Configuring PPP and CHAP


CHAPTER 16

Configuring PPP and CHAP

Exam objectives in this chapter:

■ Understanding PPP and CHAP

■ Configuring and Implementing PPP and CHAP on Cisco Routers

Introduction

The CCNA certification exam will test a candidate’s ability to install, configure, operate, and troubleshoot medium-size routed and switched networks, as well as implement and verify connections to remote sites in a wide area network (WAN). Because so many connections around the world rely on modems, cable networks, DSL, T1s and so on, it’s no wonder that the first level of Cisco certification testing would cover two of today’s most widely used protocols and technologies: Point-to-Point Protocol (PPP) and Challenge Handshake Authentication Protocol (CHAP). Most Cisco gear supports such WAN protocols as Integrated Services Digital Network (ISDN), Asynchronous Transfer Mode (ATM), Frame Relay, High Level Data Link Control (HDLC), Serial Line Internet Protocol (SLIP), and X.25, among others. As you will see in this chapter, your use of these technologies will rely heavily on your ability to encapsulate and secure data transmissions. That is where PPP and CHAP come into play. In this chapter, we will cover the fundamentals you need to know for passing the CCNA exam and for configuring routers and WAN connections with PPP and CHAP for remote access solutions. We will also look at how authentication protocols, such as CHAP and Password Authentication Protocol (PAP), work and how they are configured on Cisco devices.

Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit. Copyright © 2009 by Syngress Press, Inc. All rights of reproduction in any form reserved.


Head of the Class… To Dial or Not to Dial…

For the CCNA exam, you should not focus entirely on the older methodology of dial-based connectivity. Although dial-up and modem-based solutions are still in use today, most WAN-based connections utilize other technologies. The “type” of connectivity is not the focus of the CCNA exam, but the common configurations that are used generically across all forms of connectivity are. For example, you will need to know how to encapsulate with PPP and how to authenticate with CHAP regardless of the WAN medium selected. Today, you can configure PPP on a T1 point-to-point connection, ISDN, and many other types of connections, so make sure you memorize the basics for the exam.

Understanding PPP and CHAP

For the CCNA exam, you will need to know not only what functions both CHAP and PPP perform, but also how to configure these protocols and ultimately troubleshoot the myriad issues that may occur with their use.

PPP is a Layer 2 WAN protocol used for basic data encapsulation and transmission across a network. For data transmission between any two nodes (devices or routers), a data path must be established and flow control procedures must be in place to ensure that correct and accurate delivery of data is accomplished. PPP is a data link layer protocol and its basic purpose is to transport network layer packets across a data link layer point-to-point network. It is the most widely used and most popular WAN protocol today because it offers complete control of data link setup, dynamic assignment of Internet Protocol (IP) addresses, network protocol multiplexing, link testing, link configuration, error detection, and negotiation options for network layer address and data compression.

PPP uses two authentication protocols: PAP and CHAP. CHAP is preferred over PAP because, to establish identity, CHAP uses a three-way handshake comprising the local host requesting authentication, the remote host sending an encrypted response, and the local host comparing the received information and then accepting or rejecting the connection; PAP uses only a two-way handshake. Also, PAP is less secure than CHAP. With PAP, passwords are sent in clear text, whereas with CHAP they are sent encrypted and secure. Since the request for authentication credentials is performed only upon initial link setup and credentials are sent insecurely, PAP is not recommended for use on networks where security is a concern.

OSI Model Fundamentals

The Open Systems Interconnection (OSI) model describes how data moves throughout a network from one system to another. To understand the fundamentals of the OSI model, you should know what PPP and CHAP do as well as the role the OSI model plays in these protocols. PPP is configured to work at the data link OSI layer and helps data transmission by utilizing a multiprotocol setup via the physical, data link, and network layers of the OSI model. As shown in Figure 16.1, the OSI model is provided as a backdrop to PPP and how it is mapped into those bottom three layers of the model.

Figure 16.1 Mapping PPP to the OSI Model (Network layer: NCP, with IPCP and IPXCP; Data Link layer: LCP; Physical layer: connection and physical media)

PPP plays specific roles at the network, data link, and physical layers of the model. Like most other protocols, PPP operates first, at the physical layer: Bits are sent across the medium, wire, or link, and devices such as modems function at this layer. One step above the physical layer is the data link layer. As do most protocols that operate at Layer 2, PPP uses Link Control Protocol (LCP) to handle Layer 2 functionality (LCP is the workhorse of PPP and we will cover it in detail in the next section). Meanwhile, Network Control Protocol (NCP) operates solely at Layer 3 and is responsible for the breakdown between network protocol types such as Internet Protocol Control Protocol (IPCP), also covered in detail in the next section. Another reason PPP is one of the most commonly used WAN protocols today is because it supports both synchronous and asynchronous communications. Most computer systems today will use PPP when an option is presented. For example, when configuring a modem (which modulates and demodulates a signal between analog and digital) you will almost always use PPP. Modems operate at Layer 1, but specific transmissions require that upper-layer controls be used. Since PPP supports both synchronous and asynchronous communications, it’s easy to facilitate this need. Synchronous communications are typical for point-to-point lines, whereas asynchronous communications are commonly used on dialed circuits using modems.

Test Day Tip PPP includes the ability to dynamically assign IP addresses to a device on the other end of the PPP link. When you dial into an Internet service provider (ISP) with your modem, the ISP can dynamically assign an IP to a device.


Although PPP is a widely used and highly flexible protocol, aside from controlling and managing an encapsulated session, PPP does not provide security. This is where PAP and CHAP add to the equation. Both PAP and CHAP bring added security to the network, but CHAP offers enhanced capabilities over PAP in that CHAP enforces the use of a username and password for gaining access to the network, thereby making it more difficult for malicious parties to conduct an attack. We will discuss both PAP and CHAP in more detail later in the chapter. For now, let’s take a closer look at PPP so that when you begin to configure and/or troubleshoot your connections and Cisco devices, you know which components within PPP to examine and analyze for problems.

Exam Warning Make sure for the exam that you understand which protocol maps to which layer. This may not appear as a direct question, but understanding which protocol to troubleshoot to solve a specific problem is important.

Point-to-Point Protocol (PPP)

To establish a point-to-point connection, you need a WAN link such as a T1 line which connects two remote sites, you need a termination device that connects the line to a modem or a modem to a router, and you need to configure a protocol. WAN connections are typically not the same from end to end, so it’s important to know how to configure PPP on multiple same or dissimilar connection types. Luckily, the basic configuration for both is simple and common enough for almost all WAN media in use today. To use end-to-end encapsulation (and security) you would configure PPP and CHAP. You can easily connect a site that uses a T1 line to a site that uses a DSL link and use PPP and CHAP without issue. PPP is commonly used to encapsulate a connection on a Transmission Control Protocol/Internet Protocol (TCP/IP) based network through a modem and a telephone line, a router connected to another router, and via other connection methods and media. Although the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols can be used, this is not common simply because IPX/SPX is generally used only for extreme cases of backward compatibility. Since almost all Novell-based systems have moved to the TCP/IP protocol suite, you would use this protocol only in cases where you need to accommodate a very old system or network segment that had to support it. PPP is a simple protocol to understand and troubleshoot. Once you break it down into sections and subsections (as we will do next), it is easy to see why it has become the de facto standard in the industry.


Understanding LCP and NCP

PPP, defined in RFC 1661, replaced SLIP because of SLIP’s many deficiencies, among them the fact that SLIP supports only IP and does not allow authentication and dynamic assignment of routed protocols. Unlike SLIP, PPP provides a standard method for transporting multiprotocol datagrams over point-to-point links. PPP is composed of three main components or subsections:

■ PPP operates on the physical, data link, and network layers of the OSI model. The physical layer is where the link is made and the bits are transported across the connected medium. PPP can encapsulate multiprotocol datagrams over the wire. Here, a frame format for local area network (LAN) protocol multiplexing is chosen and LCP begins to connect.

■ PPP uses LCP at the data link layer of the OSI model to establish, configure, and test the data link connection for use.

■ PPP uses NCP at the network layer of the OSI model. NCP is broken down further into multiple protocols. A family of NCPs is used to establish and configure different network layer protocols such as IPX, AppleTalk, and IP. IP in NCP form would be called IPCP as an example.

Test Day Tip Commonly used NCPs are IPCP, Internetwork Packet Exchange Control Protocol (IPXCP), NetBIOS Frames Control Protocol (NBFCP), and AppleTalk Control Protocol (ATCP). The NCP defined for IP, Version 6 (or IPng—Next Generation) is IP Version 6 Control Protocol (IPv6CP).

PPP Frame Format

PPP’s frame format is easy to understand if you know how to interpret a frame breakdown, as shown in Figure 16.2. In the figure, you can see the five fields of the frame, along with a start and end flag.

Figure 16.2 Fields of a PPP Frame

Flag (1 byte) | Address (1 byte) | Control (1 byte) | Protocol (1–2 bytes) | Data and padding (variable) | FCS (2–4 bytes) | Flag (1 byte)


Here is a breakdown of each field:

■ Flag The start flag in PPP uses the same format as the start flag in HDLC. It denotes the beginning of the frame, and its value is set at a binary number of 01111110.

■ Address Because PPP is used for a point-to-point connection, the Address field uses the broadcast address of HDLC, which is 11111111, to avoid the data link address in the protocol.

■ Control The Control field in PPP uses the same format as the U-frame in HDLC. The value is 11000000 and it is used to show that the frame does not contain sequence numbers, flow control, or error control.

■ Protocol The Protocol field defines what is being carried in the data field (see Table 16.1 for more information).

■ Data (and Padding) The Data field carries the user data or NCP packets. This field is sometimes called the Payload field.

■ FCS The Frame Check Sequence field uses the same format as it does in HDLC. It contains a 2- to 4-byte cyclic redundancy check (CRC).

Table 16.1 PPP Protocol Field Values

Value    Protocol Field
0x0021   IP
0x0029   AT
0x002B   IPX
0x003D   Multilink
0x0201   802.1d Hello
0x8021   IPCP
0x8029   ATCP
0x802B   IPXCP
0xC021   LCP
0xC023   PAP
0xC025   LQR
0xC223   CHAP


■ Flag Like the start flag, the end flag in PPP uses the same format as the end flag in HDLC. It indicates the end of the PPP frame, and its value is 01111110.

Table 16.1 provides a more detailed list of the values of the Protocol field. Codes found in this table become visible when you debug PPP and CHAP, or if you use a protocol capture and analysis tool to view the data within a PPP or CHAP packet. In the low level debug output, you can see information within the protocol field. PPP provides a standard method for transporting multiprotocol packets over point-to-point links. PPP’s Protocol field can help you troubleshoot issues, especially with upper-layer protocols. Understanding PPP’s phases from link establishment to disconnection is also helpful when trying to understand and troubleshoot your WAN connectivity.
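As an added example (not from the book), the following Python builds and parses a PPP frame with the field layout of Figure 16.2, decodes the Protocol field with the values of Table 16.1, and checks the FCS with the 16-bit CRC that RFC 1662 specifies for PPP; the frame bytes are constructed here, and the octet stuffing RFC 1662 applies on the wire is left out.

```python
from dataclasses import dataclass

FLAG = 0x7E          # 01111110: start and end flag, same as HDLC
ADDRESS = 0xFF       # 11111111: HDLC broadcast address
CONTROL = 0x03       # HDLC UI frame: no sequence numbers, flow or error control
GOOD_FCS16 = 0xF0B8  # constant fcs16() yields over data + a correct FCS (RFC 1662)

# Protocol field values from Table 16.1
PROTOCOLS = {
    0x0021: "IP", 0x0029: "AT", 0x002B: "IPX", 0x003D: "Multilink",
    0x0201: "802.1d Hello", 0x8021: "IPCP", 0x8029: "ATCP", 0x802B: "IPXCP",
    0xC021: "LCP", 0xC023: "PAP", 0xC025: "LQR", 0xC223: "CHAP",
}


def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """16-bit FCS of RFC 1662 (CRC-16/X.25, reflected polynomial 0x8408)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


@dataclass
class PPPFrame:
    protocol: int
    payload: bytes

    @property
    def protocol_name(self) -> str:
        return PROTOCOLS.get(self.protocol, "unknown (0x%04X)" % self.protocol)


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Flag | Address | Control | Protocol (2 bytes) | Data | FCS (2 bytes) | Flag."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body) ^ 0xFFFF                      # one's complement ...
    return bytes([FLAG]) + body + fcs.to_bytes(2, "little") + bytes([FLAG])  # ... low byte first


def parse_frame(frame: bytes) -> PPPFrame:
    """Validate flags, FCS, address and control, then split out protocol and data.

    Raises ValueError naming the first field that fails, so a troubleshooter
    sees whether the problem is framing, line noise (FCS) or the header."""
    if len(frame) < 7 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("flag")
    body = frame[1:-1]                              # everything between the flags
    if fcs16(body) != GOOD_FCS16:                   # covers header, data and FCS
        raise ValueError("fcs")
    if body[0] != ADDRESS:
        raise ValueError("address")
    if body[1] != CONTROL:
        raise ValueError("control")
    # Protocol is 2 bytes, or 1 byte when LCP negotiated protocol-field
    # compression; RFC 1661 keeps the first byte even and the last byte odd,
    # so an odd first byte means the short form is in use.
    if body[2] & 1:
        protocol, data = body[2], body[3:-2]
    else:
        protocol, data = int.from_bytes(body[2:4], "big"), body[4:-2]
    return PPPFrame(protocol, bytes(data))


def check_frame(frame: bytes) -> str:
    """'ok', or the name of the first field that failed validation."""
    try:
        parse_frame(frame)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a CHAP packet (Code 1 = Challenge) carried in PPP.
    frame = build_frame(0xC223, b"\x01\x07\x00\x0c\x04abcd")
    parsed = parse_frame(frame)
    print(parsed.protocol_name, parsed.payload, check_frame(frame))
```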

Understanding PPP Phases

While establishing the protocol, the PPP link goes through several distinct phases. These phases are specified as Link Dead, Link Establishment, Authentication, Network Layer Protocol configuration, and Link Termination, which then results in the Link Dead phase being repeated. Here is a breakdown of each phase so that you can better understand how the frame is read and how PPP will react based on each phase:

■ Link Dead (physical layer not ready) phase The link necessarily begins and ends with this phase. When a carrier is detected, PPP moves into the Link Establishment phase.

■ Link Establishment phase LCP establishes a connection through an exchange of configure packets. As soon as the Protocol field contains c021h, PPP moves to the Link Establishment phase. After a Configure-ACK packet is sent and received, the exchange is complete and the LCP Opened state begins. The LCP codes are one byte long. LCP options include Maximum Receive Unit (MRU), which specifies the maximum size of the information transported in bytes within the PPP packet received by the local equipment; and Magic-Number, which can show you a detected loop on a link during negotiation.

■ Authentication phase By default, authentication is not mandatory. Authentication negotiation occurs during the Link Establishment phase, where only LCP, authentication protocol, and link quality monitoring packets are allowed. The Link Quality Report (LQR) is important to the usability of this phase. Packets are sometimes dropped or corrupted because of noise and equipment problems. LQR helps in monitoring the quality of the PPP link. All other packets received during this phase are discarded. In PAP, one side supplies both a username and a password in clear text to the peer that is authenticating it. In CHAP, one peer challenges the other peer and the peer being challenged must be able to respond with the correct answer to the challenge before passing authentication. The password in CHAP creates the answer to the challenge and is never transmitted across the wire, which makes it inherently more secure than PAP.

■ Network Layer Protocol configuration phase After the link is established and LCP negotiates optional facilities as needed, PPP must send NCP packets to choose and configure one or more network layer protocols; after configuration, datagrams from each network layer protocol can be sent over the link. The link remains configured for communications until explicit LCP or NCP packets close the link. Each NCP can be opened and closed at any time. After an NCP reaches the opened state, PPP carries the corresponding network layer protocol packets (e.g., IPCP for NCP). Each NCP negotiates its own phase.

■ Link Termination phase PPP can terminate a link at any time. Possible reasons for termination include loss of carrier, authentication failure, link quality failure, expiration of an idle period timer, and the administrative closing of an interface or link. LCP closes a link through an exchange or through terminate packets. While the link is closing, PPP informs the network layer protocols so that they can take appropriate action. Once the link is terminated, the Link Dead phase is reinitialized.

One of the most resource-intensive procedures in PPP negotiation occurs during LCP negotiation. Previously, Cisco IOS created a statically configured number of processes to authenticate calls. Each process handled a single call, but in some situations the limited number of processes could not keep up with the incoming call rate, resulting in some calls timing out. PPP, when used over different technologies such as ISDN, dial-up, and Frame Relay, poses different requirements to ensure interoperability. Since so many types of connections can be used, it’s important to know which connection types PPP can use and how they work together when PPP is configured.


New & Noteworthy… The RFCs You Need to Know!

For more detailed and in-depth information on PPP, please visit www.ietf.org/rfc.html and review the following RFC documents:

■ RFC 1661 The Point-to-Point Protocol

■ RFC 1638 The PPP Bridging Control Protocol

■ RFC 1332 The PPP Internet Protocol Control Protocol

■ RFC 1377 The PPP OSI Network Layer Control Protocol

■ RFC 1552 The PPP Internetwork Packet Exchange Control Protocol

■ RFC 1618 PPP and ISDN

■ RFC 1662 PPP in HDLC-like Framing

■ RFC 1994 PPP CHAP

■ RFC 1990 Multilink PPP

■ RFC 1570 PPP LCP Extensions

The most common connection type that PPP uses is the Internet. PPP addresses problems of Internet connectivity by employing three main components:

■ HDLC as a basis for encapsulating datagrams over point-to-point links

■ LCP for setting up, configuring, and testing the data link connection

■ NCP for establishing and configuring different network layer protocols (PPP is designed to allow the simultaneous use of multiple network layer protocols, among them IPv4 and v6, IPX, and AppleTalk)

Exam Warning Make sure you know the difference between IPCP and IPv6CP. Since IPv6 is becoming more prevalent in today’s networks, it’s important to know when PPP’s NCP IPv6CP would be used.

To get a better understanding of how PPP works, you can view the output from a debug command. Later in this chapter we will look at the commands used for PPP and CHAP debugging in more depth, but for now let’s go through the steps of performing a debug and view how the PPP phases work (see Exercise 16.1). For the exam, it’s important to understand not only the packet’s header structure, but also know how to read data within the packet.

Test Day Tip For the CCNA exam, you will need to know how to turn on debugging and use the resultant output to solve problems. You will also need to know that turning on debugging will take up router or switch resources; therefore, it’s recommended that you use commands carefully as some impact the router more intensely than others. You should always schedule the use of most if not all debug commands, and make sure you understand how each command impacts the device, especially if it is running on a production network.

EXERCISE 16.1 Debugging and Viewing PPP Negotiations

1. Log on to Router A and turn on debugging by using the debug ppp negotiation command:

RouterA#debug ppp negotiation
PPP protocol negotiation debugging is on
RouterA#

2. View the sample output on the router’s console. As you can see, the debug process has been turned on and you will be able to view output based on PPP protocol negotiation.

RouterA#
*Feb 1 00:08:16.541: BR0:1 PPP: Treating connection as a callin
*Feb  1 00:08:16.552: BR0:1 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 0 load]

3. Next, once the ISDN connection becomes active, the BRI link in the debug shows PPP establishing a link. Since Link Establishment is processing, it’s important to know that LCP will begin its process within PPP. This is common throughout most if not all PPP-based connections.

RouterA#
*Feb  1 00:08:16.669: BR0:1 LCP: State is Listen
*Feb  1 00:08:17.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17

4. Next, once LCP begins its process, you can view the authentication starting up using PAP.

RouterA#
*Feb 1 00:06:17.038: BR0:1 LCP: AuthProto PAP (0x0304C023)
<-Output Omitted->

The process continues throughout the remaining phases. In the end, the NCPs will be configured for use. Viewing the debug sequence, you can get an idea about how PPP operates and how LCP, NCP, and authentication are used in the process. As you can see, PPP is easy to understand and troubleshoot. This is also why understanding how to troubleshoot while using the OSI model is important. Knowing which protocol maps to which layer is equally important while running debug commands and troubleshooting output on multiple routers configured to connect branch offices to a company’s main data center. It helps to understand which layers are affected and which protocols are in operation so that you can determine where a problem is occurring.

Test Day Tip PPP operates on Layer 1 of the OSI model. PPP can operate on a variety of Data Terminal Equipment/Data Circuit-Terminating Equipment (DTE/DCE) physical interfaces, including asynchronous serial, synchronous serial, High Speed Serial Interface (HSSI), and ISDN.

Challenge Handshake Authentication Protocol (CHAP)

It’s easy to authenticate for connectivity between two PPP-based devices. With PPP, you can authenticate using either PAP or CHAP. As mentioned earlier, CHAP is the preferred protocol, because CHAP uses a three-way handshake, whereas PAP uses only a two-way handshake (see Figure 16.3). As you can see in Figure 16.3, when CHAP is used over a WAN connection the router receiving the connection sends a challenge which includes a random number. This random number is input into a Message Digest (MD5) authentication algorithm to provide an encryption key. This key is then used to send authentication information between Routers 1 and 2. Since CHAP uses encryption and has a verification mechanism in place, it is inherently secure.


Figure 16.3 Using CHAP: Router 1 (Name router 1, Password password 1) and Router 2 (Name router 2, Password password 2) connected across the WAN; the exchange is Challenge, Response, then Accept or Reject.

Test Day Tip Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is nearly identical to CHAP in terms of how it operates. The main difference between the two is that Microsoft’s proprietary version of CHAP is not an open standard. You will not be tested on MS-CHAP on the CCNA exam. However, you should know about its use and its proprietary nature. CHAP and PAP are open standards-based protocols. RFC 2759 covers Microsoft PPP CHAP Extensions, Version 2, in detail.

Password Authentication Protocol (PAP)

PAP is a protocol used for the basic authentication purposes of a WAN connection. When PAP is used over a WAN connection, the dialing router transmits username and password information in clear text (i.e., without encryption). In Figure 16.4, PAP is using its two-way handshake to send credentials in clear text from Router 1 to Router 2; Router 2 then either accepts or rejects the attempt.

Exam Warning PAP is not as secure as CHAP. Always use CHAP when available to increase your security posture. For the exam, make sure you know how to configure CHAP with PPP. Also, know how to spot misconfiguration, as this is likely why you will have an authentication problem.

Unlike with PAP, when CHAP is used over a WAN connection the router receiving the connection sends a challenge which includes a random number that is later input into the MD5 hash algorithm, as noted in the preceding section. For this reason, CHAP is preferred over PAP for network connectivity.


Figure 16.4 Viewing PAP: Router 1 (Name router 1, Password password 1) and Router 2 (Name router 2, Password password 2) connected across the WAN; credentials are sent in cleartext, then Router 2 replies Accept or Reject.

Test Day Tip The MD5 algorithm can add a secure layer of encryption to your data transmissions. MD5 uses a hash function. The hash value is 128 bits and is commonly seen as a 32-digit hexadecimal number. You can learn more about MD5 in RFC 1321.
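As an added example (not from the book or from Cisco), the following Python models the CHAP three-way handshake of Figure 16.3 and the PAP two-way exchange of Figure 16.4 between two routers that hold username/password entries for each other, using the MD5 response computation of RFC 1994 and the packet layouts of RFC 1994 and RFC 1334; the router names, secrets and challenge bytes are constructed here.

```python
import hashlib
import hmac
import os

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 codes
PAP_REQUEST, PAP_ACK, PAP_NAK = 1, 2, 3                                  # RFC 1334 codes


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """A PPP peer: its hostname plus 'username <peer> password <secret>' entries."""

    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = {name: pw.encode() for name, pw in usernames.items()}
        self._outstanding = {}        # Identifier -> Challenge Value we sent

    # ---- CHAP, authenticating side (the router receiving the call) ----
    def chap_challenge(self) -> bytes:
        """Challenge packet: Code, Identifier, Value-Size, Value, Name."""
        ident = os.urandom(1)[0]
        value = os.urandom(16)        # fresh random challenge every time
        self._outstanding[ident] = value
        return bytes([CHAP_CHALLENGE, ident, len(value)]) + value + self.hostname.encode()

    def chap_verify(self, packet: bytes) -> bytes:
        """Recompute the hash from our copy of the secret; Success or Failure."""
        code, ident, size = packet[0], packet[1], packet[2]
        value, name = packet[3:3 + size], packet[3 + size:].decode()
        challenge = self._outstanding.pop(ident, None)   # one use only: no replay
        secret = self.usernames.get(name)                # looked up by the peer's Name
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return bytes([CHAP_FAILURE, ident])
        ok = hmac.compare_digest(chap_hash(ident, secret, challenge), value)
        return bytes([CHAP_SUCCESS if ok else CHAP_FAILURE, ident])

    # ---- CHAP, side being challenged (the calling router) ----
    def chap_respond(self, packet: bytes) -> bytes:
        """Response packet: same layout as the Challenge, Value = MD5 hash."""
        ident, size = packet[1], packet[2]
        challenge, peer = packet[3:3 + size], packet[3 + size:].decode()
        secret = self.usernames[peer]                    # shared secret for that peer
        value = chap_hash(ident, secret, challenge)      # the secret itself stays here
        return bytes([CHAP_RESPONSE, ident, len(value)]) + value + self.hostname.encode()

    # ---- PAP ----
    def pap_request(self, password: str) -> bytes:
        """Authenticate-Request: Peer-ID and Password travel as plain octets."""
        user, pw = self.hostname.encode(), password.encode()
        return bytes([PAP_REQUEST, 1, len(user)]) + user + bytes([len(pw)]) + pw

    def pap_verify(self, packet: bytes) -> bytes:
        ulen = packet[2]
        user = packet[3:3 + ulen].decode()
        plen = packet[3 + ulen]
        pw = packet[4 + ulen:4 + ulen + plen]
        stored = self.usernames.get(user)
        ok = stored is not None and hmac.compare_digest(stored, pw)
        return bytes([PAP_ACK if ok else PAP_NAK, packet[1]])


def run_chap(authenticator: Router, caller: Router):
    """Three-way handshake; returns (result code, bytes the caller sent)."""
    challenge = authenticator.chap_challenge()
    response = caller.chap_respond(challenge)
    return authenticator.chap_verify(response)[0], response


def run_pap(authenticator: Router, caller: Router, password: str):
    """Two-way exchange; returns (result code, bytes the caller sent)."""
    request = caller.pap_request(password)
    return authenticator.pap_verify(request)[0], request


if __name__ == "__main__":
    # Constructed peers in the style of Figure 16.5: each stores the other's
    # name with the shared secret.
    r1 = Router("router1", {"router2": "password1"})
    r2 = Router("router2", {"router1": "password1"})
    code, wire = run_chap(r2, r1)
    print("CHAP", "success" if code == CHAP_SUCCESS else "failure",
          "secret on wire:", b"password1" in wire)
    code, wire = run_pap(r2, r1, "password1")
    print("PAP", "ack" if code == PAP_ACK else "nak", "secret on wire:", b"password1" in wire)
```

Capturing the bytes each side sends shows the difference the chapter describes: the PAP request carries the password literally, while the CHAP response carries only a hash that a fresh challenge invalidates.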

Configuring and Implementing PPP and CHAP on Cisco Routers

To configure PPP, first you must understand what type of connection you are making. A network diagram can help.

Note For the CCNA exam, you will need to know how to configure PPP and CHAP/PAP on a Cisco router. For example, you may be presented with a question that shows two routers trying to connect over a WAN. You may need to either verify a particular configuration statement to rule out whether PPP or CHAP is suffering from a misconfiguration, or simply configure it from scratch on an interface at the command line. Not knowing the most basic commands and how to troubleshoot the resultant output will be a serious problem during the test. You will also have to determine the correct answers of misleading questions in which PPP is not the issue, but rather CHAP is, and vice versa.

Figure 16.5 shows a common connection with PPP and CHAP in use. Regardless of the WAN connection type (it could be a simple point-to-point T1 connection) it’s imperative that you know the steps to configure PPP and CHAP.


Figure 16.5 PPP and CHAP Sample Configuration (Router A is the DCE and Router B the DTE; each uses interface S0/0 across the WAN)

Router A
hostname RouterA
username RouterB password cisco 123
interface serial0/0
 clockrate 64000
 ip address 192.168.1.130 255.255.255.252
 encapsulation ppp
 ppp authentication chap

Router B
hostname RouterB
username RouterA password cisco 123
interface serial0/0
 ip address 192.168.1.129 255.255.255.252
 encapsulation ppp
 ppp authentication chap

In Figure 16.5, it’s clear that to configure PPP correctly you must configure an encapsulation statement on the interface and a username and password as a global command statement. This means you will need to configure PPP and CHAP within Interface Configuration mode and the username and password in Configure Terminal mode. In Exercise 16.2, you will configure PPP and CHAP on two Cisco routers.

EXERCISE 16.2 Configuring PPP and CHAP on Cisco Routers

For this exercise, let’s assume you have two routers, Router C and Router D, and that both need PPP and authentication such as PAP or CHAP. To specify the password to be used in CHAP or PAP caller identification, perform the following task in Global Configuration mode (this is where you will add your credential set):

1. Log on to Router C and configure the Serial 0/0 interface with an IP address of 10.1.1.1 and a mask of 255.255.255.252, PPP encapsulation, and CHAP authentication:

RouterC# conf t
RouterC(config)# interface s0/0
RouterC(config-if)#ip address 10.1.1.1 255.255.255.252
RouterC(config-if)#encapsulation ppp
RouterC(config-if)#ppp authentication chap
RouterC(config-if)#exit

2. Configure a credential set. Configure a username (which is the router you want to connect to, Router D in this example) and a password of pswd123.

RouterC(config)#username RouterD password pswd123
RouterC(config)#exit

3. Configure PPP and CHAP on Router D via the following commands:

RouterD# conf t
RouterD(config)# interface s0/0
RouterD(config-if)#ip address 10.1.1.2 255.255.255.252
RouterD(config-if)#encapsulation ppp
RouterD(config-if)#ppp authentication chap
RouterD(config-if)#exit
RouterD(config)#username RouterC password pswd123
RouterD(config)#exit

4. To configure an alternative interface on Router C for PPP and PAP, type the following at the prompt:

RouterC# conf t
RouterC(config)# interface s0/1
RouterC(config-if)#ip address 10.1.1.3 255.255.255.252
RouterC(config-if)#encapsulation ppp
RouterC(config-if)#ppp authentication pap
RouterC(config-if)#exit
RouterC(config)#ppp pap sent-username RouterE password pswd123
RouterC(config)#exit
RouterC# wr mem

5. Save the configuration and test all the interfaces to make sure your network can pass traffic without any issues.

PAP requires one extra configuration step. When you’re doing two-way authentication you must not forget to add the ppp pap sent-username username password password command. If this command is not present on the receiving router and the PPP client attempts to force the server to authenticate remotely, the request for PAP credentials will fail. You can find the failure results in the debug ppp negotiation output. Here is what the Serial 0/0 or 0/1 interface would look like if you chose to configure CHAP or PAP:

RouterC# show interface serial0/0
interface serial0/0
 ip address 10.1.1.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
RouterC# show interface serial0/1
interface serial0/1
 ip address 10.1.1.2 255.255.255.252
 encapsulation ppp
 ppp authentication pap
<-Output Omitted->

Remember when configuring CHAP that you must add a username entry for each remote system from which the local router requires authentication. If you forget this step, you will not have a functioning PPP and CHAP connection.

Exam Warning You will be tested on PPP and CHAP thoroughly in the CCNA exam, albeit perhaps not directly. It’s imperative that you know when to use PPP and CHAP, especially when presented with different types of WAN connection methods. For simulation-based questions, you will need to know the basic IOS commands from memory and how, when, and where to apply them.
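As an added example (not from the book), this Python script checks two IOS configuration snippets for the CHAP prerequisites this section and Exercise 16.2 name: encapsulation ppp and ppp authentication chap on the WAN interface, a username entry for the remote router's hostname on each side, and matching passwords. The two configs are constructed in the style of Exercise 16.2 and are not real device output.

```python
import re

# Constructed in the style of Exercise 16.2 (not real router output).
ROUTER_C = """\
hostname RouterC
username RouterD password pswd123
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
"""

ROUTER_D = """\
hostname RouterD
username RouterC password pswd123
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
"""


def parse_config(text: str) -> dict:
    """Extract hostname, username/password pairs and per-interface PPP lines."""
    cfg = {"hostname": None, "usernames": {}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)$", line):
            cfg["hostname"] = m.group(1)
        elif m := re.match(r"username (\S+) password (?:[07] )?(.+)$", line):
            # an optional 0/7 encryption-type keyword may precede the string;
            # type-7 strings are compared exactly as they appear
            cfg["usernames"][m.group(1)] = m.group(2)
        elif m := re.match(r"interface (\S+)$", line):
            current = cfg["interfaces"].setdefault(m.group(1), set())
        elif current is not None and line.startswith(("encapsulation ", "ppp ")):
            current.add(line)
        elif not raw.startswith(" "):
            current = None            # an unindented line ends the interface block
    return cfg


def check_chap_pair(cfg_a: dict, iface_a: str, cfg_b: dict, iface_b: str) -> list:
    """Return the list of problems found; an empty list means both ends agree."""
    problems = []
    for local, iface, remote in ((cfg_a, iface_a, cfg_b), (cfg_b, iface_b, cfg_a)):
        me, peer = local["hostname"], remote["hostname"]
        lines = local["interfaces"].get(iface)
        if lines is None:
            problems.append(f"{me}: interface {iface} is not configured")
            continue
        if "encapsulation ppp" not in lines:
            problems.append(f"{me}: {iface} lacks 'encapsulation ppp'")
        if not any(ln.startswith("ppp authentication chap") for ln in lines):
            problems.append(f"{me}: {iface} lacks 'ppp authentication chap'")
        # CHAP looks the peer's Name up in the username table: the entry must
        # match the remote hostname exactly (hostnames are case-sensitive)
        if peer not in local["usernames"]:
            problems.append(f"{me}: no 'username {peer} password ...' entry for the remote router")
    pw_a = cfg_a["usernames"].get(cfg_b["hostname"])
    pw_b = cfg_b["usernames"].get(cfg_a["hostname"])
    if pw_a is not None and pw_b is not None and pw_a != pw_b:
        problems.append("CHAP passwords differ between the two routers")
    return problems


def check_sample(config_d: str = ROUTER_D) -> list:
    """Run the check for Router C against a (possibly altered) Router D config."""
    return check_chap_pair(parse_config(ROUTER_C), "Serial0/0",
                           parse_config(config_d), "Serial0/0")


if __name__ == "__main__":
    print(check_sample() or "both ends consistent")
    print(check_sample(ROUTER_D.replace("pswd123", "pswd124")))
```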

Troubleshooting PPP and CHAP

Troubleshooting any network problem can be tricky. Luckily, with PPP you do not have too much data to weed through to find a problem, and if you know how to use the correct debugging commands, you will likely be able to solve just about any PPP (or CHAP) based problem quickly. As mentioned earlier, PPP goes through the five phases of Link Dead, Link Establishment, Authentication, Network Layer Protocol configuration, and Link Termination when transporting multiprotocol packets over point-to-point links. For practical purposes, most network technicians often consider PPP as a four-phase protocol because in the Link Dead phase, PPP remains stagnant until activity occurs; as such, in this phase, there really is nothing to troubleshoot. Once you have an active link, however, the following four phases occur in LCP, which PPP uses to handle Layer 2 functionality. Knowing how to troubleshoot each phase separately will help you understand how to isolate PPP-related issues.

■ Link Establishment phase This phase establishes the link.

■ Link Quality Determination phase The phase makes sure you have good link quality to transmit data.

■ Network Layer Protocol Configuration Negotiation phase This phase correctly utilizes a network layer protocol for upper-layer transmission.

■ Link Termination phase This phase cuts off the connection and returns the link to the Link Dead phase.

Having a solid understanding of these phases will truly help when you begin the debugging process. In your debug output you will find very low-level information that will seem cryptic unless you know how PPP operates through these phases. When troubleshooting PPP you will find that you can isolate many problems to the first three layers of the OSI model (the physical, data link, and network layer connections). For example, it is common to have a problem with the link itself. Many times the link becomes inactive, and this is why you do not have end-to-end connectivity. If you do have a reliable link, the next issue could be either at the data link or the network layer. Since LCP works at the data link layer and NCP at the network layer, it’s easy to isolate from debug output which of these is the culprit. An LCP or NCP connection can be terminated due to the following situations:

■ On administrative closing of the interface (this concerns LCP only)

■ When a subfunction fails, such as a physical failure causing LCP and NCP to fail, or LCP causing NCP to fail

■ When negotiations fall through or do not become established

■ On line loop detection, which is also a common Telco-related issue

When a link is terminated, it will lock up your device while the protocols try to renegotiate the connection.

Exam Warning If you want to check PPP negotiation between two peers, you must first ensure that the lower-level functions are working correctly. If your WAN link is configured as an ISDN circuit, you must know how to test all layers of the ISDN before you begin to test PPP, as ISDN functions at the physical layer. You cannot start your tests on PPP until you have checked all of the ISDN services, such as the physical interface, the dial-up connection, and any termination devices.


Your first step in troubleshooting should be to use the basic show commands. To view PPP on an interface, you simply need to show the interface via the show interface command:

RouterA#show interface serial0/0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 192.168.1.10/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Listen: IPCP
  Open: IPCP, CDPCP
  Last input 00:00:09, output 00:00:12, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1921 packets input, 136287 bytes, 0 no buffer
     Received 1301 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     2165 packets output, 100238 bytes, 0 underruns
     0 output errors, 0 collisions, 220 interface resets
     0 output buffer failures, 0 output buffers swapped out
     279 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Note in the preceding output how the encapsulation type is set to PPP when viewing the Serial 0/0 interface; also note that LCP is open to IPCP and CDPCP (and that it is listening for IPXCP). By viewing this configuration, you can see whether you have misconfigured anything.

Exam Warning For the CCNA exam, you will need to know how to look at configurations, interfaces, and debug output primarily to find problems relating to PPP and CHAP.


Debugging PPP

Using the debugging command-line tool in IOS can be very helpful when trying to find the cause of a problem. You should always be careful when debugging a device. You also need to know how to configure the router to be able to receive and/or manipulate the output from a debug session. When configuring debugging on a Cisco device, remember that by default all debug messages go to the console and are not sent to any log. Also, if your console buffer is too small or your logging buffer is set too small, you may not capture all the information you need to see. To log debug output to the system log you need to use the logging buffered command in Global Configuration mode. The show logging command will show you the status. You can then use the terminal monitor command if you need to see your debug output in a Telnet session. When debugging, you will want to enable millisecond-based timestamps on the router within which you are working, for increased accuracy. To do this, simply run the service timestamp debug datetime command with the msec option:

RouterA(config)# service timestamp debug datetime msec

Once the router is configured to timestamp with milliseconds, you can turn on debugging to check for output. To debug PPP and CHAP authentication (or another authentication protocol), issue the following command:

RouterA# debug ppp authentication

Once you issue debug ppp authentication you will see the following output if ISDN is configured on BRI0/0:

RouterA#debug ppp authentication
01:10:30: %LINK-3-UPDOWN: interface BRI0/0:1, changed state to up
01:10:30: BRI0/0:1 PPP: using dialer call direction
01:10:30: BRI0/0:1 PPP: treating connection as callin
01:10:30: BRI0/0:1 CHAP: 0 CHALLENGE id 10 len 24 from 'RouterB'
01:10:30: BRI0/0:1 CHAP: 1 CHALLENGE id 10 len 23 from 'RouterA'
01:10:30: BRI0/0:1 CHAP: waiting for peer to authenticate first
01:10:30: BRI0/0:1 CHAP: 1 RESPONSE id 10 len 24 from 'RouterA'
01:10:30: BRI0/0:1 CHAP: unable to validate response, username RouterB not found
01:10:30: BRI0/0:1 CHAP: 0 FAILURE id 10 len 27 msg is 'authentication failure'
01:10:30: BRI0/0:1 %ISDN-6-CONNECT: interface BRI0/0:1, is now connected to unknown
01:10:30: %LINK-3-UPDOWN: interface BRI0/0:1, changed state to down
<-Output Omitted->

This is the output of the preceding network configuration, where Router A and Router B are two network segments connected via an ISDN link. When troubleshooting connectivity issues between two routers on a network using ISDN, as mentioned earlier, you should ensure that all lower-layer ISDN functionality is up and running. Remember that you can use the debug isdn events command to test all ISDN-related functionality. To be more specific, you can always use the Layer 2-related debug isdn q921 or the Layer 3-related debug isdn q931 command. The debug dialer events command will give you information regarding initiated and/or disconnected calls. It’s important to know the status of the WAN protocol before moving to PPP or PPP-based authentication protocols such as CHAP and PAP. ISDN was created for the purpose of enabling voice, video, and data over links, as the Plain Old Telephone Service (POTS) had no capacity for video and very little for data. Each B channel has a capacity of 64 kilobits per second (Kbps), and two B channels give a combined bandwidth of 128 Kbps. The B channel is for sending data and it uses either the PPP or HDLC encapsulation method. The CCNA exam will center on the use of PPP for B channel encapsulation. It is important to note, however, that HDLC is also a valid choice. The D channel has a standard capacity of 16 Kbps, but different vendors implement a capacity as high as 64 Kbps. The D channel utilizes Link Access Procedure D (LAPD) for its protocol, and not the PPP or HDLC encapsulation method used over B channels.

Test Day Tip The LAPD protocol operates at Layer 2 of the OSI model. This protocol is defined in CCITT Q.920/921. In this way, LAPD works in Asynchronous Balanced Mode (ABM). ABM is used for error recovery. LAPD is an important part of ISDN to help it remain stable.

Now, let’s configure a debug for authentication, since you know that ISDN is okay and the lower levels of PPP are functioning properly. Once you enter the debug ppp authentication command on Router B, as shown in Figure 16.6, you will find the source of your issue. If you carefully examine the debug generated by the global debug ppp authentication command, you will see that Routers A and B can communicate over the WAN link, and that when authentication begins there is an issue with Router B’s username and password. This was found from Router B’s output.

Figure 16.6 Debugging an ISDN Link: Router A (LAN IP 192.168.10.0/24) and Router B (LAN IP 192.168.20.0/24), each using interface BRI 0/0, connected over an ISDN WAN

Exam Warning For the exam, you must know how to use debug commands to solve issues. Obviously, the lab scenario on the exam will be limited to some degree, but you will be able to use many troubleshooting commands to help solve problems. You will also be given problems which require in-depth knowledge of specific debug commands and their associated output.
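The reading of the debug ppp authentication transcript above can be done mechanically. The following Python, added here and not code from the book or from Cisco, folds the chapter's debug lines (reproduced as a constructed sample) into a per-interface record and reports why CHAP failed; the regular expressions key only on line shapes that appear in the transcript, and the diagnosis strings are this example's own.

```python
"""Classify CHAP failures in Cisco 'debug ppp authentication' output.

Added example; this is not code from the book.  SAMPLE_DEBUG is a constructed
copy of the failing exchange shown in the chapter; the diagnosis strings are
this example's own, not IOS messages."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
01:10:30: %LINK-3-UPDOWN: interface BRI0/0:1, changed state to up
01:10:30: BRI0/0:1 PPP: using dialer call direction
01:10:30: BRI0/0:1 PPP: treating connection as callin
01:10:30: BRI0/0:1 CHAP: 0 CHALLENGE id 10 len 24 from 'RouterB'
01:10:30: BRI0/0:1 CHAP: 1 CHALLENGE id 10 len 23 from 'RouterA'
01:10:30: BRI0/0:1 CHAP: waiting for peer to authenticate first
01:10:30: BRI0/0:1 CHAP: 1 RESPONSE id 10 len 24 from 'RouterA'
01:10:30: BRI0/0:1 CHAP: unable to validate response, username RouterB not found
01:10:30: BRI0/0:1 CHAP: 0 FAILURE id 10 len 27 msg is 'authentication failure'
01:10:30: BRI0/0:1 %ISDN-6-CONNECT: interface BRI0/0:1, is now connected to unknown
01:10:30: %LINK-3-UPDOWN: interface BRI0/0:1, changed state to down
"""

# One regex per line shape we care about.  Every line starts with the
# timestamp that 'service timestamp debug datetime msec' produces.
LINK_RE = re.compile(r"^\S+: %LINK-3-UPDOWN: interface (?P<intf>\S+), "
                     r"changed state to (?P<state>up|down)$")
CHAP_RE = re.compile(r"^\S+: (?P<intf>\S+) CHAP: (?P<rest>.*)$")
CHALLENGE_RE = re.compile(r"CHALLENGE id (?P<id>\d+) .*from '(?P<name>[^']*)'")
RESPONSE_RE = re.compile(r"RESPONSE id (?P<id>\d+) .*from '(?P<name>[^']*)'")
NOT_FOUND_RE = re.compile(r"unable to validate response, username (?P<user>\S+) not found")
FAILURE_RE = re.compile(r"FAILURE id (?P<id>\d+) .*msg is '(?P<msg>[^']*)'")


@dataclass
class ChapSession:
    """What one interface went through, in the order the debug lines appear."""
    interface: str
    challenges: List[str] = field(default_factory=list)   # names in CHALLENGE packets
    responses: List[str] = field(default_factory=list)    # names in RESPONSE packets
    missing_username: Optional[str] = None                # from 'username X not found'
    failure_msg: Optional[str] = None                     # from the FAILURE packet
    link_down: bool = False

    def diagnosis(self) -> str:
        if self.missing_username:
            # The chapter's case: the validating router has no matching
            # 'username <peer-hostname> password <secret>' entry.
            return (f"no 'username {self.missing_username} password ...' entry on "
                    "this router (check spelling and case of the peer hostname)")
        if self.failure_msg:
            return f"CHAP failed: {self.failure_msg}"
        if self.link_down and not self.challenges:
            return "link dropped before CHAP started; verify ISDN/physical layers first"
        return "no CHAP failure observed"


def analyze(debug_text: str) -> Dict[str, ChapSession]:
    """Fold the debug lines into one ChapSession per interface."""
    sessions: Dict[str, ChapSession] = {}
    for line in debug_text.splitlines():
        link = LINK_RE.match(line)
        if link:
            sess = sessions.setdefault(link["intf"], ChapSession(link["intf"]))
            if link["state"] == "down":
                sess.link_down = True
            continue
        chap = CHAP_RE.match(line)
        if not chap:
            continue          # PPP and ISDN lines carry no CHAP state we track
        sess = sessions.setdefault(chap["intf"], ChapSession(chap["intf"]))
        rest = chap["rest"]
        if (m := CHALLENGE_RE.search(rest)):
            sess.challenges.append(m["name"])
        elif (m := RESPONSE_RE.search(rest)):
            sess.responses.append(m["name"])
        elif (m := NOT_FOUND_RE.search(rest)):
            sess.missing_username = m["user"]
        elif (m := FAILURE_RE.search(rest)):
            sess.failure_msg = m["msg"]
    return sessions


if __name__ == "__main__":
    for intf, sess in analyze(SAMPLE_DEBUG).items():
        print(f"{intf}: {sess.diagnosis()}")
```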

To debug PPP and CHAP, you need to be familiar with commonly used debug commands. For instance, you would use the debug ppp negotiation command to troubleshoot and resolve issues with LCP communications between peers. This command will display PPP packets transmitted during PPP startup where PPP options are first negotiated.

RouterA# debug ppp negotiation

You can also use the debug ppp packet command, which will display the PPP packets that were sent and received, and when this occurred. (This is why you should know how to set your router to millisecond timestamps, so you can decipher fine details during troubleshooting.) The debug ppp packet command also displays low-level packet dumps. To debug PPP packets you can use the EXEC-based command:

RouterA# debug ppp packet

You would use the debug ppp errors command to display output relating to protocol errors that occur while in the connection negotiation and operation phases. Protocol errors will be shown in detail. To debug PPP errors you can use the EXEC-based command:

RouterA# debug ppp errors

The debug ppp chap command will display CHAP and PAP packet exchanges between peers. This is helpful in determining whether your peers have a misconfiguration.

RouterA# debug ppp chap

Test Day Tip All debug commands are run in Global Configuration mode, not Interface Configuration mode.

Remember that when using debug commands you need to be careful about your environment and any adverse effects the debug may have on it. Use debugs with care in a production environment.

Exam Warning Always make sure that when you use a debug command you do not cause a device to lock up or crash. Debugging usually taxes a system’s resources heavily, so, for example, if you wanted to run a debug on a virtual private network (VPN) router doing software-based encryption via the command debug ip packet, you could freeze the system and lose access to it, thereby requiring a reboot or restart to unlock it. Use a debug command only when you know that doing so will not cause problems; or, if possible, conduct your debug session during off hours or during hours of inactivity. Use no debug all to turn off debugging.

Summary of Exam Objectives

The Cisco CCNA exam will check a candidate’s ability to install, configure, operate, and troubleshoot medium-size routed and switched networks, as well as implement and verify connections to remote sites in a WAN. Because so many connections are made across the world based on modems, cable networks, DSL, T1s and so on, it’s no wonder that the first level of Cisco certification testing would cover the most widely used protocols and technologies in use today, such as PPP and CHAP. WAN protocols supported by most Cisco gear include Integrated Services Digital Network (ISDN), Asynchronous Transfer Mode (ATM), Frame Relay, High-Level Data Link Control (HDLC), Serial Line Internet Protocol (SLIP), X.25, and others. As you have seen, using these technologies (such as ISDN) relies heavily on your ability to encapsulate and secure data transmissions. That is where PPP and CHAP come into play.

In this chapter, we covered the fundamentals you need to know to pass the CCNA exam and to configure routers and WAN connections with PPP and CHAP for remote access solutions. Specifically, you learned about the differences between PPP and its predecessor, SLIP, in terms of their benefits as well as how they operate. Point-to-Point Protocol (PPP) is just one method of connecting a computer to a remote network. PPP is a point-to-point WAN protocol that works at the Data Link layer of the OSI Model. PPP is more stable than SLIP and has error checking features included. It also operates using different Network layer protocols (such as IPX from the IPX/SPX protocol suite and AppleTalk), whereas SLIP only uses TCP/IP-based IP. PPP (as well as SLIP) will encapsulate a datagram and other Network layer protocol information over point-to-point links. PPP will also function better than the older SLIP due to its subdivision into phases. When PPP is used on a link, it will negotiate with the other side of the link. PPP negotiation consists of three phases, which are Link Control Protocol (LCP), Authentication, and Network Control Protocol (NCP). PPP can operate on a variety of DTE/DCE physical interfaces, including asynchronous serial, synchronous serial, HSSI, and ISDN.

You also learned about encapsulation and authentication, and we discussed the differences between CHAP and PAP in this regard. Because connecting networks (especially over the Internet) can be very insecure, authentication is needed for security purposes, and this is where CHAP (Challenge Handshake Authentication Protocol) comes into play. When CHAP (or PAP) is used, credentials are transmitted with or without encryption from the sending side. When CHAP is used, a challenge which includes a random number is sent for added security. This random number is input into an MD5 algorithm to provide the encryption key with which to send authentication information between routers, thus providing end-to-end encryption. CHAP uses encryption whereas PAP does not and offers no form of security that can be trusted. CHAP uses a 3-way handshake. This handshake is made up of the local host requesting authentication, the remote host sending an encrypted response, and the local host comparing the received information and then accepting or rejecting the connection. PAP only uses a 2-way handshake and is much less secure. We rounded out the chapter with exercises that took you through the steps of debugging and viewing PPP negotiations, as well as configuring and implementing PPP and CHAP on Cisco routers.
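The CHAP handshake summarized above, worked through in Python as an added example that is not code from the book or from Cisco: the response is an MD5 digest over the identifier, the shared secret, and the random challenge value (RFC 1994), each router looks its peer's hostname up in its own username table, and the "username RouterB not found" failure from the chapter's debug output falls out of a missing entry on the validating router. The hostnames follow the chapter's Router A / Router B figure; the secrets and result strings are constructed.

```python
"""CHAP (RFC 1994) challenge/response, worked through in Python.

Added example, not code from the book.  Hostnames follow the chapter's
Router A / Router B figure; secrets and result strings are constructed."""
import hashlib
import os
from typing import Dict, Tuple


def chap_response(chap_id: int, secret: str, value: bytes) -> bytes:
    """RFC 1994 sect. 4.1: MD5 over Identifier || secret || challenge value.
    The digest, not the secret, is what crosses the wire."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret.encode() + value).digest()


class Router:
    """A PPP peer with a hostname and its local 'username X password Y' table.
    As on IOS, each side looks the *other* side's hostname up in its own table."""

    def __init__(self, hostname: str, usernames: Dict[str, str]):
        self.hostname = hostname
        self.usernames = usernames            # peer hostname -> shared secret
        self._pending: Dict[int, bytes] = {}  # outstanding challenge id -> value

    # -- authenticator side --
    def challenge(self, chap_id: int) -> Tuple[int, bytes, str]:
        """CHALLENGE: id, a fresh random value, and our own hostname
        (the 'CHALLENGE id 10 ... from RouterB' line in the debug output)."""
        value = os.urandom(16)
        self._pending[chap_id] = value
        return chap_id, value, self.hostname

    def verify(self, chap_id: int, peer_name: str, digest: bytes) -> Tuple[bool, str]:
        """Check a RESPONSE against the secret stored for peer_name."""
        value = self._pending.pop(chap_id, None)
        if value is None:
            return False, "no outstanding challenge with that id"
        secret = self.usernames.get(peer_name)
        if secret is None:
            # The chapter's failure: 'unable to validate response, username RouterB not found'
            return False, f"username {peer_name} not found"
        if chap_response(chap_id, secret, value) != digest:
            return False, "authentication failure"   # the two sides hold different secrets
        return True, "authentication success"

    # -- peer side --
    def respond(self, chap_id: int, value: bytes, challenger: str) -> Tuple[int, bytes, str]:
        """RESPONSE: hash the challenge with the secret we hold for the challenger."""
        secret = self.usernames.get(challenger)
        if secret is None:
            raise ValueError(f"{self.hostname}: no username entry for {challenger}")
        return chap_id, chap_response(chap_id, secret, value), self.hostname


def run_chap(authenticator: Router, peer: Router, chap_id: int = 10) -> Tuple[bool, str]:
    """The three-way handshake: CHALLENGE -> RESPONSE -> SUCCESS/FAILURE."""
    cid, value, name = authenticator.challenge(chap_id)
    rid, digest, peer_name = peer.respond(cid, value, name)
    return authenticator.verify(rid, peer_name, digest)


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Three configurations of the chapter's Router A / Router B link,
    with Router A as the authenticator."""
    secret = "constructed-shared-secret"
    router_b = Router("RouterB", {"RouterA": secret})
    return {
        # both sides hold 'username <peer> password <secret>' with the same secret
        "matching secrets": run_chap(Router("RouterA", {"RouterB": secret}), router_b),
        # Router A has no 'username RouterB ...' line: the failure in the debug output
        "username missing on A": run_chap(Router("RouterA", {}), router_b),
        # both usernames exist but the passwords differ
        "password mismatch": run_chap(Router("RouterA", {"RouterB": "other"}), router_b),
    }


def replayed_response_is_rejected() -> bool:
    """Why the challenge carries a random number: a RESPONSE captured from one
    exchange does not validate against a fresh CHALLENGE."""
    secret = "constructed-shared-secret"
    router_a = Router("RouterA", {"RouterB": secret})
    router_b = Router("RouterB", {"RouterA": secret})
    cid, value, name = router_a.challenge(10)
    _, old_digest, _ = router_b.respond(cid, value, name)
    assert router_a.verify(cid, "RouterB", old_digest)[0]   # the genuine exchange passes
    cid2, _, _ = router_a.challenge(11)                     # new id, new random value
    ok, _ = router_a.verify(cid2, "RouterB", old_digest)
    return not ok
```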


Exam Objectives Fast Track

Understanding PPP and CHAP

■■ PPP is a point-to-point WAN protocol that works at the data link layer of the OSI model. PPP is more stable than SLIP and includes error-checking features.

■■ PPP can operate on a variety of DTE/DCE physical interfaces, including asynchronous serial, synchronous serial, HSSI, and ISDN.

■■ When PPP is used on a link, it will negotiate with the other side of the link. PPP negotiation consists of three phases: LCP, Authentication, and NCP.

■■ PPP uses LCP to set up, configure, and test a data link connection.

■■ PPP uses NCP to establish and configure different network layer protocols. PPP is designed to allow the simultaneous use of multiple network layer protocols, including IPv4 and v6, IPX, and AppleTalk.

■■ PPP operates using different network layer protocols (e.g., IPX and AppleTalk), whereas SLIP uses only TCP/IP-based IP. PPP and SLIP will encapsulate a datagram and other network layer protocol information over point-to-point links. These are called NCPs.

■■ The phases of PPP are Link Dead, Link Establishment, Authentication, Network Layer Protocol, and Link Termination, at which point the Link Dead phase is initiated again.

■■ PPP uses HDLC as a basis for encapsulating datagrams over point-to-point links.

■■ PAP is the older of the two PPP authentication protocols. It has major security flaws, including the sending of passwords in clear text and allowing a client to choose when it sends a password.

■■ When CHAP is used over a WAN connection, the router receiving the connection sends a challenge which includes a random number that can be input into an MD5 hash algorithm. MD5 hashing and server control is a function of CHAP.

■■ CHAP uses a three-way handshake comprising the local host requesting authentication, the remote host sending an encrypted response, and the local host comparing the received information and then accepting or rejecting the connection. PAP only uses a two-way handshake and is much less secure.

■■ MS-CHAP is nearly identical to CHAP in terms of how it operates. The main difference between the two is that MS-CHAP is Microsoft’s proprietary version of CHAP and is not an open standard. You will not be tested on MS-CHAP on the CCNA exam directly, but you should know about its use and its proprietary nature.

■■ CHAP and PAP are open standards-based protocols.

Configuring and Implementing PPP and CHAP on Cisco Routers

■■ You use the show interface command to verify the current state of PPP LCP negotiations.

■■ You use the debug ppp negotiation command to troubleshoot and resolve issues with LCP communications between peers. This command will display PPP packets transmitted during PPP startup where PPP options are first negotiated.

■■ You use the debug ppp packet command to display the PPP packets that are being sent and received, and when this occurs. This command also displays low-level packet dumps.

■■ You use the debug ppp errors command to display output relating to protocol errors that occur while in the connection negotiation and operation phases. Protocol errors are shown in detail.

■■ You use the debug ppp chap command to display CHAP and PAP packet exchanges between peers. This is helpful in determining whether your peers have a misconfiguration.

■■ You use the debug ppp authentication command to troubleshoot and resolve issues with authentication attempts using protocols such as CHAP and PAP.

Exam Objectives Frequently Asked Questions

Q: For the exam, should I know what multilink PPP is and how it works?

A: Yes, you should be familiar with multilink PPP for the exam. Specifically, you must understand how PPP operates; if you know how PPP works, all you have to remember is that with multilink, you are basically using PPP across a type of WAN-based network with multiple links such as Frame Relay and/or ISDN. Multilink PPP (also known as MLP) is defined in RFC 1990 and is used to combine multiple WAN links into a single logical channel that is sometimes referred to as a bundle when describing ISDN channels. Using MLP will allow for load-balancing of traffic from multiple links as well as providing link redundancy.

Q: For the exam, will I need to know about Dial-on-Demand Routing (DDR)?

A: Yes. For the exam, you will need to know that multilink PPP is configured along with ISDN to establish DDR. DDR will provide a significant savings in cost over point-to-point links that are always available. ISDN BRI or PRI rate interfaces can be bundled with MLP to provide connectivity when needed.

Q: Can I configure PPP to use both CHAP and PAP?

A: Yes, you can configure PPP to use both CHAP and PAP authentication methods. However, the other device must not return a CHAP response. If CHAP returns a reject response, PAP will not be used.

Q: Does PPP debugging eat up so many router and/or switch resources that I will not be able to test it in a production scenario?

A: No, you can test PPP while running production routers or switches. However, if the network device on which you wish to run tests is relied on or performs a critical function, using it for this purpose may impact its performance. Therefore, before running a debug command, you should know the model of the device so that you can see whether offloaded hardware is processing specific functions. You should also know how much memory or CPU power the device has, what functions it performs, and what protocols are running and in use. Also, consider the use of the device. Is it a crucial router that is already overtaxed with work? Use caution in every scenario and you will avoid problems while testing.

Q: How secure are the authentication protocols, and can I rely on them for my network?

A: As a network engineer, you will always have to wear the secondary hat of “security analyst.” Network engineer also implies security engineering, so it’s recommended that while studying to become a CCNA, you consider security every step of the way. It’s also implied that anything released by Cisco, or any other vendor, is fair game for malicious hackers. Every IOS release for the past few years has grown exponentially in terms of security options. When working with any authentication protocol (or any protocol in general) you should always consider that it can easily be hacked. As such, you should stay on top of the Cisco updates that are released, code release caveat statements, code-based security updates, and security news.

Self Test

1. You are a Cisco engineer assigned to configure a WAN connection for a company. You are configuring the WAN connection utilizing PPP. When using PPP, it’s important to understand the underlying protocols used to facilitate processes such as link setup and, eventually, teardown of the circuit, link, or line. In PPP, which underlying protocol is responsible for establishing and configuring as well as testing, maintaining, and terminating PPP WAN-based connections? (Choose all that apply.)
A. NCP
B. LCP
C. CDP
D. X.25

2. As a network consultant, you are asked to set up a secure way to connect a WAN link utilizing PPP. Which of the following statements regarding PPP authentication protocols is true? (Choose all that apply.)
A. When CHAP is used over a WAN connection, the username and password are sent by the dialing router without encryption.
B. When PAP is used over a WAN connection, the username and password are sent by the dialing router with encryption.
C. When CHAP is used over a WAN connection, the username and password are sent by the dialing router with encryption.
D. When PAP is used over a WAN connection, the username and password are sent by the dialing router without encryption.

3. Which of the following PPP sublayers is responsible for all of PPP’s network layer protocol negotiations?
A. IPCP
B. LCP
C. X.25
D. NCP




4. What verification command can show the current state of the PPP LCP?
A. The debug NCPLCP command is used to verify the current state of PPP LCP negotiations.
B. The test-network command is used to verify the current state of PPP LCP negotiations.
C. The show interface command is used to verify the current state of PPP LCP negotiations.
D. The show network-status command is used to verify the current state of PPP LCP negotiations.

5. As a new Cisco engineer, you are configuring a set of routers using PPP. You need to configure CHAP authentication. What Cisco IOS configuration mode is used when enabling PPP authentication?
A. Interface Configuration mode
B. Global Configuration mode
C. PPP Configuration mode
D. Authentication Configuration mode
E. CHAP Configuration mode

6. Which of the following best describes the inherent problems of PPP using PAP during the LCP phase?
A. PAP enables the client to control the authentication attempt.
B. PAP will send the transmission across the wire unauthenticated.
C. PAP during the LCP phase will send out Hello packets to find the adjacent router.
D. PAP will use CHAP for its authentication and the handoff is unsafe.

7. You are a network engineer looking to implement security on your network. Your WAN router is connected to two other routers on the other side of the world. You need to secure these three routers correctly. You would like to use a secure function of PPP to authenticate each device. A three-way handshake is preferred over a two-way handshake in terms of authentication methods available. Which PPP authentication protocol uses a three-way handshake and thus is the one you should configure on all of your network routers?
A. NCP
B. CHAP
C. PAP
D. LCP

8. You are a network engineer trying to resolve a particularly difficult authentication problem. You are investigating the routers involved and are using debug commands. While troubleshooting, you try to find where authentication failures are taking place within PPP. Which protocol should you analyze to find the source of the issue?
A. PPPoE
B. LCP
C. IPCP
D. CDPCP
E. CDP

9. You are a Cisco engineer troubleshooting a PPP-based connectivity issue on an IPv6-based network. The routers were taken from an older IPv4 network and were installed on the one you are testing. You check that IPv4 is currently in use on the router and that PPP is configured. You find that you cannot communicate across your network. From the answers given, what is the reason you are not getting your routers to connect?
A. You need to configure the correct NCP, which is IPv6CP. If you do not configure IPv6 on your routers, they will not be able to communicate over the network.
B. You need to configure the correct LCP, which is IPv6CP. If you do not configure IPv6 on your routers, they will not be able to communicate over the network.
C. You need to configure the correct NCP, which is IPv4CP. If you do not configure IPv6 on your routers, they will not be able to communicate over the network.
D. You need to configure the correct LCP, which is IPNGCP. If you do not configure IPv6 on your routers, they will not be able to communicate over the network.

10. While configuring a network router, you need to find an interface in which to configure PPP for WAN communications among three separate routers. From the answers given, which interface type can you use to configure PPP? (Select all that apply.)
A. Synchronous serial
B. Asynchronous serial
C. LMI
D. HSSI
E. ISDN

11. As a network analyst, you are working on a solution for configuring PPP, and you are connecting one TCP/IP-based network to another TCP/IP-based network. You will need to communicate between both networks using IP. Which of the following statements regarding the PPP NCP-based IPCP protocol is true? (Choose all that apply.)
A. IPCP will pass WINS and DNS information.
B. IPCP will pass NDS information.
C. IPCP will handle compression.
D. You will need to use IPCP for address assignment.

12. You are troubleshooting a WAN-based problem for your company. You want to configure an interface protocol that will allow error correction. From the answers given, which protocol listed will not provide error-correction features?
A. SDLC
B. HDLC
C. PPP
D. LAPD

13. While solving an issue on a PPP-based connection, you notice that you do not have the correct encapsulation type on a particular interface on a troubled router. If Router A has a serial interface you would like to configure with DDR, what protocol choice given should be configured? (Choose only one answer.)
A. HDLC
B. SDLC
C. X.25
D. PPP

14. While working as a Cisco engineer, you are assigned to help resolve an ISDN network design issue. You are not sure whether you should use PPP on the B channels. From the list of answers given, which answer provides the correct design for the solution needed?
A. You should use PPP for the B channels and LAPD for the D channel.
B. You should use HDLC for the B channels and PPP for the D channel.
C. You should use CDP for the B channels and LAPD for the D channel.
D. You should use PPP for the B channels and HDLC for the D channel.
E. You should use LAPD for the B channels and HDLC for the D channel.

15. You are a consultant working on a new network rollout. You have three Cisco routers that will be connected together over a WAN. You need to use a protocol on the connected interfaces on each router. From the list of options, which answer clearly defines which protocol is used on Cisco-based hardware by default?
A. PPP
B. HDLC
C. LAPB
D. CDP
E. SLIP

16. You are a Cisco engineer troubleshooting a connectivity issue between two routers in a new network design. You enter the debug ppp authentication command on the Router B router. Based on the graphic in Figure 16.7 and, beneath that, the output received from the router, what’s the most likely cause of this connectivity issue?

Figure 16.7 Debugging an ISDN Link: Router A (LAN IP 192.168.10.0/24) and Router B (LAN IP 192.168.20.0/24), each using interface BRI 0/0, connected over an ISDN WAN

RouterA#debug ppp authentication
01:10:30: %LINK-3-UPDOWN: interface BRI0/0:1, changed state to up
01:10:30: BRI0/0:1 PPP: using dialer call direction
01:10:30: BRI0/0:1 PPP: treating connection as callin
01:10:30: BRI0/0:1 CHAP: 0 CHALLENGE id 10 len 24 from 'RouterB'
01:10:30: BRI0/0:1 CHAP: 1 CHALLENGE id 10 len 23 from 'RouterA'
01:10:30: BRI0/0:1 CHAP: waiting for peer to authenticate first
01:10:30: BRI0/0:1 CHAP: 1 RESPONSE id 10 len 24 from 'RouterA'
01:10:30: BRI0/0:1 CHAP: unable to validate response, username RouterB not found
01:10:30: BRI0/0:1 CHAP: 0 FAILURE id 10 len 27 msg is 'authentication failure'
01:10:30: BRI0/0:1 %ISDN-6-CONNECT: interface BRI0/0:1, is now connected to unknown
01:10:30: %LINK-3-UPDOWN: interface BRI0/0:1, changed state to down
<-output omitted->

A. Router A has only PAP configured.
B. The username and password are not properly configured on the Router B router.
C. You cannot connect two BRI interfaces together in this manner without using ISDN B channels.
D. Currently, your ISDN circuit is no longer available and is causing peers to drop authentication.

17. You are working on your company’s network and you are asked to deploy an authentication scheme that can help provide the most security offered with PPP. Based on the diagram in Figure 16.8, which statement best describes CHAP functionality and why is it more secure than PAP?

Figure 16.8 Viewing CHAP Used on a PPP Link

(Figure: Router 1, Name router 1, Password password 1, and Router 2, Name router 2, Password password 2, connected across a CHAP WAN; the exchange shown is Challenge, Response, then Accept or Reject.)

A. Using CHAP, the challenge and response used are based on the Two-Fish algorithm, thereby adding a layer of security to your authentication scheme.
B. Using CHAP, you will find that no challenge and response are used; rather, a system of key numbers connected in sequence when the receiving router receives them provides a layer of security.
C. You should use PAP for added security; CHAP is secure only if AES encryption and a digital certificate are added.
D. Using CHAP, the challenge and response used are based on the MD5 algorithm, thereby adding a layer of security to your authentication scheme.

18. You are working on your company’s network. When asked to deploy an authentication scheme that can help secure a PPP-based link, you decide to use PAP. Based on the diagram in Figure 16.9, what should you be concerned with when deploying PAP over an unsecured PPP link?

Figure 16.9 Viewing PAP Used on a PPP Link

(Figure: Router 1, Name router 1, Password password 1, and Router 2, Name router 2, Password password 2, connected across a PAP WAN; credentials are sent in cleartext, followed by Accept or Reject.)

A. The passwords for both Router 1 and Router 2 are easily guessed.
B. Credentials are broadcast to all routers configured on the WAN, instead of to a single peer.
C. Passwords are sent in clear text and can easily be captured by malicious users.
D. Routers 1 and 2 cannot communicate over the WAN link without the use of Frame Relay.

19. You are a consulting engineer working on a WAN issue for a client. The client’s systems are antiquated and use SLIP. You have a requirement to upgrade to PPP to support multiprotocol transmissions. What other reasons would you use PPP over SLIP? (Choose all that apply.)
A. You want to use PPP instead of SLIP as PPP can operate at the transport layer.
B. You want to use PPP instead of SLIP as SLIP does not function with TCP/IP.


C. You want to use PPP instead of SLIP as PPP is more stable.
D. You want to use PPP instead of SLIP as PPP has error-checking features included.

20. You are a Cisco engineer and you need to configure PPP on a set of routers. PPP can be configured to work at which OSI model layer for Internet access?
A. Data link
B. Network
C. Physical
D. Application

Self Test Quick Answer Key

1. A and B
2. C and D
3. D
4. C
5. A
6. A
7. B
8. B
9. A
10. A, B, D, and E
11. A, C, and D
12. B
13. D
14. A
15. B
16. B
17. D
18. C
19. C and D
20. A