Cisco CCNA ICND2 640-816

WAN Connections: Implementing PPP Authentication

by Jeremy Cioara

Start your 7-day free trial today.

This video is only available to subscribers.

A free trial includes:

  • Unlimited 24/7 access to our entire IT training video library.
  • Ability to train on the go with our mobile website and iOS/Android apps.
  • Note-taking, bookmarking, speed control, and closed captioning features.
Video Title Duration
1. Review: Rebuilding the Small Office Network, Part 1
2. Review: Rebuilding the Small Office Network, Part 2
3. Review: Rebuilding the Small Office Network, Part 3
4. Switch VLANs: Understanding VLANs
5. Switch VLANs: Understanding Trunks and VTP
6. Switch VLANs: Configuring VLANs and VTP, Part 1
7. Switch VLANs: Configuring VLANs and VTP, Part 2
8. Switch STP: Understanding the Spanning-Tree Protocol
9. Switch STP: Configuring Basic STP
10. Switch STP: Enhancements to STP
11. General Switching: Troubleshooting and Security Best Practices
12. Subnetting: Understanding VLSM
13. Routing Protocols: Distance Vector vs. Link State
14. Routing Protocols: OSPF Concepts
15. Routing Protocols: OSPF Configuration and Troubleshooting
16. Routing Protocols: EIGRP Concepts and Configuration
17. Access-Lists: The Rules of the ACL
18. Access-Lists: Configuring ACLs
19. Access-Lists: Configuring ACLs, Part 2
20. NAT: Understanding the Three Styles of NAT
21. NAT: Command-line NAT Configuration
22. WAN Connections: Concepts of VPN Technology
23. WAN Connections: Implementing PPP Authentication
24. WAN Connections: Understanding Frame Relay
25. WAN Connections: Configuring Frame Relay
26. IPv6: Understanding Basic Concepts and Addressing
27. IPv6: Configuring, Routing, and Interoperating
28. Certification: Some Last Words for Test Takers
29. Advanced TCP/IP: Working with Binary
30. Advanced TCP/IP: IP Subnetting, Part 1
31. Advanced TCP/IP: IP Subnetting, Part 2
32. Advanced TCP/IP: IP Subnetting, Part 3

