[c-nsp] PPP CHAP spoofed challenges

Peter Hicks peter.hicks at poggs.co.uk
Mon Jan 25 17:40:21 EST 2010


All,

We have a DSL circuit here terminated on an 1801 with IOS 15.1(XB).
It's having trouble authenticating through to our ISP's LNS:

Jan 25 22:14:42.653: Vi2 PPP: Phase is AUTHENTICATING, by both
Jan 25 22:14:42.653: Vi2 CHAP: O CHALLENGE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:42.653: Vi2 LCP: State is Open
Jan 25 22:14:42.681: Vi2 CHAP: I CHALLENGE id 1 len 29 from "sov.lac0"
Jan 25 22:14:42.681: Vi2 PPP: Sent CHAP SENDAUTH Request
Jan 25 22:14:42.681: Vi2 PPP: Received SENDAUTH Response FAIL
Jan 25 22:14:42.681: Vi2 CHAP: Using hostname from interface CHAP
Jan 25 22:14:42.681: Vi2 CHAP: Using password from interface CHAP
Jan 25 22:14:42.681: Vi2 CHAP: O RESPONSE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:44.021: Vi2 LCP: I CONFREQ [Open] id 0 len 15
Jan 25 22:14:44.021: Vi2 LCP:    MagicNumber 0x71F64BD1 (0x050671F64BD1)
Jan 25 22:14:44.021: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
Jan 25 22:14:44.025: Vi2 PPP DISC: PPP Renegotiating
Jan 25 22:14:44.025: Vi2 LCP: Event[LCP Reneg] State[Open to Open]
Jan 25 22:14:44.025: Vi2 LCP: Event[DOWN] State[Open to Starting]
...
Jan 25 22:14:44.061: Vi2 PPP: Phase is AUTHENTICATING, by both
Jan 25 22:14:44.061: Vi2 CHAP: O CHALLENGE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:44.061: Vi2 CHAP: Redirect packet to Vi2
Jan 25 22:14:44.061: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:44.061: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:44.061: Vi2 LCP: State is Open
Jan 25 22:14:46.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:46.021: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:48.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:48.021: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:50.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:50.021: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:52.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:52.021: Vi2 CHAP: Ignoring spoofed Challenge

Here, sov.lac0 is the DSL provider's LAC, and 'doubtless' is the ISP's
LNS - which restarts LCP when it receives a new L2TP session from the LAC.

The 1801 here is unhappy at receiving a CHAP challenge from a different
hostname, and thus refuses to authenticate.

The Dialer interface has 'ppp authentication chap callin' set, and I've
tried 'ppp direction dedicated', but it doesn't help.

Can anyone shed some light on this and/or suggest a workaround either on
our end or the ISP's end?

Regards,


Peter
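
Added example, not part of the original post: a small Python parser for PPP debug output like the log above. It records, per interface, which peer names sent inbound CHAP challenges, how many times PPP renegotiated, and how many challenges from each peer were logged as "Ignoring spoofed Challenge". The sample lines are copied from the post; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the debug log in the post above.
SAMPLE = """\
Jan 25 22:14:42.681: Vi2 CHAP: I CHALLENGE id 1 len 29 from "sov.lac0"
Jan 25 22:14:42.681: Vi2 CHAP: O RESPONSE id 1 len 36 from "test-phph38 at a.1"
Jan 25 22:14:44.025: Vi2 PPP DISC: PPP Renegotiating
...
Jan 25 22:14:44.061: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:44.061: Vi2 CHAP: Ignoring spoofed Challenge
Jan 25 22:14:46.021: Vi2 CHAP: I CHALLENGE id 1 len 30 from "doubtless"
Jan 25 22:14:46.021: Vi2 CHAP: Ignoring spoofed Challenge
"""

LINE = re.compile(r'^\w{3} +\d+ [\d:.]+: (?P<intf>\S+) (?P<msg>.*)$')
CHALLENGE_IN = re.compile(r'CHAP: I CHALLENGE id \d+ len \d+ from "([^"]+)"')

def summarize(log_text):
    """Per interface: inbound challengers in order first seen, number of
    PPP renegotiations, and ignored-challenge count per challenger."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips "..." and wrapped continuation lines
        s = state.setdefault(m["intf"], {"challengers": [], "renegotiations": 0,
                                         "ignored": {}, "last": None})
        msg = m["msg"]
        c = CHALLENGE_IN.search(msg)
        if c:
            s["last"] = c.group(1)
            if s["last"] not in s["challengers"]:
                s["challengers"].append(s["last"])
        elif "PPP Renegotiating" in msg:
            s["renegotiations"] += 1
        elif "Ignoring spoofed Challenge" in msg and s["last"]:
            # Attribute the drop to the most recent inbound challenger.
            s["ignored"][s["last"]] = s["ignored"].get(s["last"], 0) + 1
    return state

def challenger_changes(state):
    """Interfaces that saw more than one challenger name and dropped challenges."""
    return {intf: s for intf, s in state.items()
            if len(s["challengers"]) > 1 and s["ignored"]}

if __name__ == "__main__":
    for intf, s in challenger_changes(summarize(SAMPLE)).items():
        print(intf, s["challengers"], "renegotiations:", s["renegotiations"],
              "ignored:", s["ignored"])
```

Run over a longer capture, the per-challenger counts show whether every dropped challenge follows a renegotiation and comes from the second peer name, as it does in the log above.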


