PPP Authentication PAP

r_durant Member Posts: 486
Ok, I have a simple, but strange one here...

Configuring PPP with PAP and CHAP on two 2600 routers...However, when I use PAP, the line doesn't come up, with CHAP it's fine...

If i change the line "ppp authentication pap" to "ppp authentication chap"...boom, it comes up!!

Configs...
hostname 2610
username 2621 password 0 creamed
!
interface Serial0/0
 ip address 192.168.99.1 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 clockrate 64000
 ppp authentication pap

hostname 2621
username 2610 password 0 creamed
!
interface Serial0/0
 ip address 192.168.99.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 ppp authentication pap

So, as i said if i change the encap from pap to chap, it comes up...am i missing something or is something screwed with routers?
CCNA (Expired...), MCSE, CWNA, BSc Computer Science
Working on renewing CCNA!

Comments

  • mikearama Member Posts: 749
    Config looks good.

    hey, with chap running, how about turning on debugging, then go back to pap, and we'll see where the process fails...

    debug ppp negotiation
    debug ppp authentication

    Post us up the results... could be interesting.

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • mikearama Member Posts: 749
    Ah... different user names. Don't they need to be identical?

    IE, you have
    username 2621 on one,
    and username 2610 on the other.

    Match them up.

    Or, make sure you have username 2621 AND username 2610 entered on both systems.

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • r_durant Member Posts: 486
    Well, remember it works with CHAP...

    But i think you should have the username of the remote router on the local router, i think that only the passwords should be identical...So you're saying put both?

    Here's a caption of what the debugs outputted from the 2610...it was scrolling too fast for me to capture it from the beginning...
    0:55:36: Se0/0 LCP: I CONFREQ [REQsent] id 169 len 14
    00:55:36: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:36: Se0/0 LCP:    MagicNumber 0x0416E44D (0x05060416E44D)
    00:55:36: Se0/0 LCP: O CONFREJ [REQsent] id 169 len 8
    00:55:36: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:36: Se0/0 LCP: I CONFREJ [REQsent] id 58 len 8
    00:55:36: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:36: Se0/0 LCP: Failed to negotiate with peer
    00:55:36: Se0/0 LCP: State is Closed
    00:55:36: Se0/0 PPP: Phase is DOWN
    00:55:36: Se0/0 PPP: Phase is ESTABLISHING, Passive Open
    00:55:36: Se0/0 LCP: State is Listen
    00:55:38: Se0/0 LCP: I CONFREQ [Listen] id 170 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREQ [Listen] id 59 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: O CONFREJ [Listen] id 170 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 59 len 9
    00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 60 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 171 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 171 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 60 len 9
    00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 61 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 172 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 172 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 61 len 9
    00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 62 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 173 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 173 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 62 len 9
    00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 63 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 174 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 174 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 63 len 9
    00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 64 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 175 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 175 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 64 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 65 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 176 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 176 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 65 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 66 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 177 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 177 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 66 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 67 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 178 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 178 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 67 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 68 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 179 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 179 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 68 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 69 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A768)
    00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 180 len 14
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
    00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 180 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 69 len 8
    00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
    00:55:38: Se0/0 LCP: Failed to negotiate with peer
    00:55:38: Se0/0 LCP: State is Closed
    00:55:38: Se0/0 PPP: Phase is DOWN
    00:55:38: Se0/0 PPP: Phase is ESTABLISHING, Passive Open
    00:55:38: Se0/0 LCP: State is Listen
    00:55:40: Se0/0 LCP: TIMEout: State Listen
    
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • r_durant Member Posts: 486
    mikearama wrote:
    Ah... different user names. Don't they need to be identical?

    IE, you have
    username 2621 on one,
    and username 2610 on the other.

    Match them up.

    Or, make sure you have username 2621 AND username 2610 entered on both systems.

    Mike

    Ok, i put both username/password on each router...no dice

    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • georgemc Member Posts: 429
    On the client side (PAP requires a client and a server) try adding:

    PPP PAP SENT-USERNAME <your_hostname> PASSWORD <password>

    On the server side use:

    USERNAME <remote_hostname> PASSWORD <matching_password>

    Let me know how this works out.


    George
    WGU BS: Business - Information Technology Management
    Start Date: 01 October 2012
    QFT1,PFIT in progress.
    TRANSFERRED/COMPLETED: AGC1,BBC1,LAE1,QBT1,LUT1,QLC1,QMC1,QLT1,IWC1,INC1,INT1,BVC1,CLC1,MGC1, CWV1 BNC1, LIT1,LWC1,QAT1,WFV1,EST1,EGC1,EGT1,IWT1,MKC1,MKT1,RWT1,FNT1,FNC1, BDC1,TPV1 REQUIRED:
  • r_durant Member Posts: 486
    georgemc wrote:
    On the client side (PAP requires a client and a server) try adding:

    PPP PAP SENT-USERNAME <your_hostname> PASSWORD <password>

    On the server side use:

    USERNAME <remote_hostname> PASSWORD <matching_password>

    Let me know how this works out.


    George

    Hey George, it still didn't work...

    On the client side...
    !
    interface Serial0/0
     ip address 192.168.99.2 255.255.255.252
     no ip directed-broadcast
     encapsulation ppp
     ppp authentication pap
     ppp pap sent-username 2621 password 7 15100E000D2F3D21
    !
    

    Also, I noticed that the client side password is encrypted and the server side isn't, i tried using "..password 0.." for unencrypted, but it still shows as 7-encrypted...

    Server side...
    username 2621 password 0 believe
    !
    interface Serial0/0
     ip address 192.168.99.1 255.255.255.252
     no ip directed-broadcast
     encapsulation ppp
     clockrate 64000
     ppp authentication pap
    

    From the 'debug ppp auth', i just get this...just this one line and nothing else...it just seems as though there's no pap authentication traversing the line at all...
    01:54:05: Se0/0 PPP: Treating connection as a dedicated line
    

    Long shot, but could it be something to do with the username being all numeric? I'll try changing the hostname to alpha and see what happens...
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • dtlokee Member Posts: 2,378
    You're configuring each router to authenticate the other, so you'll need to set the "ppp pap sent-username" command on both sides.
    The only easy day was yesterday!
  • georgemc Member Posts: 429
    dtlokee wrote:
    You're configuring each router to authenticate the other, so you'll need to set the "ppp pap sent-username" command on both sides.

    DOH!

    Yeah, what he said. I was thinking one-way authentication (with the PPP AUTHENTICATION PAP removed on the client side). You'd prefer to use two-way authentication as DT described above.

    George
    WGU BS: Business - Information Technology Management
    Start Date: 01 October 2012
    QFT1,PFIT in progress.
    TRANSFERRED/COMPLETED: AGC1,BBC1,LAE1,QBT1,LUT1,QLC1,QMC1,QLT1,IWC1,INC1,INT1,BVC1,CLC1,MGC1, CWV1 BNC1, LIT1,LWC1,QAT1,WFV1,EST1,EGC1,EGT1,IWT1,MKC1,MKT1,RWT1,FNT1,FNC1, BDC1,TPV1 REQUIRED:
  • r_durant Member Posts: 486
    Wow...that worked Derek!!

    But this has totally thrown me off...it's not mentioned in any of the texts!!
    Both texts just have the username/password that is set in global config mode...and skimming thru the texts quickly, i don't even see anything mentioned about "ppp pap sent-username.."

    I've got to wonder about these texts sometimes...

    So just for those interested, this was the final config on the serial interfaces...
    hostname RouterB
    !
    username RouterA password work
    !
    interface Serial0/0
     ip address 192.168.99.1 255.255.255.252
     no ip directed-broadcast
     encapsulation ppp
     clockrate 64000
     ppp authentication pap
     ! this password will be displayed encrypted
     ppp pap sent-username RouterB password work

    hostname RouterA
    !
    username RouterB password work
    !
    interface Serial0/0
     ip address 192.168.99.2 255.255.255.252
     no ip directed-broadcast
     encapsulation ppp
     ppp authentication pap
     ! this password will be displayed encrypted
     ppp pap sent-username RouterA password work
    
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • dtlokee Member Posts: 2,378
    Well the explanation is like this: the "ppp authentication pap" on an interface tells the router you want it to authenticate any connection attempts. If you put this on one router only (in the case of a dial in server for an ISP let's say) that router will request authentication from the other router. If you put it on both sides as you did, you're telling both sides to authenticate the other side, this will require the "ppp pap sent-username" on both sides. This is always the case for CHAP, which is mutual authentication and requires both sides authenticate the other side as part of the process.
    The only easy day was yesterday!
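
Added example, not written by any poster in this thread: a small Python parser for `debug ppp negotiation` output that decodes the LCP option bytes and reports which side refused PAP. The sample lines are excerpted from the debug output posted above; the function names are hypothetical, and reading a CONFREJ of the PAP option as "that router has no `ppp pap sent-username`" is an assumption based on the fix reported in this thread.

```python
import re

# LCP Authentication-Protocol values (option type 3): 0xC023 = PAP, 0xC223 = CHAP.
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}
HEADER = re.compile(r"LCP: ([IO]) (CONF\w+) \[\w+\] id (\d+)")
OPTION = re.compile(r"\(0x([0-9A-Fa-f]+)\)")

# Lines excerpted from the debug output posted in the thread.
SAMPLE = """\
00:55:38: Se0/0 LCP: I CONFREQ [Listen] id 170 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [Listen] id 170 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 59 len 9
00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 64 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
"""

def decode_option(hex_str):
    """Decode one LCP option: type byte, length byte, then data (RFC 1661)."""
    raw = bytes.fromhex(hex_str)
    opt_type, length, data = raw[0], raw[1], raw[2:]
    if length != len(raw):
        raise ValueError(f"length byte {length} != {len(raw)} bytes present")
    if opt_type == 3:  # Authentication-Protocol
        proto = int.from_bytes(data[:2], "big")
        return ("auth", AUTH_PROTOCOLS.get(proto, hex(proto)))
    if opt_type == 5:  # Magic-Number
        return ("magic", data.hex())
    return ("other", opt_type)

def parse_debug(text):
    """Return (direction, code, id, [decoded options]) for each LCP packet."""
    packets = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            packets.append((m.group(1), m.group(2), int(m.group(3)), []))
            continue
        m = OPTION.search(line)
        if m and packets:
            packets[-1][3].append(decode_option(m.group(1)))
    return packets

def diagnose(packets):
    """O = sent by this router, I = received from the peer."""
    findings = set()
    for direction, code, _id, options in packets:
        for kind, value in options:
            if kind == "auth" and code == "CONFREJ":
                side = "local" if direction == "O" else "peer"
                findings.add(f"{side} router refuses to authenticate itself with {value}")
            elif kind == "auth" and code == "CONFNAK" and direction == "I":
                findings.add(f"peer offers {value} instead")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(diagnose(parse_debug(SAMPLE))))
```

Both refusal findings appearing together matches the posted situation: each router demands PAP from the other, and neither is willing to send PAP credentials.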
  • r_durant Member Posts: 486
    Well, that's understood now...but my thing is, the texts don't mention this!! So i was following what the texts have, and that's just to set the remote router's username (hostname) and password in global config and the only other configs were on the serial interface...

    The CHAP config worked fine, as stated in the texts, but the PAP was way off...

    Has anyone else experienced this? or just me?
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • Cessation Member Posts: 326
    This is great information!
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • jezg76 Member Posts: 97
    Quick question on that command. I've been using dynamips with 2 7200 IOS's configured on each "router". When I do the "ppp authentication pap" on both routers, the link comes up with no "ppp pap sent-username" needed for the link to come up. Is that due to the specific IOS?

    Thanks in advance. :)

    NM....I may have been born with a bit of retardation....

    I broke it then fixed it the way you smart guys said. I had to shutdown the interface and bring it back up after I removed the previous PAP settings. I still am not 100% sure which commands need you to "shutdown-no shutdown" after making changes....
    policy-map type inspect TACO
    class type inspect BELL
    drop log
  • r_durant Member Posts: 486
    jezg76 wrote:
    Quick question on that command. I've been using dynamips with 2 7200 IOS's configured on each "router". When I do the "ppp authentication pap" on both routers, the link comes up with no "ppp pap sent-username" needed for the link to come up.

    This is how I originally thought it would work, but it didn't work with the two 2600 series I had...one is 2610 and the other is a 2620...I think they have on IOS 12.0(7)...not sure, would have to verify tomorrow when i get back to work...

    Maybe you're right...someone could confirm your question...

    In the second part of your post, are you asking what are the commands to shutdown and then enable an interface? If so, then "shutdown" and "no shutdown" should do the trick...
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!