PPP Authentication Problem (Chap)

[sk391]

Hello All,
I have got two 2503 router which are connected through serial int 1. I have then connected with ppp encap and all seems to be well, until I try to add chap authen

This is what i am doing....

config t
username test password test1
end
wr

then...

config t
int serial 1
ppp authen chap

then I go to the other router and carry out the same commands... When I carry a dubug ppp authen.. I get the following

01:47:35: %LINK-3-UPDOWN: Interface Serial1, changed state to down
01:47:52: %LINK-3-UPDOWN: Interface Serial1, changed state to up
01:47:52: Se1 PPP: Using default call direction
01:47:52: Se1 PPP: Treating connection as a dedicated line
01:47:52: Se1 PPP: Session handle[7E000063] Session id[151]
01:47:52: Se1 PPP: Authorization required
01:47:52: Se1 CHAP: O CHALLENGE id 149 len 28 from "RouterB"
01:47:52: Se1 CHAP: I CHALLENGE id 90 len 28 from "RouterA"
01:47:52: Se1 CHAP: Unable to authenticate for peer
01:47:54: Se1 PPP: Using default call direction
01:47:54: Se1 PPP: Treating connection as a dedicated line
01:47:54: Se1 PPP: Session handle[F6000064] Session id[151]
01:47:54: Se1 PPP: Authorization required
01:47:54: Se1 CHAP: O CHALLENGE id 150 len 28 from "RouterB"
01:47:54: Se1 CHAP: I CHALLENGE id 91 len 28 from "RouterA"
01:47:54: Se1 CHAP: Unable to authenticate for peer
01:47:56: Se1 PPP: Using default call direction
01:47:56: Se1 PPP: Treating connection as a dedicated line
01:47:56: Se1 PPP: Session handle[35000065] Session id[152]
01:47:56: Se1 PPP: Authorization required
01:47:56: Se1 CHAP: O CHALLENGE id 151 len 28 from "RouterB"
01:47:56: Se1 CHAP: I CHALLENGE id 92 len 28 from "RouterA"
01:47:56: Se1 CHAP: Unable to authenticate for peer
01:47:58: Se1 PPP: Authorization required
01:47:59: Se1 CHAP: O CHALLENGE id 152 len 28 from "RouterB"
01:47:59: Se1 CHAP: I CHALLENGE id 93 len 28 from "RouterA"
01:47:59: Se1 CHAP: Unable to authenticate for peer
01:48:01: Se1 PPP: Authorization required
01:48:01: Se1 CHAP: O CHALLENGE id 153 len 28 from "RouterB"
01:48:01: Se1 CHAP: I CHALLENGE id 94 len 28 from "RouterA"
01:48:05: Se1 PPP: Authorization required
01:48:05: Se1 CHAP: O CHALLENGE id 154 len 28 from "RouterB"
01:48:05: Se1 CHAP: I CHALLENGE id 95 len 28 from "RouterA"
01:48:05: Se1 CHAP: Unable to authenticate for peer
01:48:07: Se1 PPP: Authorization required
01:48:07: Se1 CHAP: O CHALLENGE id 155 len 28 from "RouterB"
01:48:07: Se1 CHAP: I CHALLENGE id 96 len 28 from "RouterA"
01:48:11: Se1 PPP: Authorization required
01:48:11: Se1 CHAP: O CHALLENGE id 156 len 28 from "RouterB"
01:48:11: Se1 CHAP: I CHALLENGE id 97 len 28 from "RouterA"
01:48:11: Se1 CHAP: Unable to authenticate for peer
01:48:13: Se1 PPP: Authorization required
01:48:13: Se1 CHAP: O CHALLENGE id 157 len 28 from "RouterB"
01:48:13: Se1 CHAP: I CHALLENGE id 98 len 28 from "RouterA"
01:48:17: Se1 PPP: Authorization required
01:48:17: Se1 CHAP: O CHALLENGE id 158 len 28 from "RouterB"
01:48:17: Se1 CHAP: I CHALLENGE id 99 len 28 from "RouterA"
01:48:17: Se1 CHAP: Unable to authenticate for peer