Review: Rebuilding the Small Office Network, Part 1

Review: Rebuilding the Small Office Network, Part 2

Review: Rebuilding the Small Office Network, Part 3

Switch VLANs: Understanding VLANs

Switch VLANs: Understanding Trunks and VTP

Switch VLANs: Configuring VLANs and VTP, Part 1

Switch VLANs: Configuring VLANs and VTP, Part 2

Switch STP: Understanding the Spanning-Tree Protocol

Switch STP: Configuring Basic STP

Switch STP: Enhancements to STP

General Switching: Troubleshooting and Security Best Practices

Subnetting: Understanding VLSM

Routing Protocols: Distance Vector vs. Link State

Routing Protocols: OSPF Concepts

Routing Protocols: OSPF Configuration and Troubleshooting

Routing Protocols: EIGRP Concepts and Configuration

Access-Lists: The Rules of the ACL

Access-Lists: Configuring ACLs

Access-Lists: Configuring ACLs, Part 2

NAT: Understanding the Three Styles of NAT

NAT: Command-line NAT Configuration

WAN Connections: Concepts of VPN Technology

WAN Connections: Implementing PPP Authentication

00:00:00 - Now that we've talked about VPN connections, we can move
00:00:04 - into the second category of WAN links, and that is leased
00:00:07 - lines. Now leased lines was something that we talked about in
00:00:11 - the ICND 1 series. It was actually the only WAN link that
00:00:15 - we talked about in ICND 1 because ICND 1 was geared
00:00:19 - around the small business world, where WAN links are a rare occasion.
00:00:23 - Most small businesses have a single site and just a basic internet
00:00:27 - connection. So what I'd like to do as we get into ICND 2
00:00:30 - is do a little bit of review. I know it may have been a while since you
00:00:33 - saw the leased lines in ICND 1, and it is at the end
00:00:36 - of the series in ICND 1 so I realize that there may
00:00:39 - also have been a lot of information going through your head by that
00:00:42 - point. So we'll do a brief review of what leased lines and point-to-point
00:00:46 - connections are all about, both at the layer one and layer
00:00:49 - two. Then we'll get into the configuration. The beauty of leased
00:00:53 - lines is that they are very easy to configure. Actually, if you've
00:00:57 - got two CISCO routers on both sides, there's virtually nothing
00:01:00 - to it. But we're going to go a little beyond that, talk about
00:01:03 - configuring them for PPP, which is the point-to-point protocol, and
00:01:06 - then we'll add on top of that PPP authentication.
00:01:11 - I'd first like to review some of the physical links that are
00:01:14 - in our WAN technology. What I have here is almost like a mini
00:01:18 - flow chart of how WAN connections look and how they
00:01:22 - physically connect in your environment. Up at the top here is, I guess, the
00:01:25 - starting point, which is a CISCO -- this is a 2600
00:01:28 - series router. Now on the back of that you can see that that
00:01:31 - yellow link right there, that is our Ethernet port, and that connects to the
00:01:35 - LAN. Right here is the WAN port, or I guess you could say
00:01:40 - a WIC slot; that stands for WAN interface card. Now you actually
00:01:45 - can put one of three different cards inside of that slot,
00:01:48 - and there's even more than what I'm showing here but these
00:01:50 - are the most common. Right here are the traditional serial port
00:01:54 - connections. The one on the left is known as a WIC 1T,
00:01:57 - which is the old serial style connector. It's still all
00:02:01 - over the place, though. It's
00:02:02 - of those. The one right here, this is known as the WIC 2T.
00:02:06 - They re-engineered their serial interface connection on
00:02:09 - CISCO routers to where they can get two WAN interfaces per
00:02:13 - slot. Pretty powerful. Now let's first talk about these two
00:02:16 - interfaces. If you purchase one of these cards and you've
00:02:20 - purchased a leased line -- let me just get a brief drawing over here. Let's say that
00:02:23 - you have a router and that is supposed to connect to another
00:02:27 - router in Texas, and we'll say this router's in Arizona,
00:02:31 - I am. Now that router connects to the LAN over here. Now this
00:02:35 - router we would plug in right here. This is the physical view
00:02:38 - of my logical diagram down here. We would plug in one of these WAN
00:02:41 - ports, and that WAN port would then require a specialized
00:02:45 - cable. This is known as a DB-60 connector, which would
00:02:50 - connect to that WAN interface over there on the left. Now that
00:02:53 - will then have that
00:02:56 - cable that runs to a -- well, it looks very odd. You see the
00:03:02 - interface connection type right over there. That's actually
00:03:05 - known as a V.35 connector. That will connect
00:03:09 - from your CISCO router, that's the CISCO end of the connection,
00:03:12 - to this device which is known as a CSU/DSU.
00:03:17 - These have been around for decades and those are the devices that
00:03:20 - manage the WAN connections. They set the pace, the clock rate;
00:03:24 - they
00:03:26 - do error checking on the WAN line. They're pretty expensive
00:03:29 - but they really just convert from the V.35
00:03:34 - or there's actually five different types of CSU/DSU
00:03:37 - physical connections. This is just one of them. It converts from
00:03:40 - that kind of connector to a -- it looks like just a standard Ethernet
00:03:44 - jack that the service provider installs. So if you're looking
00:03:47 - for a little simpler flow, you have the wall of your building
00:03:51 - right here. Outside is the grass and the trees that are growing,
