1500 bytes, BW 64 Kbit, DLY 1000 usec, rely 255/255, load 1/255
    Encapsulation PPP, loopback not set, keepalive set (10 sec)


    BW 64 Kbit is the same.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • dpocoroba Member Posts: 12 ■□□□□□□□□□
    64000bps is the default clock rate, that's why it does not show up in the config

    "show controllers serial x" will show you the clock rate for an interface

    Bandwidth is only in reference to QoS and metric calculations.


    HTH
    DP
    "Knowledge is contagious, infect"
  • rjbarlow Member Posts: 411
    dtlokee wrote:
    If the goal is to have one side authenticate the other (one way), then only put the ppp authentication pap command on the side you want to prompt the other side for authentication (this would be an example like when you dial into an ISP and the ISP router authenticates you but you do not authenticate the router).

    For this you would need to remove the "ppp authentication pap" from router 2 and the callin parameter from router 1.

    HTH
    Hi, I have issued all these commands and tried various other solutions but it still doesn't work.

    I have tried bidirectional authentication and that, instead, works well.

    If I omit the ppp authentication pap command on either of the interfaces concerned on the two routers, both go into a down and down status.

    Any other advice in order to resolve this stuff would be appreciated.

    rjbarlow
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • iproute Member Posts: 269
    dpocoroba wrote:
    64000bps is the default clock rate, that's why it does not show up in the config

    "show controllers serial x" will show you the clock rate for an interface

    Bandwidth is only in reference to QoS and metric calculations.


    HTH
    DP

    When I set clock rate to 64000, it still shows it in the running config. I'd make sure that the "clock rate 64000" command has been issued at the serial interface configuration mode on the DCE device.

    Also, as others have mentioned, bandwidth and clock rate are not the same thing. You need to use the clock rate command here.

    Edit:
    interface Serial0/1
     ip address 172.26.26.114 255.255.255.240
     encapsulation ppp
     clockrate 64000
     ppp authentication chap
    
    CCNP Progress
    ROUTE [X] :: SWITCH [X] :: TSHOOT [X]