PPP over Ethernet with CHAP
- June 6, 2017
PPPoE with CHAP: encrypted authentication with challenge/response

【pppoe_client】
interface FastEthernet0/0
 no ip address
 speed auto
 duplex auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname test@cisco.com
 ppp chap password 0 CCIE
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

【pppoe_server】
aaa new-model
aaa session-id common
multilink bundle-name authenticated
vpdn enable
username test@cisco.com password 0 CCIE
bba-group pppoe global
 virtual-template 1
bba-group pppoe test
 virtual-template 1
interface Loopback0
 ip address 8.8.8.8 255.255.255.0
interface FastEthernet0/1
 no ip address
 speed auto
 duplex auto
 pppoe enable group test
interface Virtual-Template1
 ip address 200.200.200.50 255.255.255.0
 peer default ip address pool test1
 ppp authentication chap
ip local pool test1 200.200.200.200

Verify and Packet capture
pppoe_client(config)#int f0/0
pppoe_client(config-if)#shut
pppoe_client#debug ppp authentication
PPP authentication debugging is on
pppoe_client(config-if)#no shut

pppoe_client#
*Jun 6 11:21:13.651: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jun 6 11:21:14.139: %SYS-5-CONFIG_I: Configured from console by console
*Jun 6 11:21:14.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Jun 6 11:21:45.155: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Jun 6 11:21:45.175: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jun 6 11:21:45.251: Vi2 PPP: Using dialer call direction
*Jun 6 11:21:45.259: Vi2 PPP: Treating connection as a callout
*Jun 6 11:21:45.263: Vi2 PPP: Session handle[BC00000C] Session id[9]
*Jun 6 11:21:45.551: Vi2 PPP: No authorization without authentication
*Jun 6 11:21:45.555: Vi2 CHAP: I CHALLENGE id 1 len 33 from "pppoe_server"
*Jun 6 11:21:45.563: Vi2 PPP: Sent CHAP SENDAUTH Request
*Jun 6 11:21:45.579: Vi2 PPP: Received SENDAUTH Response FAIL
*Jun 6 11:21:45.583: Vi2 CHAP: Using hostname from interface CHAP
*Jun 6 11:21:45.583: Vi2 CHAP: Using password from interface CHAP
*Jun 6 11:21:45.587: Vi2 CHAP: O RESPONSE id 1 len 35 from "test@cisco.com"
*Jun 6 11:21:46.467: Vi2 CHAP: I SUCCESS id 1 len
*Jun 6 11:21:46.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

The PPPoE server sends a challenge code, which is a random character string, to the client.

The PPPoE client sends a password encrypted with the challenge code to the server, together with the user name.


CHAP encrypts and exchanges passwords.
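
As an added example (not code from the original post), this Python code walks through the challenge/response seen in the debug output. Per RFC 1994 the value the client returns is the MD5 hash of the identifier, the shared secret and the challenge, so the password itself is not sent; the 16-byte challenge size and all function names are assumptions, chosen to match the "len 33" and "len 35" debug lines.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2  # CHAP packet codes from RFC 1994

def build(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Value-Size(1) | Value | Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name

def parse(packet: bytes):
    """Return (code, identifier, value, name); reject inconsistent lengths."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length, vsize = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or vsize == 0 or 5 + vsize > length:
        raise ValueError("bad CHAP length fields")
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:]

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def client_respond(challenge_pkt: bytes, hostname: bytes, secret: bytes) -> bytes:
    code, ident, challenge, _server_name = parse(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a Challenge")
    return build(RESPONSE, ident, chap_hash(ident, secret, challenge), hostname)

def server_verify(response_pkt: bytes, ident: int, challenge: bytes, users: dict) -> bool:
    code, rid, digest, name = parse(response_pkt)
    if code != RESPONSE or rid != ident or name not in users:
        return False
    expected = chap_hash(ident, users[name], challenge)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def demo():
    users = {b"test@cisco.com": b"CCIE"}   # mirrors the server's "username" line
    challenge = os.urandom(16)             # constructed value, fresh per attempt
    chal_pkt = build(CHALLENGE, 1, challenge, b"pppoe_server")
    resp_pkt = client_respond(chal_pkt, b"test@cisco.com", b"CCIE")
    return len(chal_pkt), len(resp_pkt), server_verify(resp_pkt, 1, challenge, users)

if __name__ == "__main__":
    print(demo())  # (33, 35, True): same lengths as the debug lines
```
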
pppoe_client#show ppp all
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2          LCP+ IPCP+ CDPCP-     LocalT   200.200.200.50  pppoe_server

pppoe_client#show pppoe session
     1 client session

Uniq ID  PPPoE  RemMAC          Port       VT   VA      State
           SID  LocMAC                          VA-st   Type
    N/A      9  ca01.1b4c.0006  Fa0/0      Di1  Vi2     UP
                ca00.1dc0.0008                  UP

pppoe_client#show ip int bri
Interface          IP-Address       OK?  Method  Status  Protocol
FastEthernet0/0    unassigned       YES  NVRAM   up      up
(omit)
Dialer1            200.200.200.200  YES  IPCP    up      up
Virtual-Access1    unassigned       YES  unset   up      up
Virtual-Access2    unassigned       YES  unset   up      up

pppoe_client#show ip route
(omit)
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      200.200.200.0/32 is subnetted, 2 subnets
C        200.200.200.50 is directly connected, Dialer1
C        200.200.200.200 is directly connected, Dialer1

pppoe_client#ping 200.200.200.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/104/160 ms

pppoe_client#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/111/120 ms