01:48:19: Se1 PPP: Authorization required
01:48:19: Se1 CHAP: O CHALLENGE id 159 len 28 from "RouterB"
01:48:19: Se1 CHAP: I CHALLENGE id 100 len 28 from "RouterA"
01:48:23: Se1 PPP: Authorization required
01:48:23: Se1 CHAP: O CHALLENGE id 160 len 28 from "RouterB"
01:48:23: Se1 CHAP: I CHALLENGE id 101 len 28 from "RouterA"
01:48:23: Se1 CHAP: Unable to authenticate for peer
01:48:25: Se1 PPP: Authorization required
01:48:27: Se1 CHAP: O CHALLENGE id 161 len 28 from "RouterB"
01:48:27: Se1 CHAP: I CHALLENGE id 102 len 28 from "RouterA"
01:48:27: Se1 CHAP: Unable to authenticate for peer
01:48:29: Se1 PPP: Authorization required
01:48:31: Se1 CHAP: O CHALLENGE id 162 len 28 from "RouterB"
01:48:31: Se1 CHAP: I CHALLENGE id 103 len 28 from "RouterA"
01:48:31: Se1 CHAP: Unable to authenticate for peer
01:48:33: Se1 PPP: Using default call direction
01:48:33: Se1 PPP: Treating connection as a dedicated line
01:48:33: Se1 PPP: Session handle[6A000071] Session id[164]
01:48:33: Se1 PPP: Authorization required
01:48:33: Se1 CHAP: O CHALLENGE id 163 len 28 from "RouterB"
01:48:33: Se1 CHAP: I CHALLENGE id 104 len 28 from "RouterA"
01:48:33: Se1 CHAP: Unable to authenticate for peer
01:48:35: Se1 PPP: Authorization required
01:48:35: Se1 CHAP: O CHALLENGE id 164 len 28 from "RouterB"
01:48:35: Se1 CHAP: I CHALLENGE id 105 len 28 from "RouterA"
01:48:35: Se1 CHAP: Unable to authenticate for peer
01:48:37: Se1 PPP: Authorization required
01:48:37: Se1 CHAP: O CHALLENGE id 165 len 28 from "RouterB"
01:48:37: Se1 CHAP: I CHALLENGE id 106 len 28 from "RouterA"
01:48:39: Se1 PPP: Authorization required
01:48:39: Se1 CHAP: O CHALLENGE id 166 len 28 from "RouterB"
01:48:39: Se1 CHAP: I CHALLENGE id 107 len 28 from "RouterA"
01:48:39: Se1 CHAP: Unable to authenticate for peer
01:48:41: Se1 PPP: Authorization required
01:48:41: Se1 CHAP: O CHALLENGE id 167 len 28 from "RouterB"
01:48:41: Se1 CHAP: I CHALLENGE id 108 len 28 from "RouterA"
01:48:41: Se1 CHAP: Unable to authenticate for peer
01:48:43: Se1 PPP: Authorization required
01:48:45: Se1 CHAP: O CHALLENGE id 168 len 28 from "RouterB"
01:48:45: Se1 CHAP: I CHALLENGE id 109 len 28 from "RouterA"
01:48:45: Se1 CHAP: Unable to authenticate for peer
01:48:47: Se1 PPP: Authorization required
01:48:50: Se1 CHAP: O CHALLENGE id 169 len 28 from "RouterB"
01:48:50: Se1 CHAP: I CHALLENGE id 110 len 28 from "RouterA"
01:48:50: Se1 CHAP: Unable to authenticate for peer
01:48:52: Se1 PPP: Authorization required
01:48:54: Se1 CHAP: O CHALLENGE id 170 len 28 from "RouterB"
01:48:54: Se1 CHAP: I CHALLENGE id 111 len 28 from "RouterA"
01:48:54: Se1 CHAP: Unable to authenticate for peer
01:48:56: Se1 PPP: Using default call direction
01:48:56: Se1 PPP: Treating connection as a dedicated line
01:48:56: Se1 PPP: Session handle[A4000079] Session id[172]
01:48:56: Se1 PPP: Authorization required
01:48:56: Se1 CHAP: O CHALLENGE id 171 len 28 from "RouterB"
01:48:56: Se1 CHAP: I CHALLENGE id 112 len 28 from "RouterA"
01:48:56: Se1 CHAP: Unable to authenticate for peer