00:03:56 - you know, outside. The service writer comes in trenches under
00:03:59 - the land, and marks this wall as the demark.
00:04:03 - demarcation point. That's where their responsibility passes.
00:04:07 - They install a wall jack and they say, if anything on the right
00:04:10 - side of that wall jack breaks, we'll pay for it. And if anything
00:04:12 - on the left breaks, you'll pay for it. You run that cable, you can
00:04:15 - see from that wall jack, little yellow cable to the CSU/DSU.
00:04:19 - CSU/DSU gets one of these specialized serial interfaces
00:04:23 - or serial cables. You buy those from CISCO for a hundred
00:04:26 - bucks or eBay for 10 bucks, and that will allow you to connect from the
00:04:30 - CSU/DSU to the serial interface and you buy the correct
00:04:33 - cable depending on what kind of WIC card you have, and that
00:04:36 - is what brings up your serial link.
00:04:39 - Now you see up here other physical option, which is to take
00:04:42 - a built-in CSU/DSU. Technology has advanced.
00:04:47 - Like I said, these have been around for decades. They've figured out
00:04:51 - how to put all the functions of a CSU/DSU on
00:04:53 - this little card. So if you, if we were to be able to zoom into
00:04:57 - that blue writing it actually says, T1 CSU/DSU
00:05:01 - right on there.
00:05:03 - That means it has a built-in one. That allows you to run the cable
00:05:06 - from the wall jack straight into this interface on your router.
00:05:10 - Pretty fancy. So those are the physical connections of what
00:05:14 - serial leased lines look like.
00:05:17 - In addition to defining a new physical layer connectivity, the
00:05:22 - WAN connections and WAN links define a new data link connectivity
00:05:26 - as well. It blows people's mind when they first find out in
00:05:30 - the WAN in the world, the Wide Area Network world, there are no MAC
00:05:33 - addresses. What? How does that work? You
00:05:39 - know, is the traditional response, because we're so used to working
00:05:43 - with Ethernet where in Ethernet we have MAC addresses. But MAC addresses are
00:05:48 - only Ethernet technology. In the WAN world, we have all
00:05:53 - kinds of different Layer 2 addresses, depending on the WAN link
00:05:56 - you're using. For instance, if you have frame relay which we'll
00:05:59 - talk about a little bit later. DLCIs are the Layer 2. DLCI
00:06:03 - is essentially -- it fills the role of the MAC address. and
00:06:06 - ATM, you have something known as a -- actually it's a VPI/VCI
00:06:11 - pair and that replaces the MAC address. In every can of
00:06:16 - WAN technology there's some other kind of Layer 2 addresses
00:06:19 - and Layer 2 system that it uses to communicate with the other
00:06:23 - side. Now ATM we're not going to talk about at the
00:06:27 - CCNA level, that's actually a more specialized thing and it's
00:06:31 - part of the CCNP track. Frame relay we will, but in here we're going
00:06:34 - to talk about the two
00:06:37 - leased line data link protocols, and that is PPP and HDLC.
00:06:43 - PPP and HDLC are the two languages that you can speak
00:06:47 - when you speak to another router over a WAN link.
00:06:51 - Now remember, we're just doing a technology shift here. So far and everything
00:06:56 - that we've talked about in this series and the previous series,
00:06:58 - all of the language that we spoke with Ethernet, and that's
00:07:01 - what allows me to plug a PC into a switch and it can talk to
00:07:05 - a server or some other device plugged into the same switch.
00:07:08 - That's all using the language of Ethernet, a LAN language. Now
00:07:12 - that we've moved into the WAN, as we look at our leased
00:07:15 - lines we have two different types of WAN languages that we
00:07:18 - can use between routers that are connected on a WAN link.
00:07:24 - HDLC is the default on all CISCO routers. Meaning when you put
00:07:29 - that serial card into the router and turn it on, by default
00:07:32 - it's going to be talking HDLC. The beauty of HDLC is that
00:07:37 - it has extremely low overhead, which means it's pretty fast.
00:07:41 - It's not going to congest the link with all kinds of stuff
00:07:45 - it's adding in the header. It just says, okay, I will work. And the beauty
00:07:49 - of HDLC is in its simplicity. If you have a CISCO router
00:07:53 - on one side and a CISCO router on the other side, and you plug
00:07:56 - in that WAN cable that connects to the service provider -- remember
00:07:59 - this is logical. We have our wall than in the middle of this
00:08:02 - is the service writer and hundreds and thousands of miles between
00:08:05 - these two and then another wall and a wall jack and all of
00:08:08 - that. When you plug your cables together, it just works. As long
00:08:13 - as the service provider has done their side and everything's working
00:08:16 - in the middle, there's no configuration necessary. You just put
00:08:19 - an IP address on each serial interface that is in the same
00:08:23 - subnet and you're good to go.
00:08:25 - The disadvantage of HDLC is this and that. It is CISCO
00:08:32 - proprietary, which means it only works if you have two CISCO
00:08:35 - routers and it has no features at all.
00:08:39 - Meaning if you're looking for it to do some kind of spizazzy
00:08:42 - as the thing, which we'll look at PPP in just a moment, on your
00:08:45 - WAN link it can't do it. That's why we have PPP. This is our
00:08:51 - second choice. If we want to convert over and run PPP, it's just
