Lab 9.

PPP Authentication
Using CHAP (Method #1)

Lab Objective:
The objective of this lab exercise is to configure two routers sharing
a back-to-back Serial link encapsulated by PPP to authenticate each
other using default CHAP parameters on Cisco IOS. By default, PPP
connections are not authenticated or secured.

Lab Purpose:
PPP CHAP authentication configuration is a fundamental skill. One
of the main reasons that PPP is so popular is because it has the
capability to be secured and devices communicating using PPP can
be authenticated. CHAP authentication is the most preferred method
to secure PPP as it does not send usernames and passwords in
clear text. As a Cisco engineer, as well as in the Cisco CCNA exam,
you will be expected to know how to configure PPP CHAP
authentication.

Lab Topology:
Please use the following topology to complete this lab exercise:

Task 1:
Configure hostnames on R1 and R2 as illustrated in the topology.
Task 2:
Enable Serial interfaces on R1 and R2. The Serial0/0 interface on
R2 is identified as the DCE in the topology. Use the appropriate
command to verify that this interface is indeed the DCE. Configure
the DCE interface on R2 to provide clocking to R1. The clock speed
should be 768 Kbps. Verify that R1 receives clocking information
from R2.

Task 3:
Enable PPP encapsulation on R1 and R2 Serial0/0 interfaces.
Configure IP addressing on R1 and R2 Serial0/0 interfaces as
illustrated in the topology.

Task 4:
Verify your interface encapsulation, which should now be PPP. Test
connectivity between R1 and R2 by pinging between the routers.

Task 5:
Configure the Serial0/0 interfaces of R1 and R2 for PPP
authentication via CHAP. Both R1 and R2 should authenticate using
their hostnames and the password CHAP.

Task 6:
Enable PPP authentication debugging on R2. Next, perform a
shutdown command, followed by a no shutdown command, on Serial0/0.
Verify that you see the two routers authenticating each other via PPP
CHAP. Disable debugging when you are done.
 Lab 9. Configuration and
Verification

Task 1:
For reference information on configuring hostnames, please refer to
earlier labs.

Task 2:
For reference information on configuring clock rates, please refer to
earlier labs.

Task 3:
For reference information on configuring PPP and IP addressing,
please refer to earlier labs.

Task 4:
For reference information on verifying Serial encapsulation, please
refer to earlier labs.

R1#ping 192.168.50.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Task 5:
R1#conf t
Enter configuration commands, one per line. End with CTRL/Z.
 R1(config)#username R2 password CHAP
R1(config)#int s0/0
R1(config-if)#ppp authentication chap
R1(config-if)#end
R1#

R2#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R2(config)#username R1 password CHAP
R2(config)#int s0/0
R2(config-if)#ppp authentication chap
R2(config-if)# ^Z
R2#

NOTE: By default, there is no need to configure a hostname to be

used for CHAP authentication on Cisco IOS routers as they will use
the hostname configured on the router. There is also no need to
define a password to be used for authentication since CHAP does
not send the passwords across the link like PAP does. Therefore, a
hash will be created using the configured passwords in the username
command. These passwords must be identical on both routers,
otherwise authentication will fail!

Task 6:
R1#debug ppp authentication
PPP authentication debugging is on
R1#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#interface serial0/0
R1(config-if)#shutdown
*Mar 1 03:04:40.496: %LINK-5-CHANGED: Interface Serial0/0, changed state
to administratively down
*Mar 1 03:04:41.497: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0, changed state to down
R1(config-if)#no shutdown
*Mar 1 03:04:48.292: %LINK-3-UPDOWN: Interface Serial0/0, changed state
to up
*Mar 1 03:04:48.292: Se0/0 PPP: Using default call direction
*Mar 1 03:04:48.292: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 03:04:48.292: Se0/0 PPP: Session handle[A3000003] Session id[5]
*Mar 1 03:04:48.292: Se0/0 PPP: Authorization required
*Mar 1 03:04:48.300: Se0/0 CHAP: O CHALLENGE id 1 len 23 from “R1”
*Mar 1 03:04:48.300: Se0/0 CHAP: I CHALLENGE id 1 len 23 from “R2”
*Mar 1 03:04:48.304: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 03:04:48.304: Se0/0 CHAP: Using password from AAA
*Mar 1 03:04:48.304: Se0/0 CHAP: O RESPONSE id 1 len 23 from “R1”
*Mar 1 03:04:48.308: Se0/0 CHAP: I RESPONSE id 1 len 23 from “R2”
*Mar 1 03:04:48.308: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 03:04:48.312: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 03:04:48.312: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 03:04:48.316: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 03:04:48.316: Se0/0 CHAP: I SUCCESS id 1 len 4
*Mar 1 03:04:48.316: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 03:04:48.320: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 03:04:48.320: Se0/0 CHAP: O SUCCESS id 1 len 4
*Mar 1 03:04:48.324: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 03:04:48.324: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 03:04:48.328: Se0/0 CDPCP: Received AAA AUTHOR Response
PASS
*Mar 1 03:04:49.322: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial0/0, changed state to up
R1(config-if)#end
*Mar 1 03:04:55.308: %SYS-5-CONFIG_I: Configured from console by
console
R1#undebug all
All possible debugging has been turned off