This output only reads out for a minute and then stops, do debug only debug for 1 min??
The oonly way I can get it to print out the debug info again is to do a shut - no shut on the interface.

Any ideas???

 

[jneiberger]

It doesn't work the way you think it does. Read this link for more details:

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

Basically, on RouterA you need the following:

username RouterB password blah

And on RouterB you need:

username RouterA password blah

When the link begins to come up, the router sees who the neighbor is and sends the appropriate password.

 

[burtsbees]

Yes---for CHAP to work, you need usernames and passwords for the routers to negotiate the link.
Is this a lab?

Burt

 

[sk391]

Hi guy..
Yep its in a lab.. Iv been told to never run debugs on a live network!!

I'll give it a go now!!

 

[sk391]

Hi guys, errrm I'm still having problems...

I still I understand what you are saying and I have done the following on the routers

RouterA:

username RouterB password 0 test


interface Serial1
ip address 172.12.13.1 255.255.255.0
encapsulation ppp
clock rate 56000
ppp authentication chap


Serial1 is up, line protocol is down
Hardware is HD64570
Internet address is 172.12.13.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
Last input 00:36:24, output 00:36:24, output hang never
Last clearing of "show interface" counters 03:04:22
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1696 packets input, 43372 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
11 input errors, 6 CRC, 0 frame, 0 overrun, 0 ignored, 2 abort
1755 packets output, 41701 bytes, 0 underruns
0 output errors, 0 collisions, 608 interface resets
0 output buffer failures, 0 output buffers swapped out


RouterB:

username RouterA password 0 test

interface Serial1
ip address 172.12.13.3 255.255.255.0
encapsulation ppp
ppp authentication chap


RouterB#show int serial 1
Serial1 is up, line protocol is down
Hardware is HD64570
Internet address is 172.12.13.3/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
Last input 00:33:17, output 00:33:17, output hang never
Last clearing of "show interface" counters 02:53:24
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1630 packets input, 39921 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1656 packets output, 42153 bytes, 0 underruns
0 output errors, 0 collisions, 575 interface resets
0 output buffer failures, 0 output buffers swapped out

The interface is down and the debug doesnt print anything..?

 

[jneiberger]

Turn on "debug ppp neg", as well, then bounce the interfaces.

 

[sk391]

Thanks - Its up and working now. I got the following from debug. Any idea why I needed to bounce it...?


