Network Bulls
www.networkbulls.com
After you configure your serial interface to support PPP encapsulation, you can configure
authentication using PPP between routers. First, you need to set the hostname of the router,
if it’s not already set. Then you set the username and password for the remote router that will
be connecting to your router:
Here’s an example:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA
RouterA(config)#username RouterB password cisco
When using the username command, remember that the username is the hostname of the
remote router that’s connecting to your router. And it’s case sensitive, too. Also, the password on
both routers must be the same. It’s a plain-text password that you can see with a show run command;
you can encrypt the password by using the command service password-encryption. Keep in mind
that this command applies Cisco’s reversible type 7 encoding, so it only hides the password
from casual viewing of the configuration.
You must have a username and password configured for each remote system you plan to connect
to. The remote routers must also be configured with usernames and passwords.
Now, after you’ve set the hostname, usernames, and passwords, choose the authentication
type, either CHAP or PAP (discussed in detail in the CCNA Study Guide):
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap pap
RouterA(config-if)#^Z
RouterA#
If both methods are configured on the same line, as shown here, then only the first method will
be used during link negotiation—the second acts as a backup just in case the first method fails.
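The rules above (the username must equal the peer's hostname exactly, the password must be identical on both sides, and a second method is a fallback) can be checked before the link is brought up. The following is an added example, not part of the original text: the sample configurations are constructed in the style of the RouterA/RouterB listing, the function names are hypothetical, and passwords are assumed to be stored in plain text as in the page's listings.

```python
import re

# Constructed configs in the style of the page's RouterA/RouterB example.
# Assumption: passwords are stored in plain text, as in the page's listings.
ROUTER_A = """hostname RouterA
username RouterB password Cisco
interface serial 0
 encapsulation ppp
 ppp authentication chap pap
"""
ROUTER_B = """hostname RouterB
username RouterA password cisco
interface serial 0
 encapsulation ppp
 ppp authentication chap
"""

def parse(cfg):
    """Extract hostname, username->password map and PPP auth methods."""
    host = re.search(r"^hostname (\S+)", cfg, re.M).group(1)
    users = dict(re.findall(r"^username (\S+) password (\S+)", cfg, re.M))
    lines = re.findall(r"^[ \t]*ppp authentication (.+)$", cfg, re.M)
    return host, users, [m for line in lines for m in line.split()]

def audit(local_cfg, remote_cfg):
    """Check the local router's PPP authentication settings against its peer."""
    local, l_users, methods = parse(local_cfg)
    remote, r_users, _ = parse(remote_cfg)
    findings = []
    if remote not in l_users:  # usernames must match the peer hostname exactly
        near = [u for u in l_users if u.lower() == remote.lower()]
        hint = f" (found '{near[0]}', case differs)" if near else ""
        findings.append(f"{local}: no username entry for peer '{remote}'{hint}")
    elif local in r_users and l_users[remote] != r_users[local]:
        findings.append(f"{local}: password for '{remote}' does not match "
                        f"the password {remote} holds for '{local}'")
    if "pap" in methods:  # PAP sends the password across the link in clear text
        findings.append(f"{local}: PAP is allowed as a fallback to CHAP")
    return findings

if __name__ == "__main__":
    for a, b in ((ROUTER_A, ROUTER_B), (ROUTER_B, ROUTER_A)):
        print(audit(a, b) or "no findings")
```

Run against the two constructed configurations, it reports the capitalised password from both sides and the PAP fallback on RouterA.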
Verifying PPP Encapsulation
Okay—now that PPP encapsulation is enabled, let me show you how to verify that it’s up and
running. First, let’s take a look at a figure of a sample network. Figure 8.8 shows two routers
connected with either a point-to-point serial or ISDN connection.
FIGURE 8.8 PPP authentication example

Pod1R1 ---- PSTN/ISDN ---- Pod1R2

hostname Pod1R1
username Pod1R2 password cisco
interface serial 0
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
ip address 10.0.1.2 255.255.255.0
encapsulation ppp
ppp authentication chap

You can start verifying the configuration with the show interface command:
Pod1R1#sh int s0/0
Serial0/0 is up, line protocol is up
Hardware is PowerQUICC Serial
Internet address is 10.0.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 239/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
[output cut]
Notice that the sixth line lists encapsulation as PPP and the eighth line shows that the LCP
is open. This means that it has negotiated the session establishment and all is good! The ninth
line tells us that NCP is listening for the protocols IP and CDP.
But what will you see if everything isn’t perfect? I’m going to type in the configuration
shown in Figure 8.9 and find out.

FIGURE 8.9 Failed PPP authentication

Pod1R1 ---- PSTN/ISDN ---- Pod1R2

hostname Pod1R1
username Pod1R2 password Cisco
interface serial 0
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

hostname Pod1R2
username Pod1R1 password cisco
interface serial 0
ip address 10.0.1.2 255.255.255.0
encapsulation ppp
ppp authentication chap

Okay—what’s wrong here? Take a look at the usernames and passwords. Do you see the problem
now? That’s right, the C is capitalized on the Pod1R2 username command found in the
configuration of router Pod1R1. This is wrong because the usernames and passwords are case sensitive,
remember? Let’s take a look at the show interface command and see what happens:
Pod1R1#sh int s0/0
Serial0/0 is up, line protocol is down
Hardware is PowerQUICC Serial
Internet address is 10.0.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 243/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
LCP Closed
Closed: IPCP, CDPCP
First, notice in the first line of output that Serial0/0 is up, line protocol is down.
This is because there are no keepalives coming from the remote router. Next, notice that the
LCP is closed because the authentication failed.
Debugging PPP Authentication
To display the CHAP authentication process as it occurs between two routers in the network,
just use the command debug ppp authentication.
If your PPP encapsulation and authentication are set up correctly on both routers, and your
usernames and passwords are all good, then the debug ppp authentication command will
display output that looks like this:
1d16h: Se0/0 PPP: Using default call direction
1d16h: Se0/0 PPP: Treating connection as a dedicated line
1d16h: Se0/0 CHAP: O CHALLENGE id 219 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I CHALLENGE id 208 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O RESPONSE id 208 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I RESPONSE id 219 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O SUCCESS id 219 len 4
1d16h: Se0/0 CHAP: I SUCCESS id 208 len 4
But if you have the username wrong, as we did previously in the PPP authentication failure
example back in Figure 8.9, the output would look something like this:
1d16h: Se0/0 PPP: Using default call direction
1d16h: Se0/0 PPP: Treating connection as a dedicated line
1d16h: %SYS-5-CONFIG_I: Configured from console by console
1d16h: Se0/0 CHAP: O CHALLENGE id 220 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I CHALLENGE id 209 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O RESPONSE id 209 len 27 from "Pod1R1"
1d16h: Se0/0 CHAP: I RESPONSE id 220 len 27 from "Pod1R2"
1d16h: Se0/0 CHAP: O FAILURE id 220 len 25 msg is "MD/DES compare failed"
PPP with CHAP authentication is a three-way authentication, and if the username and
passwords are not configured exactly the way they should be, then the authentication will fail
and the link will be down.
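Why a single capital letter produces the "MD/DES compare failed" message is easiest to see by running the three-way handshake by hand. The following is an added example, not part of the original text and not Cisco code: it models MD5 CHAP as defined in RFC 1994 using the hostnames and passwords from Figures 8.8 and 8.9, and the Router class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def chap_hash(ident, secret, challenge):
    """RFC 1994 MD5 CHAP value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:
    """Hypothetical model of one PPP endpoint (not Cisco code)."""
    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users  # 'username <peer> password <secret>' entries

    def respond(self, ident, challenge, challenger):
        """Step 2: hash the challenge with the secret stored for the challenger."""
        secret = self.users.get(challenger)  # exact, case-sensitive lookup
        return None if secret is None else chap_hash(ident, secret, challenge)

    def verify(self, ident, challenge, response, peer):
        """Step 3: recompute with our own copy of the secret and compare."""
        secret = self.users.get(peer)
        if secret is None or response is None:
            return "FAILURE"
        expected = chap_hash(ident, secret, challenge)
        return "SUCCESS" if hmac.compare_digest(expected, response) else "FAILURE"

def authenticate(authenticator, peer, ident):
    """One direction of the handshake: challenge, response, success/failure."""
    # Step 1: 16 random bytes; with a 6-character name this is consistent with
    # 'len 27' in the debug output (4-byte header + 1 size octet + 16 + 6).
    challenge = os.urandom(16)
    response = peer.respond(ident, challenge, authenticator.hostname)
    return authenticator.verify(ident, challenge, response, peer.hostname)

def link_state(r1, r2):
    """Both routers run 'ppp authentication chap', so both directions must pass."""
    results = (authenticate(r1, r2, 219), authenticate(r2, r1, 208))
    return "up" if results == ("SUCCESS", "SUCCESS") else "down"

# Configurations from Figure 8.8 (working) and Figure 8.9 (capital C on Pod1R1).
POD1R2 = Router("Pod1R2", {"Pod1R1": "cisco"})
POD1R1_OK = Router("Pod1R1", {"Pod1R2": "cisco"})
POD1R1_BAD = Router("Pod1R1", {"Pod1R2": "Cisco"})
```

Only the hash crosses the link, never the password itself, so each side can detect the mismatch only by comparing digests; that comparison is what fails in both directions with the Figure 8.9 configuration.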
Exam Objectives
Remember the PPP Data Link layer protocols. The three Data Link layer protocols are:
Network Control Protocol (NCP), which defines the Network layer protocols; Link Control
Protocol (LCP), a method of establishing, configuring, maintaining, and terminating the
point-to-point connection; and High-Level Data Link Control (HDLC), the MAC layer protocol
that encapsulates the packets.