00:08:56 - one command -- and we'll see that in the next slide -- one command
00:08:59 - that you type in and your writers are now running the point
00:09:02 - to point protocol. The beauty of PPP is that it's industry standard,
00:09:07 - so I can have a CISCO router here connected to --
00:09:11 - we'll just throw out Juniper the company have been very impressed
00:09:15 - with lately. A Juniper router on the other side and they can both
00:09:19 - speak PPP and it will work just fine. You have moderate overhead,
00:09:24 - which means it's not high overhead, it's not really get a ball your
00:09:26 - WAN link down to use PPP. As a matter of fact, if you don't
00:09:30 - turn on any of the features then you're really nearly equivalent
00:09:34 - to HDLC. So it's not too much overhead, but PPP is feature-rific.
00:09:42 - As a matter of fact, there are four major features it supports. Number
00:09:45 - one is what we're going to set up in here -- authentication.
00:09:50 - That means that you can add a username and password to your
00:09:54 - WAN link and the other side must provide that. Now on leased
00:09:57 - lines you can do it, and we're going to set it up in here. It's
00:10:00 - not very common, though, because the only way somebody is getting
00:10:05 - on this leased line is if they walk in the building over here
00:10:08 - you know, kick over the administrator and tie him up in a
00:10:11 - chair on the side and pull the Juniper router off the WAN link and
00:10:15 - put their own router on.
00:10:16 - In that case, you're not so much concerned with them getting
00:10:19 - into your now work as you are the administrator tied up in
00:10:22 - the office over there. So it's not very common that people but
00:10:26 - authentication on WAN links, but PPP can run over just about
00:10:30 - any type of WAN connection, like modems. When somebody dials
00:10:35 - into your network, if it's just connected to a phone line, you
00:10:38 - want to make sure that you prompt them for username and password
00:10:41 - because if not, they're just going to dial a phone number and
00:10:45 - they're in. So that's for authentication comes in very handy
00:10:48 - Second -- compression.
00:10:52 - You can make a trade-off on your router where you trade some
00:10:56 - processor cycles, meaning you're going to cause your processor to get
00:11:01 - use a little bit more on your router, for bandwidth. Because
00:11:04 - what will happen when you turn on compression is as data is
00:11:07 - sent from your LAN through the router and on the WAN, it's
00:11:12 - smushing it down. If you think of a zip file, that's the same concept.
00:11:16 - It's smushing down data as it goes over the WAN, and when reaches
00:11:19 - the other side it unsmushes it so you have the full file
00:11:24 - there again. Now the great idea about compression is that you
00:11:27 - actually use less WAN bandwidth to send the same amount
00:11:32 - of data. You're just smushing it down before you send it. The
00:11:35 - problem with compression is it can eat up quite a few processor
00:11:38 - cycles, so if you're router's already bogged down and you turn that
00:11:41 - on, you've doomed it. It's going to crash or it's going
00:11:44 - to be overwhelmed because compression can eat up quite
00:11:48 - a bit, depending on how busy that WAN link is. Third one
00:11:52 - is called callback.
00:11:54 - This is primarily used on modems, and when you dial into the
00:11:58 - modem and authenticate, meaning type in your username and password,
00:12:02 - the router immediately hangs up on you
00:12:05 - and dials you back at a pre-defined number. That's pretty secure
00:12:10 - in the sense that
00:12:11 - that ensures that somebody can't just steal your username
00:12:15 - and password and dial in from some other location. If you have maybe
00:12:19 - a home that you dial in from, that is the only location or only
00:12:23 - phone number that's allowed to dial in, because the router
00:12:25 - will dial you right back. It's also good because you consolidate
00:12:28 - long distance. Like if I was dialing in and making a long distance
00:12:32 - call to dial up to a network, I could have it hang up and
00:12:36 - the company foots the bill and they'll call from their corporate
00:12:39 - center where they probably get cheaper long distance rates
00:12:41 - than you do at home. Last but not least is the most famous feature
00:12:45 - PPP is known for:
00:12:48 - multilink. Multilink is a system that you can employ that
00:12:55 - allows you to combine the bandwidth of multiple WAN connections
00:12:59 - into one. In recent years, the price of dedicated T1 lines has
00:13:04 - gone down. But T1 doesn't give you too much bandwidth; it's just
00:13:07 - 1.544 Mbps. So you could add
00:13:10 - a second T1 and a third T1. And what multilink allows
00:13:15 - you to do is bundle all of them together and combine the bandwidth
00:13:20 - into one. So it would be 1.5 Mbps
00:13:23 - times three, so you're at about four point five million
00:13:29 - Multilink exactly load balances over all of these. I don't know if
00:13:34 - that was the best way to say that, but it is precise load balancing
00:13:38 - where, to the bit, every single WAN link will get the same amount
00:13:42 - of data sent across it. And that's what's truly combines the bandwidth
00:13:45 - into one.
00:13:48 - Now let's turn our attention to the configuration of PPP. Running
00:13:53 - HDLC right now and my focus is going to be on this
00:13:57 - WAN link between router two router three. I set that up