03:36:48: Se1 PPP: Outbound cdp packet dropped
03:36:48: Se1 PPP: Outbound cdp packet dropped
03:36:48: Se1 PPP: Outbound cdp packet droppedr
03:36:49: %SYS-5-CONFIG_I: Configured from console by console
03:36:50: %LINK-3-UPDOWN: Interface Serial1, changed state to up
03:36:50: Se1 PPP: Using default call direction
03:36:50: Se1 PPP: Treating connection as a dedicated line
03:36:50: Se1 PPP: Session handle[3B000104] Session id[283]
03:36:50: Se1 PPP: Phase is ESTABLISHING, Active Open
03:36:50: Se1 LCP: O CONFREQ [Closed] id 224 len 15
03:36:50: Se1 LCP: AuthProto CHAP (0x0305C22305)
03:36:50: Se1 LCP: MagicNumber 0x315B6FA2 (0x0506315B6FA2)
03:36:50: Se1 LCP: I CONFREQ [REQsent] id 87 len 15
03:36:50: Se1 LCP: AuthProto CHAP (0x0305C22305)
03:36:50: Se1 LCP: MagicNumber 0x11420B7E (0x050611420B7E)
03:36:50: Se1 LCP: O CONFACK [REQsent] id 87 len 15
03:36:50: Se1 LCP: AuthProto CHAP (0x0305C22305)
03:36:50: Se1 LCP: MagicNumber 0x11420B7E (0x050611420B7E)
03:36:50: Se1 LCP: I CONFACK [ACKsent] id 224 len 15
03:36:50: Se1 LCP: AuthProto CHAP (0x0305C22305)
03:36:50: Se1 LCP: MagicNmber 0x315B6FA2 (0x0506315B6FA2)
03:36:50: Se1 LCP: State is Open
03:36:50: Se1 PPP: Phase is AUTHENTICATING, by both
03:36:50: Se1 CHAP: O CHALLENGE id 214 len 28 from "RouterA"
03:36:50: Se1 CHAP: I CHALLENGE id 239 len 28 from "RouterB"
03:36:50: Se1 CHAP: Using hostname from unknown source
03:36:50: Se1 CHAP: Using password from AAA
03:36:50: Se1 CHAP: O RESPONSE id 239 len 28 from "RouterA"
03:36:51: Se1 CHAP: I RESPONSE id 214 len 28 from "RouterB"
03:36:51: Se1 PPP: Phase is FORWARDING, Attempting Forward
03:36:51: Se1 PPP: Phase is AUTHENTICATING, Unauthenticated User
03:36:51: Se1 PPP: Phase is FORWARDING, Attempting Forward
03:36:51: Se1 PPP: Phase is AUTHENTICATING, Authenticated User
03:36:51: Se1 CHAP: O SUCCESS id 214 len 4
03:36:51: Se1 CHAP: I SUCCESS id 239 len 4
03:36:51: Se1 PPP: Phase is UP
03:36:51: Se1 IPCP: O CONFREQ [Closed] id 1 len 10
03:36:51: Se1 IPCP: Address 172.12.13.1 (0x0306AC0C0D01)
03:36:51: Se1 PPP: Process pending ncp packets
03:36:51: Se1 IPCP: I CONFREQ [REQsent] id 1 len 10
03:36:51: Se1 IPCP: Address 172.12.13.3 (0x0306AC0C0D03)
03:36:51: Se1 AAA/AUTHOR/IPCP: Start. Her address 172.12.13.3, we want 0.0.0.0
03:36:51: Se1 CDPCP: I CONFREQ [Closed] id 1 len 4
03:36:51: Se1 AAA/AUTHOR/IPCP: Reject 172.12.13.3, using 0.0.0.0
03:36:51: Se1 AAA/AUTHOR/IPCP: Done. Her address 172.12.13.3, we want 0.0.0.0
03:36:51: Se1 IPCP: O CONFACK [REQsent] id 1 len 10
03:36:51: Se1 IPCP: Address 172.12.13.3 (0x0306AC0C0D03)
03:36:51: Se1 IPCP: I CONFACK [ACKsent] id 1 len 10
03:36:51: Se1 IPCP: Address 172.12.13.1 (0x0306AC0C0D01)
03:36:51: Se1 IPCP: State is Open
03:36:51: Se1 CDPCP: O CONFREQ [Closed] id 1 len 4
03:36:51: Se1 IPCP: Install route to 172.12.13.3
03:36:51: Se1 IPCP: Add link info for cef entry 172.12.13.3
03:36:51: Se1 CDPCP: I CONFACK [REQsent] id 1 len 4
03:36:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
03:36:53: Se1 CDPCP: I CONFREQ [ACKrcvd] id 2 len 4
03:36:53: Se1 CDPCP: O CONFACK [ACKrcvd] id 2 len 4
03:36:53: Se1 CDPCP: State is Open
% No connections open

 

[jneiberger]

Probably because some authentication parameters changed while the link was up and you needed to restart the PPP link negotiation process.

I'm glad you got it working!

 

[sk391]

Thanks for your time.