Posts from ‘CCNA General’
The following question was recently sent to me regarding PPP and CHAP:
At the moment I only have packet tracer to practice on, and have been trying to setup CHAP over PPP.
It seems that the “PPP CHAP username xxxx” and “PPP CHAP password xxxx” commands are missing in packet tracer.
I have it set similar to this video… (you can skip the first 1 min 50 secs)
As he doesn’t use the missing commands, if that were to be done on live kit would it just use the hostname and magic number to create the hash?
Also, in bi-directional authentication, do both routers have to use the same password or can they be different as long as they match what they expect from the other router?
Here was my reply:
When using PPP CHAP keep in mind four fundamental things:
- The “magic number” that you see in PPP LCP messages has nothing to do with authentication or CHAP. It is simply PPP’s way of trying to verify that it has a bi-directional link with a peer. When sending a PPP LCP message a random Magic Number is generated. The idea is that you should NOT see your own Magic Number in LCP messages received from your PPP peer. If you DO see the same magic number that you transmitted, that means you are talking to yourself (your outgoing LCP CONFREQ message has been looped back to you). This might happen if the Telco that is providing your circuit is doing some testing or something and has temporarily looped-back your circuit.
- At least one of the devices will be initiating the CHAP challenge. In IOS this is enabled with the interface command, “ppp authentication chap”. Technically it only has to be configured on one device (usually the ISP router that wishes to “challenge” the incoming caller) but with CHAP you can configure it on both sides if you wish to have bi-directional CHAP challenges.
- Both routers need a CHAP password, and you have a couple of options on how to do this.
- The “hash” that is generated in an outgoing PPP CHAP Response is created as a combination of three variables, and without knowing all three values the Hash Response cannot be generated:
- A router’s Hostname
- The configured PPP CHAP password
- The PPP CHAP Challenge value
I do all of my lab testing on real hardware so I can’t speak to any “gotchas” that might be present in simulators like Packet Tracer. But what I can tell you is that on real routers the side that is receiving the CHAP challenge must be configured with an interface-level CHAP password.
The relevant configurations are below as an example.
ISP router that is initiating the CHAP Challenge for incoming callers:
username Customer password cisco
!
interface Serial1/3
 encapsulation ppp
 ppp authentication chap
 ip address x.x.x.x y.y.y.y
!
Customer router placing the outgoing PPP call to ISP:
hostname Customer
!
interface Serial1/3
 encapsulation ppp
 ppp chap password cisco
 ip address x.x.x.x y.y.y.y
!
If you have a situation where you expect that the Customer Router might be using this same interface to “call” multiple remote destinations, and use a different CHAP password for each remote location, then you could add the following:
Customer router placing the outgoing PPP call to ISP-1 (CHAP password = Bob) and ISP-2 (CHAP password = Sally):
hostname Customer
!
username ISP-1 password Bob
username ISP-2 password Sally
!
interface Serial1/3
 encapsulation ppp
 ppp chap password cisco
 ip address x.x.x.x y.y.y.y
!
Notice in the example above that the “username x password y” commands supersede the interface-level command, “ppp chap password x”. But please note that the customer (calling) router always needs the “ppp chap password” command configured at the interface level. A global “username x password y” in the customer router does not replace this command. In this situation, if the Customer router placed a call to ISP-3 (for which there IS no “username/password” statement) it would fall back to using the password configured at the interface level.
Next, the “username x password y” command needs to be viewed differently depending on whether it is configured on the router that is RESPONDING to a Challenge or on the router that is GENERATING the Challenge:
- When the command “username X password Y” is configured on the router that is responding to the CHAP Challenge (Customer router), the router’s local “hostname” and password in this command (along with the received Challenge) will be used in the Hash algorithm to generate the CHAP RESPONSE.
- When the command “username X password Y” is configured on the router that is generating the CHAP Challenge (ISP Router), once the ISP router receives the CHAP Authentication Response (which includes the hostname of the Customer/calling router) it will match that received Hostname to a corresponding “username X password Y” statement. If one is found that matches, then the ISP router will perform its own CHAP hash of the username, password, and Challenge that it previously created to see if its own, locally-generated result matches the result that was received in the CHAP Response.
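As an added illustration (not code from the original post), the following Python models the two bullets above together with the username/interface-password fallback described earlier, following RFC 1994: the Response value is MD5 over the packet Identifier, the secret and the Challenge, while the router’s hostname travels in the Name field so the peer can pick the matching secret. The router names, passwords and “username” tables are the ones from the configuration examples above; the Identifier and Challenge values are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed model of the CHAP exchange described above (RFC 1994), not the post's
# own code. Response Value = MD5(Identifier || secret || Challenge); the hostname
# rides in the Name field and tells the peer which secret to use.

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """16-byte CHAP Response value for one challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def select_secret(peer: str, usernames: Dict[str, str], if_password: Optional[str]) -> str:
    """Responding router: 'username <peer> password <pw>' wins, otherwise fall
    back to the interface-level 'ppp chap password'."""
    if peer in usernames:
        return usernames[peer]
    if if_password is None:
        raise ValueError("no CHAP secret configured for peer %r" % peer)
    return if_password

def respond(hostname: str, usernames: Dict[str, str], if_password: Optional[str],
            identifier: int, challenger: str, challenge: bytes) -> Tuple[str, bytes]:
    """Customer router: answer the Challenge, sending its own hostname as Name."""
    secret = select_secret(challenger, usernames, if_password)
    return hostname, chap_response(identifier, secret, challenge)

def verify(usernames: Dict[str, str], identifier: int, challenge: bytes,
           name: str, value: bytes) -> bool:
    """ISP router: look up the received Name, recompute the hash over the
    Challenge it issued, and compare in constant time."""
    secret = usernames.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), value)

def demo() -> Dict[str, bool]:
    """Customer calling ISP-1 (Bob), ISP-2 (Sally), ISP-3 (interface password
    'cisco'), and an ISP-3 whose username entry holds a secret Customer lacks."""
    customer_users = {"ISP-1": "Bob", "ISP-2": "Sally"}
    isp_users = {"ISP-1": {"Customer": "Bob"}, "ISP-2": {"Customer": "Sally"},
                 "ISP-3": {"Customer": "cisco"}, "ISP-3 (wrong secret)": {"Customer": "Alice"}}
    results = {}
    for isp, table in isp_users.items():
        ident, chal = 7, os.urandom(16)  # fresh random Challenge per call
        challenger = isp.split(" ")[0]   # Name carried in the ISP's Challenge
        name, value = respond("Customer", customer_users, "cisco", ident, challenger, chal)
        results[isp] = verify(table, ident, chal, name, value)
    return results
```

Running `demo()` shows the three matching cases authenticating and the mismatched ISP-3 entry failing, which is exactly the comparison the challenging router performs in the second bullet.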
Lastly, you asked, “Also, in bi-directional authentication, do both routers have to use the same password or can they be different as long as they match what they expect from the other router?”
Hopefully from my explanations above it is now clear that in the case of bi-directional authentication, the passwords do indeed have to be the same on both sides.
Hope that helps!
A while back, in May, we asked you all what you thought of adding closed captioning to all of our videos, and your response – both in comments and private emails – was overwhelmingly positive. This functionality would not only provide better assistance for those with difficulty hearing, but also give everyone the incredible ability to search anywhere within any video for a particular topic or keyword that had been spoken about in the audio track, and immediately jump to that timecode spot in the video. This would allow every single minute of every video we have to be searched and subsequently accessed within just a few moments vs. having to watch the entire video over and over each time you wished to return to a particular spot in it for some remedial learning.
Well, you needn’t wait much longer.
We’re pleased to announce that our recently announced, highly acclaimed CCIE Voice Advanced Technologies Class is available for both streaming and download from our global CDN. The Voice ATC consists of 60 videos totaling just shy of 60 hours of hands down the best CCIE Voice training on the market today. You can download it now for just $299 or as an All Access Pass subscriber you can download it for only $149. For All Access Pass subscribers the online streaming version is included free of charge.
Each of the 60 videos can be individually downloaded without the need to download the whole class. This will enable you to selectively load them onto any computer or mobile device and watch them at your leisure. Although we do not place any DRM on the files themselves we do limit each purchase to two downloads per video.
Watch in the upcoming month for completely redone courses covering the CCNA, CCNA Voice and CCNA Security courses as well as CCNP Voice and CCNP Security courses. All Access Pass subscribers will be able to stream them for free and download them for only $149. These all stream from CDN locations around the world, so latency in download and streaming alike is not an issue, no matter where in the world you access it from.
Thanks to Randy of our CCNA program for this suggestion. Randy wanted some guidance on how to solve the subnetting questions in ICND1 and ICND2 very quickly. The ability to do this is often the difference between a passing score and a failed attempt.
WARNING: You must master subnetting using our course or some other trusted materials before you start using these shortcut approaches. It is a common issue for Cisco candidates to move directly to subnetting shortcuts for the exams without fully understanding exactly how subnetting functions.
For this series of posts, we will use simulated exam questions from ICND1 and ICND2. Well, with all that out of the way – let’s have some fun. You will find that once you “turn the corner” on subnetting, you will pray for many of these questions in the exam. It is an opportunity to solve questions quickly and be 100% convinced that your response is “spot on”.
Question 1: What is the last usable address in the subnet of a host with the address 192.168.1.134 and the subnet mask of 255.255.255.240?
One of our CCNA students requested some command practice for ICND2 – here is one I put together for him. Please give me feedback in the comments if you find practice tools like this helpful.
As you may have noticed, INE does a wide variety of training in the Cisco space. This blog post goes out to all those folks who have recently begun their Cisco training.
This month we delivered new live classes on CCNA and CCNP. We are excited for and encourage our students at every level in their journey. In that light, we have gathered a collection of Video Answers, targeted at the CCNA level, with a few topics leaking into security and CCNP. These videos were primarily created as quick (under 10 minutes each) Video Answers to questions that various learners have had.
Take a look at the list of topics, and if there are 1 or 2 you feel you would benefit from, feel free to enjoy them.
Here are a few of the topics (in no particular order):
- How the network statement really works in IOS
- Setting up SSH
- Initial commands for sanity sake
- NAT with overload
- Router on a stick
- VRFs
Congratulations to the winners of the CCNA Live Bootcamp.
If your email address is listed below then you will be enrolled into the CCNA Live Bootcamp scheduled to start Monday, August 9th at 9:00 a.m. PDT. You will receive an additional email from your bootcamp coordinator, Marla Horstkotte (email@example.com), confirming your enrollment. You will also receive the recorded version of the bootcamp once it is completed.
The winners are:
A Special Offer From INE
We would like to thank everyone who signed up for the opportunity to win a seat in the upcoming CCNA Live Bootcamp. Due to the overwhelming demand, we would like to extend you an offer to purchase this excellent class for 50% off. Offer is good until Monday, August 9th and includes both the live class and the recorded class-on-demand version. Use discount code LIVECCNA when you purchase the CCNA Live Bootcamp. Even if you are unable to attend the live version of this class, this is a great opportunity to get the class-on-demand for only $247.50!
Looking to pass your CCNA exam? Or are you a CCNP/CCIE candidate looking to get a better understanding of the fundamentals? Starting August 9th at 9:00 a.m., we will be running a live on-line CCNA bootcamp covering both the ICND1 and ICND2 exams! More information on this class can be found here.
We will be selecting five lucky winners to attend the live class free of charge. Just sign-up and confirm your email address below. This is a great opportunity to get the best training in the world absolutely free, with no strings attached. We will notify the five lucky winners on Friday, August 6th.
Update: Winners Selected!
Hear ye, hear ye, VTP experts. (We are not referring to the Vandenberg Test Program, although they are very likely experts in their field as well.)
Can you predict the results of a 3 switch VTP client/server scenario?
SW1 through SW3 are connected as shown in the diagram.
Here is the initial output of show vtp status and show vlan brief on each. Note that SW1 and SW3 are servers, while SW2 is a client. We will be adding a failure to the network in just a moment.
One of our students asked me for a concise example of SNMPv3. James, here you go! This blog has examples and explanations of the features used in SNMPv3.
Older versions of SNMP didn’t provide all the features of SNMPv3. Version 3 supports a User-based Security Model (USM) for authentication, and a View-based Access Control Model (VACM) to control what that user account may access. Of course, these user accounts don’t represent end users; they are simply the configuration elements we configure on the SNMP devices, primarily for creating the connection to or from the SNMP device.
With version 3 we may use the following methods:
- noAuthNoPriv: requires username, but no MD5 validation of that user, and no encryption
- authNoPriv: requires username, provides MD5 validation, but no encryption
- authPriv: You guessed it. Requires username, uses MD5 validation, and encrypts too.