00:14:01 - just connecting the two using a -- well, it's serial crossover cable
00:14:05 - which is used to simulate a leased line environment. But this
00:14:09 - is exactly how it would work if you were connecting using a service
00:14:12 - provider between these two offices. So let's hop on
00:14:16 - over to router three
00:14:19 - and let me just a clear this off. I was doing a little verification
00:14:23 - beforehand. On router three I'm going to do a show IP interface brief,
00:14:29 - and we can see this is the router than the branch office over
00:14:32 - here with all the loopbacks that we were using for the previous
00:14:35 - videos. Right here is our serial 0/0 interface, and
00:14:39 - I'm going to type in show run interface. We can focus it in on just interface
00:14:44 - serial 0/0. That filters the running config down to just
00:14:47 - that. Underneath interface serial 0/0 I see the IP address that
00:14:51 - we have a summary route that we were using when we set up EIGRP,
00:14:54 - and no fair-queue which is there by default. It is a that's the
00:14:58 - quality of service mechanism. I don't see anything about
00:15:02 - PPP or HDLC. So to really see what it's configured as, need
00:15:08 - in show interface serial 0/0.
00:15:12 - Underneath here
00:15:14 - I can see serial 0/0 is up, line protocol is up, that's good. Right
00:15:18 - here -- encapsulation HDLC. That's the default. As a matter
00:15:27 - of fact, if I go underneath that serial 0/0 interface and type
00:15:27 - in encapsulation HDLC, that's the default command so
00:15:32 - I will not see that in the show run. I don't know if you've gotten used to that
00:15:36 - yet, but when you're looking at the running config, it actually
00:15:39 - will filter out commands that are typically there by default.
00:15:43 - Just like you look under serial 0/0, we had to type
00:15:46 - at some point no shutdown to bring that link up. But you don't
00:15:50 - see the no shutdown command; you only see if it's shut down because
00:15:53 - it's assumed not to be shut down by default. So we've got router
00:15:59 - three running and router two is the identical configuration.
00:16:02 - Let me jump over to there. There we go, router two.
00:16:07 - I'm going to do a show IP interface brief just to make
00:16:13 - sure I see my interface. It is serial 0/1/0.
00:16:17 - I'll do the same command here, show run and serial 0/1/0
00:16:22 - Oh, forgot the interface. Show run interface. There we go, it looks
00:16:27 - very similar, besides a DCE circuit, so it's setting the
00:16:31 - clock rate and a lab environment. And I do a show interface serial
00:16:36 - 0/1/0 and verify once again that is also running
00:16:40 - HDLC. So the initial PPP configuration I'm going to do is very
00:16:44 - simple: turning it on. I'm going to go on router two under interface serial
00:16:49 - 0/1/0, that's our link over to router three, and type in the
00:16:53 - command encapsulation. And you can see have I plenty of options
00:16:56 - but really the only two that work on point-to-point circuits
00:16:59 - is HDLC and PPP.
00:17:03 - As soon as I type that, I've changed the data link language
00:17:07 - for that serial interface. Now look what happens if I do
00:17:11 - a show IP interface brief.
00:17:14 - I see my serial 0/1. It shows it's up, and remember this
00:17:18 - first column, the status, represents physical. It's physically up, there's clocking
00:17:23 - on the line. I've got a cable connected. We're communicating
00:17:26 - physically, but this represents the data link layer. Data link
00:17:30 - layer is currently down because R2 is PPP, R3 is
00:17:35 - HDLC. So I'll jump over there. I got my numbers off here. Jump over to router
00:17:39 - three and fix it. Do the show IP interface brief here, I noticed
00:17:43 - that serial 0/0 is in the same state.
00:17:52 - Encapsulation, PPP. Give it a few moments and we should see
00:17:57 - that interface come back online. There we go. You see the
00:18:01 - line protocol right here has changed to up, and we got our EIGRP
00:18:07 - neighbor back. Go back and do our show IP interface
00:18:10 - and you see we're communicating. Show interface serial 0/0
00:18:13 - is now running PPP. You can see that we're now communicating
00:18:18 - using the industry standard language, and that's all there is
00:18:22 - to it. If you were connecting to a non-CISCO router over a
00:18:25 - WAN link and all you wanted to do was run base PPP, that's the
00:18:29 - only command you would have to type. You can see LCP is open. That's
00:18:34 - the link control protocol. That's what negotiates the PPP features.
00:18:38 - If there was some kind of problem with, for instance, authentication
00:18:42 - compression, multilink where they couldn't negotiate and figure
00:18:46 - out common ground or a wrong password is typed in, it would say
00:18:50 - LCP closed because LCP handles all those features. You can
00:18:55 - see also right here, open IPCP, CDPCP. PPP uses things known as
00:19:01 - control protocols. So when you see IPCP, you're seeing the
00:19:06 - IP control protocol. That is what allows the TCP/IP,
00:19:11 - the IP protocol, to work over a PPP link. CDPCP is the CISCO
00:19:17 - discovery protocol control protocol. That's what allows CDP. Remember
00:19:21 - this? Show CDP neighbors. That allows it to work over a WAN link
00:19:25 - so I can still see my neighbor even though they're using a
00:19:27 - PPP connection.
00:19:29 - Cool. So that's the base configuration of PPP. Now let's add
00:19:34 - authentication. There are two types of PPP authentication that
