PPP Authentication CHAP
control
Member Posts: 309
in CCNA & CCENT
I set up a link between 2 routers using PPP (CHAP Authentication).
All worked great and authenticated with each other, could ping each side. I decided to then remove the username from one of the routers expecting the link to drop - but it hasn't. Just stays up, even though in reality I have removed one of the usernames used to authenticate. This seems to say that once the line is authenticated once, it doesn't keep checking the credentials are still valid every so often, unless of course I reboot one of the routers.
Is this normal behaviour? At the moment I have my P2P link working when I have actually removed some of the authentication parameters.
Comments
-
JeanM Member Posts: 1,117
I just did this in PT while running continuous ping, once the password is changed via #username router1 password Password and then SHUT the interface up and re-enabled it, the link wouldn't reconnect. Now after I changed the password back to match the other router interface the link then came back up.
2015 goals - ccna voice / vmware vcp.
-
Musixa Member Posts: 10 ■□□□□□□□□□
Hi control. I also questioned this to myself about why they still authenticate even if one router's remote username has been removed.
My answer to this question goes like this:
When establishing a PPP session, the authentication protocol takes place before the network layer protocol phase is entered. So whenever a PPP link is created between two routers, they authenticate first to negotiate, and then they acknowledge each other's authentication then the link goes up. The point is, routers need only to authenticate once to bring the link up. It's like showing a security guard your ID when you enter a building of your company, or maybe a school. Then when you go in, you can remove your ID and walk around inside. (Disregard the policy of "Wear your ID all the time.") XD
I'm not 100% sure about my answer, but to my understanding about the authentication, this is the best answer I could give. If you're still wondering and having doubts, just ask and I'll try to answer. I hope this helps.
-
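Added example (not part of any post in this thread): a small Python model of the CHAP challenge/response from RFC 1994, showing that the authenticator consults its username database only when it verifies a Response, so deleting the entry afterwards does not touch a link that is already up. The `Authenticator` class, the `respond` and `demo` helpers, and the router names and password are constructed for illustration; this is not IOS or Packet Tracer code.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE = 1, 2  # CHAP packet codes (RFC 1994)

def chap_packet(code, ident, value, name):
    # Layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    vsize = pkt[4]
    if 5 + vsize > length:
        raise ValueError("value overruns packet")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]

def chap_hash(ident, secret, challenge):
    # RFC 1994: MD5 over Identifier || secret || Challenge value
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:  # hypothetical model of the challenging router
    def __init__(self, hostname, users):
        self.hostname, self.users = hostname, users  # users: name -> secret
        self.ident, self.link_up = 0, False

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        self.pending = os.urandom(16)  # fresh random value per challenge
        return chap_packet(CHALLENGE, self.ident, self.pending, self.hostname)

    def verify(self, pkt):
        code, ident, value, name = parse_chap(pkt)
        secret = self.users.get(name)  # database is read only at this moment
        ok = (code == RESPONSE and ident == self.ident and secret is not None
              and hmac.compare_digest(value, chap_hash(ident, secret, self.pending)))
        self.link_up = ok
        return ok

def respond(pkt, my_name, secret):
    _, ident, challenge, _ = parse_chap(pkt)
    return chap_packet(RESPONSE, ident, chap_hash(ident, secret, challenge), my_name)

def demo():
    r1 = Authenticator(b"router1", {b"router2": b"Password"})  # constructed lab values
    first = r1.verify(respond(r1.challenge(), b"router2", b"Password"))
    del r1.users[b"router2"]   # comparable to removing the username line
    still_up = r1.link_up      # nothing has re-checked the database
    after_flap = r1.verify(respond(r1.challenge(), b"router2", b"Password"))
    return first, still_up, after_flap
```

RFC 1994 allows the authenticator to send a new Challenge at any time after the link is established; in this model that is simply another `challenge()` / `verify()` round, which fails once the entry is gone.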
oli356 Member Posts: 364
I haven't tried this but Musixa's explanation is what I thought of as well, it makes sense. If that's why though is a different question altogether
Lab:
Combination of GNS3 and Cisco equipment if required.
-
control Member Posts: 309
Nice explanation, and would explain the behaviour I experienced. Once I'm home tonight I'll lab it up again and try changing the password this time instead of the username, see if this makes any difference.
BTW - Is CHAP / PAP actually used out in the field between P2P links, anyone deal with this stuff in real life?
-
Musixa Member Posts: 10 ■□□□□□□□□□
> I haven't tried this but Musixa's explanation is what I thought of as well, it makes sense. If that's why though is a different question altogether
Cheers!
> Nice explanation, and would explain the behaviour I experienced. Once I'm home tonight I'll lab it up again and try changing the password this time instead of the username, see if this makes any difference.
Thanks! Well, I supposed it would end up the same as your question earlier since it's under authentication. But still try it and tell us what the result is.
> BTW - Is CHAP / PAP actually used out in the field between P2P links, anyone deal with this stuff in real life?
This I do not know. Haha. I'm still a fresh graduate that is hunting for jobs. I'm looking forward to encountering this kind of stuff at work. Good luck on our career!