Configuring PPP with Authentication Using SDM

First, I’m going to configure the serial WAN link between the Corp router and the R3 router using PPP with Authentication. The first thing I need to do is delete the interface from Interfaces and Connections Tasks, then click on the Edit Interface Connection tab, and then click Delete. If I don’t do this, the interface won’t show up as available to configure through SDM. I could easily do it from the CLI instead, but that’s not where we’re going here.

Okay—once I deleted the interface configuration, I clicked Create New Connection on the Create Connection tab.

Once I clicked Create New Connection, I received the first screen of the Serial WAN Configuration
Wizard.

Then, I just clicked Next, and the screen I got showed that HDLC is ready to rock. I would just have to click Next again to make it happen.

But instead, I clicked Point-to-Point Protocol, and then clicked Next, which brought me to the IP Address screen.

I added the static IP address I wanted to add, and then I clicked Next and got the Authentication screen.

You don’t have to enter any authentication information here, but I went ahead and entered the information anyway. The Username field is for the name of the remote router (R3), or whatever information your ISP provided you with—same with the password. (Think back to the PPP configuration I showed you with the CLI earlier.) I then clicked Next. A screen appeared showing a summary of the configuration. I just clicked Finish.

From the Interfaces and Connections task, on the Edit Interface/Connection tab, we can now see that my Serial0/2/0 is configured on the Corp router with PPP and CHAP authentication.

So now I’m going to go to the R3 router and implement the same configuration I just demonstrated
on the Corp router. I’ll use Corp as the username and assign the same password (just as I showed you in the PPP CLI configuration earlier).

Here’s the CLI output from the Corp router after both routers have been configured:

!
interface Serial0/2/0
description Connection to R3$FW_OUTSIDE$
ip address 10.1.5.1 255.255.255.0
ip verify unicast reverse-path
ip virtual-reassembly
encapsulation ppp
clock rate 2000000
ppp authentication chap callin
ppp chap hostname R3
ppp chap password 0 cisco
!

You’d think I’d be done, right? After all, the links are configured and we’re up and running. But we’re not. We would be if we were connected to an ISP and don’t actually have a pointto- point connection like a T1 (which is what I am simulating). So in reality, the ISP would then provide the authentication commands. The thing is, we have a dedicated point-to-point serial connection, and the SDM PPP with authentication doesn’t work without some help from the CLI. Go figure. (I told you it was easier with the CLI!)

Here’s how I know things aren’t working even though both routers were very easily configured:

Corp#sh int s0/2/0
Serial0/2/0 is up, line protocol is down
Hardware is GT96K Serial
Description: Connection to R3$FW_OUTSIDE$
Internet address is 10.1.5.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Listen
[output cut]

The first item listed (as you hopefully know) is carrier detect at the Physical layer, but the “line protocol is down” at the Data Link layer. This means we’re not getting keepalives from the R3 router. But why? I’m pretty sure I configured it correctly and it definitely wasn’t all that difficult! Let’s take a look at the authentication in action and see what we can find out:

Corp#debug ppp auth
*May 15 18:46:12.039: Se0/2/0 PPP: Authorization required
*May 15 18:46:12.039: Se0/2/0 CHAP: O CHALLENGE id 33 len 23 from "R3"
*May 15 18:46:12.039: Se0/2/0 CHAP: I CHALLENGE id 33 len 25 from "Corp"
*May 15 18:46:12.043: Se0/2/0 CHAP: I RESPONSE id 33 len 25 from "Corp"
*May 15 18:46:12.043: Se0/2/0 CHAP: Using hostname from interface CHAP
*May 15 18:46:12.043: Se0/2/0 CHAP: Using password from interface CHAP
*May 15 18:46:12.043: Se0/2/0 CHAP: O RESPONSE id 33 len 23 from "R3"
*May 15 18:46:12.043: Se0/2/0 PPP: Sent CHAP LOGIN Request
*May 15 18:46:12.043: Se0/2/0 PPP: Received LOGIN Response FAIL
*May 15 18:46:12.043: Se0/2/0 CHAP: O FAILURE id 33 len 25 msg is
"Authentication failed"
Corp#un all

Actually, the authentication commands look like they are trying to work, but things fail at the end. This is where the CLI comes in if you are not connecting to a service provider that is configuring your authentication. I now need to go to each router and add the username command. This is pretty simple, but I am surprised that the SDM didn’t at least prompt me for this. Okay, here it is:

Corp(config)#username R3 password cisco

And now for the R3 router:

R3(config)#username Corp password cisco

Now, finally, we should be up and running. Let’s check it out:

Corp#debug ppp auth
PPP authentication debugging is on
*May 15 16:53:34.479: Se0/2/0 PPP: Authorization required
*May 15 16:53:34.479: Se0/2/0 CHAP: O CHALLENGE id 1 len 25 from "Corp"
*May 15 16:53:34.483: Se0/2/0 CHAP: I RESPONSE id 1 len 23 from "R3"
*May 15 16:53:34.483: Se0/2/0 PPP: Sent CHAP LOGIN Request
*May 15 16:53:34.483: Se0/2/0 PPP: Received LOGIN Response PASS
*May 15 16:53:34.487: Se0/2/0 PPP: Sent LCP AUTHOR Request
*May 15 16:53:34.487: Se0/2/0 PPP: Sent IPCP AUTHOR Request
*May 15 16:53:34.487: Se0/2/0 LCP: Received AAA AUTHOR Response PASS
*May 15 16:53:34.487: Se0/2/0 IPCP: Received AAA AUTHOR Response PASS
*May 15 16:53:34.487: Se0/2/0 CHAP: O SUCCESS id 1 len 4
*May 15 16:53:34.487: Se0/2/0 PPP: Sent CDPCP AUTHOR Request
*May 15 16:53:34.491: Se0/2/0 PPP: Sent IPCP AUTHOR Request
*May 15 16:53:34.491: Se0/2/0 CDPCP: Received AAA AUTHOR Response PASS

Understand that the SDM assumes that you are connecting to an ISP, and that the ISP will provide you with the authentication username and password. Ridiculous, yes, but absolutely true nonetheless!