00:19:39 - have been developed over the years. The old one is known as PAP,
00:19:44 - the password authentication protocol. The new one is known as
00:19:48 - CHAP, the challenge handshake authentication protocol.
00:19:53 - PAP is very rarely used. As a matter of fact, I can with near perfect
00:19:58 - confidence say you will never see PAP used anymore. And
00:20:02 - the reason why is all of the username and password when it's
00:20:06 - sent is sent in clear text. So if someone had some kind of packet
00:20:10 - sniffer between these two routers, they would be able to see
00:20:13 - the username and password come right across, open up the packet
00:20:16 - go, oh, that's what they're using. So PAP is just not used anymore.
00:20:21 - Nowadays people use CHAP, the challenge handshake authentication
00:20:25 - protocol. Now without getting too deep into it, what CHAP does
00:20:29 - is never actually send the password over the wire. It's a little
00:20:34 - weird. It'll send username but not the password. It will
00:20:38 - send a password hash. So here's the idea. The way CHAP works
00:20:42 - is not through encryption, but through hashing. There's
00:20:47 - a big difference between those two and it took me a long time
00:20:49 - myself to come to an understanding of what that meant. Because
00:20:53 - encryption and hashing accomplish the same goal but in very different
00:20:57 - ways. Encryption -- if you were to say encryption, you would be
00:21:01 - talking about something that takes the data, let's say this
00:21:03 - is the data, ENC, and runs it through a mathematical formula so
00:21:08 - it's all scrambled when it comes out. It's just, you know, it looks like a
00:21:12 - swear word. It's just a scrambled mess of that original thing
00:21:18 - that was sent. So if somebody captures that, unless they have the
00:21:22 - decryption formula they can't figure it out. So a decryption
00:21:27 - formula would come in and say, okay, well let's
00:21:31 - put this back into that mathematical formula and spit out ENC
00:21:34 - that was originally what is sent. Hashing.
00:21:39 - Hashing is very different because it uses an irreversible
00:21:45 - formula
00:21:47 - to scramble the data. Here's what I mean. Let's say HASH is
00:21:52 - the data that sense
00:21:54 - It will put that word, HASH, that's the data, through some
00:21:59 - super complex mathematical formula and will end up with
00:22:04 - an answer, you know, 596AB9621.
00:22:11 - The answer is what is sent across the wire. Now in router two, if
00:22:16 - these two are authenticating, if router two, when router two gets that
00:22:20 - answer, when they get the hash, they will not be able to decrypt that
00:22:24 - because remember, this isn't encryption, it's hashing. The only
00:22:29 - way it can know if this is valid or not is if it has the
00:22:33 - same thing typed in on this side and it can run it through
00:22:36 - that irreversible formula and the answer will come out to
00:22:40 - be the same.
00:22:41 - So this brings up a big point.
00:22:44 - CHAP does not use encryption; it uses hashing.
00:22:49 - In order for it to work correctly, we must type in the same
00:22:54 - password on both sides. Because all it will send across is the
00:22:58 - hash of the password. Like I said, the password is never actually
00:23:02 - sent and when I didn't understand what hashing was all about,
00:23:06 - I didn't understand that statement. Well, how do they know if they got the right
00:23:09 - password if you never actually send the password. But they
00:23:12 - don't. They just send the hash of the password, the result of
00:23:16 - some mathematical formula with this hash plugged in there, that
00:23:19 - data, and it gets to the other side. It looks at the answer and
00:23:23 - says, well I can't reverse engineer that I can't quote unquote
00:23:27 - "decrypt" a hash. So let's say, let's say this. Let me give you an example.
00:23:31 - If I wanted to have authentication going between router two
00:23:35 - and router three, I would have to type in the same password
00:23:38 - on both sides. We'll say the password is CISCO.
00:23:43 - Password is CISCO. Once I have that typed in both sides,
00:23:48 - this one, if it needs to authenticate to the other side, will
00:23:51 - run this through a hash. It's technically known as an MD5
00:23:57 - hash. So it will hash that up, come up with some
00:24:02 - gobbledy gook answer, take that answer -- this is my gobbledy gook --
00:24:04 - send it across the wire. Router two gets the answer, has the
00:24:08 - same password typed in, runs that through the same irreversible
00:24:12 - formula, the MD5 hash, and comes out with its answer,
00:24:16 - compares its gobbledy gook to that gobbledy gook and says, oh,
00:24:20 - they're the same. We must be using the same password, thus we
00:24:24 - are authenticated.
00:24:27 - Side note -- this is why when you go onto a router -- let me move my window
00:24:32 - back in here -- and you do a, let me do a show run. No, no, no, no, no, no.
00:24:38 - Let me do this. I'll do enable password CISCO1.
00:24:45 - Service password encryption.
00:24:50 - Now I'm going to do a show run.
00:24:54 - When you're looking right here, think back to ICND1.
00:24:57 - You remember the difference between enable password and
00:25:00 - enable secret? The enable password was the one that stored in
00:25:03 - clear text. At least it was until I type in service password encryption.
00:25:08 - This is an encrypted version of the enable password, an encrypted
