While I agree that EAP is the obvious and most secure choice, doesn't CHAP use MD5 for its hashing mechanism?

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

Then again it seems that CHAP requires a cleartext password that ends up getting rehashed on every challenge. So in that sense, I see your point.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Christophe Lemaire
Sent: Saturday, September 24, 2011 10:34 PM
To: marc abel
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] PPP authentication with radius

Hi Marc,

CHAP is not using md5 but a challenge/response mechanism. EAP is the only ppp authentication method available using md5... So I guess you didn't get the points here.

Regards,
Christophe

On 25 Sep 2011, at 03:27, marc abel wrote:

> I am working on Vol 3 lab 9 task 1.8 and have a general question:
>
> The task has us configure PPP multilink and then use authentication.
>
> "R6 should authenticate R9 using md5 authentication before allowing
> the connection to come online. In the future you want to use a central
> database for PPP authentication. Make sure the protocol you choose
> will support this future change."
>
> Now the solutions guide shows this using eap, but couldn't you do chap
> as well? It seems like chap will support radius. So what do you think,
> do I get the points?
>
>
> Here is my config.
>
> R6
> ______________________
>
> aaa new-model
> !
> !
> aaa authentication ppp PPPCHAP group radius local
> !
> !
> aaa session-id common
> !
> username R9 password 0 cisco
> !
> interface Multilink69
>  ip address 70.18.69.6 255.255.255.240
>  ppp authentication chap PPPCHAP
>  ppp multilink
>  ppp multilink links minimum 2 mandatory
>  ppp multilink group 69
> !
> interface Serial0/2/0
>  no ip address
>  encapsulation ppp
>  clock rate 2000000
>  ppp multilink
>  ppp multilink group 69
> !
> interface Serial0/2/1
>  no ip address
>  encapsulation ppp
>  clock rate 2000000
>  ppp multilink
>  ppp multilink group 69
> !
> radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key test
> !
>
>
>
> R9
> _______________________
>
> interface Multilink69
>  ip address 70.18.69.9 255.255.255.240
>  ppp chap hostname R9
>  ppp chap password 0 cisco
>  ppp multilink
>  ppp multilink links minimum 2 mandatory
>  ppp multilink group 69
> !
> interface Serial0/2/0
>  no ip address
>  encapsulation ppp
>  ppp multilink
>  ppp multilink group 69
> !
> interface Serial0/2/1
>  no ip address
>  encapsulation ppp
>  ppp multilink
>  ppp multilink group 69
> !
>
>
>
> Pod109-R6(config)#do who
>     Line       User       Host(s)              Idle       Location
> *  0 con 0                idle                 00:00:00
>
>   Interface    User       Mode         Idle     Peer Address
>   Se0/2/0      R9         Sync PPP     00:00:02
>   Se0/2/1      R9         Sync PPP     00:00:03
>   Mu69         R9         Sync PPP     00:00:03 70.18.69.9
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
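
Added example, not part of the thread and not Cisco's code: RFC 1994 defines the CHAP Response Value (algorithm 5, "CHAP with MD5") as MD5 over the Identifier octet, the shared secret and the Challenge, so whoever verifies it, the local router or a RADIUS back end, has to hold the secret in recoverable form. The function names and challenge bytes below are constructed for illustration; the secret is the lab password from the quoted config.

```python
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 sec. 4.1 Response Value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(identifier: int, challenge: bytes,
                         response: bytes, stored_secret: bytes) -> bool:
    """Recompute the hash from the locally stored secret and compare."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"cisco"  # 'username R9 password 0 cisco' in the quoted config
    # Constructed challenges; a real authenticator draws fresh random octets.
    chal_1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    chal_2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")

    resp_1 = chap_response(1, secret, chal_1)  # computed by the peer (R9)
    resp_2 = chap_response(2, secret, chal_2)

    return {
        "response_len": len(resp_1),
        # Authenticator holding the cleartext secret accepts the peer.
        "good_secret": authenticator_verify(1, chal_1, resp_1, secret),
        "wrong_secret": authenticator_verify(1, chal_1, resp_1, b"Cisco"),
        # A new challenge yields a new response, so an old one is rejected.
        "responses_differ": resp_1 != resp_2,
        "old_response_new_challenge":
            authenticator_verify(2, chal_2, resp_1, secret),
        # A store that kept only MD5(password) cannot redo the computation.
        "hash_only_store":
            authenticator_verify(1, chal_1, resp_1, hashlib.md5(secret).digest()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```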
