Certified Router Support Professional PAP and CHAP Authentication Failure

PAP and CHAP Authentication Failure
 


A failure in the PAP/CHAP authentication process results in both routers falling to an “up and down” state.  To discover whether a PAP/CHAP failure is really the root cause, you can use the debug ppp authentication command.

CHAP uses a three-message exchange, with a set of messages flowing for authentication in each direction by default.

When CHAP authentication fails, the debug output shows a couple of fairly obvious messages.

Troubleshooting Layer 3 Problems

The serial link can be in an “up/up” state but the ping can still fail because of Layer 3 misconfiguration.  In some cases, the ping may work, but the routing protocols may not be able to exchange routes.

If the interfaces are in different subnets, it will show an up/up state but still not be functioning.  This is for HDLC.

For PPP links, with an IP address/mask misconfiguration, both routers’ interfaces also are in an up/up state, but the ping to the other routers’ IP address actually works.  This is because a router using PPP advertises its serial interface IP address to the other router, with a /32 prefix, which is a route to reach just that one host.  So both routers have a route with which to route packets to the other end of the link, even though two routers on opposite ends of a serial link have mismatched their IP addresses.

A route with a /32 prefix, representing a single host, is called a host route.

Although the ping to the other end of the link works, the routing protocols still do not advertise routes because of the IP subnet mismatch on the opposite ends of the link.  So, when troubleshooting a network problem, do not assume that a serial interface in an up/up state is fully working, or even that a serial interface over which a ping works is fully working.  Also make sure the routing protocol is exchanging routes and that the IP addresses are in the same subnet.

 For Support