From a carrier side, I have seen that there are quite a few CPEs in
What's the point of configuring the CPE with the wrong CHAP username and password? At best, that will only perpetuate mis-configurations.
In this case, the issue is that CHAP is *not* offered, yet the carrier is proceeding to start a CHAP authentication session. If the CPE does not offer it in the IPCP exchange, then the carrier should not be trying to use it.
-----Original Message-----
From: Anton Smith [mailto:anton(a)huge.geek.nz]
Sent: Thursday, 29 April 2010 10:42 p.m.
To: Philip D'Ath
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Xtra BBA Issue with Cisco 877
But it is possible to configure chap without a chap password... right?
the jungle misconfigured in this way.
The issue is that some terminators see chap offered and then assume
(probably quite rightly) that they can proceed with chap. Once they
get to the stage where the far end does not offer a valid challenge
they might drop the session.
Other terminators (like cisco) will probably quite happily continue on
to try PAP instead.
On 27 April 2010 21:48, Philip D'Ath
If you don't have CHAP configured, it does not offer CHAP in the negotiation. I have confirmed this myself.
What happens is the Telecom terminator (mostly seems to happen in the South Island) commences CHAP authentication. This is wrong. It should not do this if it is not offered in the IPCP exchange.
So you can either configure CHAP as an additional authentication method, or tell the router to refuse it.
-----Original Message----- From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Anton Smith Sent: Wednesday, 28 April 2010 12:49 a.m. To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Xtra BBA Issue with Cisco 877
Hi, I've come across this myself recently:
I think that you might also find that the issue is that the cisco doesn't have a chap password configured, yet during negotiation it originally states that it can do chap. After which everything falls apart (quite strange behaviour actually - if the chap password is not configured it shouldn't state it can do chap for that connection).
Regards, Anton