PPP Authentication CHAP

control

I setup a link between 2 routers using PPP (CHAP Authentication).

All worked great and authenticated with each other, could ping each side. I decided to then remove the username from one of the routers expecting the link to drop - but it hasn't. Just stays up, even though in reality I have removed one of the usernames used to authenticate. This seems to say that one the line is authenticated once, it doesn't keep checking the credentials are still valid every so often, unless of course I reboot one of the routers.

Is this normal behaviour? At the moment I have my P2P link working when I have actually removed some of the authentication parameters.

JeanM

control wrote: »

I setup a link between 2 routers using PPP (CHAP Authentication).

All worked great and authenticated with each other, could ping each side. I decided to then remove the username from one of the routers expecting the link to drop - but it hasn't. Just stays up, even though in reality I have removed one of the usernames used to authenticate. This seems to say that one the line is authenticated once, it doesn't keep checking the credentials are still valid every so often, unless of course I reboot one of the routers.

Is this normal behaviour? At the moment I have my P2P link working when I have actually removed some of the authentication parameters.

I just did this in PT while running continuous ping, once the password is changed via #username router1 password Password and then SHUT the interface up and re-enabled it the link wouldn't re-connected. Now after I changed the password back to match the other router interface the link then came back up.

Musixa

control wrote: »

I setup a link between 2 routers using PPP (CHAP Authentication).

All worked great and authenticated with each other, could ping each side. I decided to then remove the username from one of the routers expecting the link to drop - but it hasn't. Just stays up, even though in reality I have removed one of the usernames used to authenticate. This seems to say that one the line is authenticated once, it doesn't keep checking the credentials are still valid every so often, unless of course I reboot one of the routers.

Is this normal behaviour? At the moment I have my P2P link working when I have actually removed some of the authentication parameters.

Hi control. I also questioned this to myself about why they still authenticate even if one router's remote username has been removed.

My answer to this question goes like this:
When establishing a PPP session, the authentication protocol takes place before the network layer protocol phase is entered. So whenever a PPP link is created between two routers, they authenticate first to negotiate, and then they acknowledge each other's authentication then the link goes up. The point is, routers need only to authenticate once to bring the link up. It's like showing a security guard your ID when you enter a building of your company, or maybe a school. Then when you go in, you can remove your ID and walk around inside. (Disregard the policy of "Wear your ID all the time.") XD

I'm not 100% sure about my answer, but to my understanding about the authentication, this is the best answer I could give. If you're still wondering and having doubts, just ask and I'll try to answer. I hope this helps.

oli356

I haven't tried this but Musixa's explanation is what I thought of as well, it makes sense. If that's why though is a different question all together

control

Musixa wrote: »

Hi control. I also questioned this to myself about why they still authenticate even if one router's remote username has been removed.

My answer to this question goes like this:
When establishing a PPP session, the authentication protocol takes place before the network layer protocol phase is entered. So whenever a PPP link is created between two routers, they authenticate first to negotiate, and then they acknowledge each other's authentication then the link goes up. The point is, routers need only to authenticate once to bring the link up. It's like showing a security guard your ID when you enter a building of your company, or maybe a school. Then when you go in, you can remove your ID and walk around inside. (Disregard the policy of "Wear your ID all the time.") XD

I'm not 100% sure about my answer, but to my understanding about the authentication, this is the best answer I could give. If you're still wondering and having doubts, just ask and I'll try to answer. I hope this helps.

Nice explanation, and would explain the behaviour I experienced. Once I'm home tonight I'll lab it up again and try changing the password this time instead of the username, see if this makes any difference.

BTW - Is CHAP / PAP actually used out in the field between P2P links, anyone deal with this stuff in real life?

Musixa

oli356 wrote: »

I haven't tried this but Musixa's explanation is what I thought of as well, it makes sense. If that's why though is a different question all together

Cheers!

control wrote: »

Nice explanation, and would explain the behaviour I experienced. Once I'm home tonight I'll lab it up again and try changing the password this time instead of the username, see if this makes any difference.

BTW - Is CHAP / PAP actually used out in the field between P2P links, anyone deal with this stuff in real life?

Nice explanation, and would explain the behaviour I experienced. Once I'm home tonight I'll lab it up again and try changing the password this time instead of the username, see if this makes any difference.

Thanks! Well, I supposed it would end up the same as your question earlier since it's under authentication. But still try it and tell us what the result is.

BTW - Is CHAP / PAP actually used out in the field between P2P links, anyone deal with this stuff in real life?

This I do not know. Haha. I'm still a fresh graduate that is hunting for jobs. I'm looking forward to encounter this kind of stuffs at work. Goodluck on our career!