00:25:14 - version of CISCO1. Now hold on one second.
00:25:20 - I'm going to go to, Google, and type in
00:25:25 - break CISCO -- you can see I've done this before -- break CISCO password.
00:25:30 - Google search.
00:25:32 - Right here, the CISCO password cracker. It's the first hit. Go ahead and click
00:25:36 - on that bad boy. Look at that. Type seven password. I look over here.
00:25:39 - My enable password is a type seven password. If I take this,
00:25:46 - copy it to my clipboard and paste it into this website, paste it into
00:25:52 - the website, are you following me here?
00:25:54 - Hit crack, oh. What's the moral of the story, I love it. Don't
00:25:59 - use it. Don't use that because this is encryption. Encryption
00:26:04 - can be broken because you can always reverse the formula. You
00:26:08 - can do a decryption formula, which is exactly what that
00:26:11 - website does. Notice enable secret five. A lot of people think
00:26:15 - oh, well five isn't as good as seven because it's a smaller
00:26:17 - number. Five represents MD5 hashing. When you're
00:26:22 - using your enable secret, this is a hash of whatever your
00:26:27 - enable secret is. You cannot reverse engineer that. So if somebody
00:26:31 - gets that hash, the only way that they can break through it
00:26:35 - is through a brute force attack. And what that means is they
00:26:39 - will use a program that will start trying passwords. It'll start
00:26:42 - with maybe the number one, two, three, four, five, and it generates
00:26:45 - what hash the number one would generate, compares it and says,
00:26:48 - is that the same, no, must not be that one. A good program -- not good,
00:26:52 - but a program that you can use to do that is known as Cain
00:26:56 - and Abel. If you go to Google and search for Cain and Abel, that's a
00:26:59 - program that will do a brute force attack of an MD5
00:27:02 - hash, but it can't reverse engineer this. All it can do is keep trying
00:27:05 - different combinations to see if it can come up with the same
00:27:08 - hash as that. If you make your password long enough, you'll
00:27:11 - never be able to do that. So that's the big difference. And I know I've
00:27:14 - talked a little longer on that but I want to know how good
00:27:19 - CHAP really is. CHAP is using that MD5 hash
00:27:24 - which makes it virtually -- you know, I knock on wood when I say
00:27:28 - this -- unbreakable until some other 12-year-old Swedish
00:27:32 - girl comes along to break through this. But that's the
00:27:35 - idea of CHAP. Now that's the concept, let's configure it.
00:27:39 - There are really two steps to configure PPP authentication:
00:27:44 - create a user account and then turn it on. I'm going to reverse those
00:27:48 - steps because I want you to see what happens when authentication
00:27:51 - isn't working correctly. I'm on router three, which is our far
00:27:55 - end router. I'm going to go under that serial 0/0 interface
00:28:02 - and type in the command to turn on authentication. It is PPP authentication
00:28:07 - and then what kind of authentication you would like to use.
00:28:11 - Now our routers between each other use CHAP or PAP, and I mentioned
00:28:15 - PAP is no longer used by anyone. So we can use CHAP.
00:28:20 - Now you notice a few others in here like EAP. I'm not even going to touch that
00:28:23 - one; that moves into some newer technology out there. Some
00:28:27 - people call it 802.1x. It's a newer type of
00:28:31 - authentication, it's pretty fancy. Down here we have MS-CHAP
00:28:34 - and MS-CHAP-V2.
00:28:37 - Microsoft came out with their own versions of CHAP. So if
00:28:40 - you're dialing up to a router using a Microsoft Windows client,
00:28:44 - you'll have to use MS-CHAP or MS-CHAP-V2
00:28:47 - which is a little more secure. But we're authenticating our routers,
00:28:50 - so I'll just type in PPP authentication, CHAP. That is what I would like to use. Now
00:28:55 - as soon as I do that, you notice that my line protocol on my
00:28:58 - serial interface just went down. The link died. If I go back
00:29:02 - and do a show interface serial 0/0,
00:29:07 - you notice it says encapsulation is still PPP, but LCP TERMsent. That
00:29:13 - means the termination signal was sent. I, router three, sent
00:29:18 - a termination signal to the other side because I was told by
00:29:22 - the administrator to require CHAP authentication. The other
00:29:26 - side was prepared to handle that, so you are terminated, you're
00:29:29 - not successfully authenticating to this router. What we need
00:29:34 - to do, and before we should have done that, is create user
00:29:42 - accounts. By default, when I have routers that are going
00:29:42 - to speak to each other, router two will come across and say,
00:29:46 - hello, I am router two.
00:29:49 - as my username. My password is the gobbledy gook,
00:29:55 - the hash that's generated by CHAP. Now router three is going
00:29:59 - to look at its user database and say, okay, do I have a user
00:30:03 - account defined for router two. And if so, what's router two's
00:30:07 - password that's tacked on to that user account. Let's say, I'll put
00:30:11 - CISCO as the password. It will hash up that password and say,
00:30:14 - okay, well based on the user account I have for router two on
00:30:18 - my router, I came up with this gobbledy gook. Does it match the
00:30:21 - gobbledy gook that router two sent me. Do these hashes match. If so, that
00:30:27 - is a successful authentication. So let me show you how to create
00:30:30 - the user account.
00:30:32 - I'm going to go on router three. I'm going to type in username R2, password
00:30:40 - CISCO.
00:30:43 - Notice I'm in global config mode. I typed in username, this is
00:30:47 - the host name of the router that's coming in R2, and its
00:30:50 - password that it should be sending is CISCO. But remember, it won't be
00:30:53 - sending you that password, it will be a hash version of that. So router three
00:30:57 - you must hash that in order to get the other side. Now when we're
00:31:00 - doing PPP authentication on a leased line, it actually does
00:31:05 - something known as two-way hash. Meaning the routers will authenticate
00:31:11 - each other. Router three will have to supply a username and
00:31:15 - hash to router two, and router two will have to supply a username
00:31:18 - and hash to router three. They both check to make sure they have
00:31:21 - the right passwords.
00:31:23 - If so, then they are good to go. Now the way that two-way hash
00:31:27 - works on a CISCO router is both sides must be configured with
00:31:33 - the same password. So when I go over to router three -- or sorry,
00:31:38 - router two. Router three is done. I'm going to hop over to router two,
00:31:44 - go into global config mode. I'm going to do the exact mirrored configuration.
00:31:47 - Username: R3. Password: CISCO. This password must match.
00:31:55 - Oh, look at that. You see it come up? It must match the password that
00:32:01 - router two -- or sorry, router three has for router two. If these are
00:32:05 - different, the authentication will fail. So last thing I'm going to do on
00:32:09 - router two is go under that serial interface and type in PPP authentication
00:32:15 - CHAP. We now have successful authentication going between each
00:32:19 - other. Let me show you how you can see this happen.
00:32:25 - I'm going to type in debug PPP authentication.
00:32:29 - That will let me watch these two routers authenticate each other.
00:32:32 - Now it's already done, meaning the line is up, they've
00:32:35 - authenticated, so what I'm going to do, so I'm going to cause a catastrophic
00:32:39 - network failure and shut down serial 0/1/0.
00:32:43 - That will force the interface to go down, go into
00:32:46 - administratively down straight, and when I do a no shutdown,
00:32:50 - the PPP will have to authenticate between these two again
00:32:52 - and we can watch it happen. So I'll do a no shut, exit
00:32:56 - back out here. There we go.
00:32:59 - See what happened here? It says, PPP using default call direction.
00:33:03 - This is a dedicated line. Oh, I have noticed authorization is
00:33:07 - required, so I will send a challenge. It says, there is a challenge
00:33:11 - from router two. This is being sent from router two to router
00:33:15 - three. At the same time it received the challenge from
00:33:19 - router three. So they're challenging each other. Do you see the
00:33:23 - two-way hash happening here, or the two-way authentication. They
00:33:26 - both challenged each other. They said using the host name from
00:33:30 - an unknown source, using the password from AAA, that's the local
00:33:33 - user database. So we have challenge, we responded to the challenge,
00:33:37 - router two responds to router three and router three responds to router
00:33:41 - two. Receives the login, the host name, and the password hash,
00:33:46 - sends the user requests and we won't get into what that
00:33:50 - is. But down here you can see success. We have success. The challenge
00:33:55 - is working between these two and they have successfully authenticated.
00:33:59 - If one of those passwords is mismatched, you'll see a failure
00:34:03 - and the link will never come online.
00:34:06 - That is the theory and practical configuration of PPP authentication.
00:34:12 - So let's wrap up. We saw first off a review of the point-to-point
00:34:16 - protocols, looking at the physical layers with serial interfaces
00:34:21 - and the data link layer of HDLC and PPP. We then got into the
00:34:26 - configuration of WAN links, looking at the initial HDLC,
00:34:29 - converting to PPP, and then adding PPP authentication
00:34:33 - on top of it using CHAP. I hope this had been informative for
00:34:37 - you and I'd like to thank you for viewing.

WAN Connections: Understanding Frame Relay

WAN Connections: Configuring Frame Relay

IPv6: Understanding Basic Concepts and Addressing

IPv6: Configuring, Routing, and Interoperating

Certification: Some Last Words for Test Takers

Advanced TCP/IP: Working with Binary

Advanced TCP/IP: IP Subnetting, Part 1

Advanced TCP/IP: IP Subnetting, Part 2

Advanced TCP/IP: IP Subnetting, Part 3

This forum is for community use – trainers will not participate in conversations. Share your thoughts on training content and engage with other members of the CBT Nuggets community. For customer service questions, please contact our support team. The views expressed in comments reflect those of the author and not of CBT Nuggets. We reserve the right to remove comments that do not adhere to our community standards.

comments powered by Disqus

Course Features

Speed Control

Play videos at a faster or slower pace.


Pick up where you left off watching a video.


Jot down information to refer back to at a later time.

Closed Captions

Follow what the trainers are saying with ease.
Jeremy Cioara

Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

Stay Connected

Get the latest updates on the subjects you choose.

  © 2014 CBT Nuggets. All rights reserved. Licensing Agreement | Billing Agreement | Privacy Policy | RSS