PPP - configuration/examples/trace

1. PAP/CHAP authentication
2. BRICK configuration hints
3. Some tested configuration examples
3.1 BinTec - BinTec
3.2 BinTec - SunLink
3.3 BinTec - Cisco
A.1 ISI/IP Default configuration in the services file
A.2 PPP - Tracing - Example trace (test with a CISCO)

1. PAP/CHAP authentication
------------------------------------------------------------------------------
If you want to use PAP or CHAP authentication, you have to make a complete
entry in the IP file, i.e. you have to configure BOTH PAPIN and PAPOUT
(or CHAPIN and CHAPOUT), each with hostname and password.

"PAPIN rname:password PAPOUT lname:password "

Local PPP ID -> lname - local hostname (username)
Partner PPP ID -> rname - remote hostname (username)
PPP password -> password - most PPP implementations use only one
PPP password for both directions (e.g. BRICK, CISCO, ..)

With ISI/IP releases < 4.3 the above notation might produce an error message
in the ISIPD logfile (/usr/isi/log/isipd). In this case you have to use the old
notation:

The Partner PPP ID is the configured hostname for the called address, e.g.
(here: gate16):
INET 80.0.0.5 ISDN gate16,ppp PPP PAPIN auth1 PAPOUT auth2

The Local PPP ID is the configured hostname for the own host
-> /etc/default/isi, e.g.: BASE_myhost=munich

This notation has some problems with incoming calls when the CLI (calling line
identification) is restricted. In this case you can either use the keyword
INSECURE (-> no CLI checking is made) or make an entry for the
corresponding hostname, including <= (matching any incoming call with any CLI
to this hostname, and thereby to the corresponding IP entry).
The first case will not work, because the authentication will not find the
right hostname: the right IP entry would have to be found, which is not
possible.
The second case is somewhat dangerous, because the hosts table is searched
sequentially -> if the entry with <= were the first, every incoming call
would be mapped to this symbolic hostname.

RFC 1661 :
----------

It is possible that a partner (or BinTec with "PAPIN... PAPOUT... CHAPIN ...
CHAPOUT...") is able to use both PAP and CHAP. In this case CHAP is offered
first.

INSECURE
--------
When you do not get the CLI (calling line identification) from the remote side,
you should use the INSECURE mechanism.
If you specify INSECURE, the CLI will not be checked. The call will only be
accepted if the authentication (PAP/CHAP) is successful.
When using INSECURE you must configure PAPIN/CHAPIN AND PAPOUT/CHAPOUT.
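
A lint for the rules of this section, added here as an example and not part of ISI/IP: it parses IP-file entries in the releases >= 4.3 notation, checks that IN and OUT are both configured (also with INSECURE), and checks that what one side sends matches what the other side expects. The hosts alpha/beta, their addresses and passwords are constructed, and parse_entry, lint and cross_check are names chosen for this example.

```python
AUTH_KEYS = ("PAPIN", "PAPOUT", "CHAPIN", "CHAPOUT")

def parse_entry(line):
    """Parse one IP-file line in the releases >= 4.3 notation (name:password)."""
    tok = line.split()
    entry = {"inet": tok[tok.index("INET") + 1],
             "partner": tok[tok.index("ISDN") + 1].split(",")[0],
             "insecure": "INSECURE" in tok, "auth": {}}
    for key in AUTH_KEYS:
        if key in tok:
            name, sep, password = tok[tok.index(key) + 1].partition(":")
            if not sep:
                raise ValueError(f"{key}: expected name:password, got {name!r}")
            entry["auth"][key] = (name, password)
    return entry

def lint(entry):
    """Findings for a single entry: complete IN/OUT pairs, also with INSECURE."""
    auth, out = entry["auth"], []
    for proto in ("PAP", "CHAP"):
        if (proto + "IN" in auth) != (proto + "OUT" in auth):
            out.append(f"{proto}: IN and OUT must both be configured")
    if entry["insecure"] and not any(
            p + "IN" in auth and p + "OUT" in auth for p in ("PAP", "CHAP")):
        out.append("INSECURE requires PAPIN/CHAPIN and PAPOUT/CHAPOUT")
    return out

def cross_check(a, b):
    """What one side sends (xOUT) must equal what the other side expects (xIN)."""
    out = []
    for proto in ("PAP", "CHAP"):
        for tx, rx, who in ((a, b, "A->B"), (b, a, "B->A")):
            sent, expected = tx["auth"].get(proto + "OUT"), rx["auth"].get(proto + "IN")
            if sent and expected and sent != expected:
                # Report names only, never the passwords themselves.
                out.append(f"{proto} {who}: sends {sent[0]}, peer expects {expected[0]}"
                           + ("" if sent[0] != expected[0] else " (password differs)"))
    return out

# Constructed sample entries in the page's notation (hosts alpha/beta are made up).
ALPHA = parse_entry("INET 10.0.0.2 ISDN beta,ppp PPP CHAPIN beta:s3 CHAPOUT alpha:s3 INSECURE")
BETA_OK = parse_entry("INET 10.0.0.1 ISDN alpha,ppp PPP CHAPIN alpha:s3 CHAPOUT beta:s3 INSECURE")
BETA_BAD = parse_entry("INET 10.0.0.1 ISDN alpha,ppp PPP CHAPIN alpha:s4 INSECURE")
```

Run lint on every entry of one host and cross_check on the pair of entries that describe the same link from both ends.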

2. BRICK configuration hints
------------------------------------------------------------------------------
Configure the BRICK:
--------------------
ppp authentication -> biboPPPAuthentication (biboPPPTable)
possible values (PROM 2.3/3.2)
none(1),pap(2),chap(3),both(4)
Local PPP ID -> sysName (-> only one system PPP ID is possible with
the BRICK!)
Partner PPP ID -> biboPPPAuthIdent (biboPPPTable)
PPP password -> biboPPPAuthSecret (biboPPPTable)
(only one password for both directions is possible with the BRICK!)

Phone number matching with the BRICK:
-------------------------------------
- If you define a number for a PPP interface for both directions
(biboDialDirection=both), the BRICK accepts an incoming call for this
interface only if the number matches the CLI of the incoming call exactly
(in most cases, the incoming number is different from the outgoing
-> you can check this with the isdnCallHistoryTable, often the incoming
number has one zero less than the outgoing).

- If you only want to make inband authentication (i.e. the CLI of the partner
is not checked -> INSECURE with PAP or CHAP inband authentication), you must
have only outgoing numbers for that PPP interface
(biboDialDirection=outgoing).

3. Some tested configuration examples:
------------------------------------------------------------------------------
3.1 BinTec - BinTec
3.2 BinTec - SunLink
3.3 BinTec - Cisco

3.1 BinTec - BinTec
-------------------

GATE16 (CLI: + 49 911 967321, IP-address: 80.0.0.5):
---------------------------------------------------

part of /etc/default/isi:
BASE_myhost=gate16
...
IP_servicelist=tcp/ip:ppp:ppp-m:ppp-a

/usr/isi/config/hosts:
munich 49.911.967327.
gate16 49.911.967321.

/usr/isi/config/ipif:
NET is1 TYPE isdn ADDR 80.0.0.5

with releases < 4.3 you could use the following notation:
---------------------------------------------------------
/usr/isi/config/ip (1):
INET 80.0.0.9 ISDN munich,ppp PPP PAPIN auth1

/usr/isi/config/ip (2):
INET 80.0.0.9 ISDN munich,ppp PPP PAPIN auth2 PAPOUT auth1

with releases >= 4.3 you have to use the following notation:
------------------------------------------------------------
/usr/isi/config/ip (1):
INET 80.0.0.9 ISDN munich,ppp PPP PAPIN munich:auth2 PAPOUT gate16:auth1

ANNOTATION:
In this case the BASE_myhost could be a name different from gate16.

MUNICH (CLI: + 49 911 967327, IP-address: 80.0.0.9):
---------------------------------------------------

part of /etc/default/isi:
BASE_myhost=munich
...
IP_servicelist=tcp/ip:ppp:ppp-m:ppp-a

/usr/isi/config/hosts:
munich 49.911.967327.
gate16 49.911.967321.

/usr/isi/config/ipif:
NET is1 TYPE isdn ADDR 80.0.0.9

with releases < 4.3 you could use the following notation:
---------------------------------------------------------
/usr/isi/config/ip (1):
INET 80.0.0.5 ISDN gate16,ppp PPP PAPIN auth1

/usr/isi/config/ip (2):
INET 80.0.0.5 ISDN gate16,ppp PPP PAPIN auth1 PAPOUT auth2

with releases >= 4.3 you have to use the following notation:
------------------------------------------------------------
/usr/isi/config/ip (1):
INET 80.0.0.5 ISDN gate16,ppp PPP PAPIN gate16:auth1 PAPOUT munich:auth2


3.2 BinTec (GATE16) - SunLink (MUNICH)
--------------------------------------

GATE16:
-------

part of /etc/default/isi:
BASE_myhost=gate16
...
IP_servicelist=tcp/ip:ppp:ppp-m:ppp-a

/usr/isi/config/ipif:
NET is1 TYPE isdn ADDR 80.0.0.5

with releases < 4.3 you could use the following notation:
---------------------------------------------------------
/usr/isi/config/ip:
INET 80.0.0.9 ISDN munich,ppp PPP PAPIN auth2 PAPOUT auth1

with releases >= 4.3 you have to use the following notation:
------------------------------------------------------------
/usr/isi/config/ip:
INET 80.0.0.9 ISDN munich,ppp PPP PAPIN munich:auth2 PAPOUT gate16:auth1

SunLink:
--------
In the PATH-section of the config files you have to have the following:
-----------------------------------------------------------------------
isdn_path
name gate16
interface ipd2
called_number 09119673262 1 isdn_0 A data64
peer_ip_address 129.122.218.253
# require_authentication off
# use_caller_id on
require_authentication pap
will_do_authentication pap
pap_id munich
pap_password auth2
pap_peer_id gate16
pap_peer_password auth1

Partner PPP ID -> pap_peer_id (remote_ppp_id) gate16
PPP password (remote) -> pap_peer_password (remote_ppp_passwd) auth1
Local PPP ID -> pap_id (local_ppp_id) munich
PPP password (local) -> pap_password (local_ppp_passwd) auth2

To configure connections to partners that know only one PPP password, set
remote_ppp_passwd = local_ppp_passwd


3.3 BinTec (GATE16) - Cisco (MUNICH), using CHAP
------------------------------------------------

Environment: CISCO 2503 with BRI Interface.
(Cisco software version should be >= 10.0)
BinTec version > 4.2

GATE16 (CLI: + 49 911 967321, IP-address: 80.0.0.5):
---------------------------------------------------

part of /etc/default/isi:
BASE_myhost=gate16
...
IP_servicelist=tcp/ip:ppp

/usr/isi/config/hosts:
munich 49.911.967327.
gate16 49.911.967321.

/usr/isi/config/ipif:
NET is1 TYPE isdn ADDR 80.0.0.5

with releases < 4.3 you could use the following notation:
(Be careful, this does not work in every case, better use Rel. >= 4.3)
---------------------------------------------------------
/usr/isi/config/ip:
INET 80.0.0.9 ISDN munich,ppp PPP CHAPIN test CHAPOUT test INSECURE

with releases >= 4.3 you have to use the following notation:
------------------------------------------------------------
/usr/isi/config/ip:
INET 80.0.0.9 ISDN munich,ppp PPP CHAPIN munich:test CHAPOUT gate16:test INSECURE

MUNICH (CLI: + 49 911 967327, IP-address: 80.0.0.9):
---------------------------------------------------

Using 3002 out of 32762 bytes
!
version 10.0
!
hostname munich ---- <-> Local PPP ID (munich)
!
...
!
username gate16 password 7 131112011F ---- <-> PPP password (test)
... (131112011F = test)
! Partner PPP ID (gate16)
...
!
interface BRI0
ip address 80.0.0.9 255.0.0.0
encapsulation ppp
no keepalive
dialer map IP 80.0.0.5 name gate16 967321
dialer-group 1
ppp authentication chap ---- <-> CHAPIN ... CHAPOUT ...
!
...
!
end

ANNOTATION:
----------
encapsulation hdlc instead of PPP:
- only works with the BinTec/DOS-Pack - Release >= 1.45
This HDLC (from CISCO) uses a special framing (HDLC-Info + 4 bytes from CISCO)

Using (CISCO-) HDLC encapsulation:

IP file example configuration entry:

INET 80.0.0.9 ISDN munich,tcp/ip4 CISCOHDLC

At the Cisco router, select hdlc encapsulation and turn off keepalive packets.
-> Further hints are in the BIANCA/BRI manual that comes with your DOS-PACK.

A.1 ISI/IP Default configuration in the services file
------------------------------------------------------------------------------
part of /usr/isi/config/services:
LOCAL ppp 0070002 NOL3;NOL2
LOCAL ppp-m 001...2 NOL3;NOL2;MODEM
LOCAL ppp-a 0070007 NOL3;NOL2;ASYNC(speed=38400)
* ppp 0070002 NOL3;NOL2
* ppp-m 0010022 NOL3;NOL2;MODEM
* ppp-a 0070007 NOL3;NOL2;ASYNC(speed=38400)

ISI/IP Protocol parameters Layer 1:
-----------------------------------
L1HDLC: sync=64000 (network transfer rate)
MODEM: law=0 type=0 bpc=8 stopb=1 parenb=0 parodd=1
law=0 -> a-Law
type=0 -> auto mode
bpc=8 -> bits per char
stopb=1 -> stop bit
parenb=0 -> no parity
parodd=1 -> odd parity
ASYNC: speed=9600 bpc=8 stopb=1 parenb=0 parodd=1

Used inband protocol: LCP

A.2 PPP - Tracing - Example trace (test with a CISCO)
------------------------------------------------------------------------------

Trace description, e.g ielctrace:
---------------------------------
usage: ielctrace [-h23aFpitx] [-f <device>] [-T <tei>] [-c <cref>] <chan> <board>
-h hexadecimal output
-2 layer 2 output
-3 layer 3 output
-a asynchronous HDLC (B-Channel only)
-F FAX (B-Channel only)
-p PPP (B-Channel only)
-i IP output (B-Channel only)
-t ascii text output (B-Channel only)
-x raw dump mode
-T set tei filter (D-Channel only)
-c set callref filter (D-Channel only)
-f device to use [/dev/ielcx, /dev/iqx, ...]
<chan> 0 = D-Channel
1..31 = Bx-Channel
<board> 0..15

Example trace (test with a CISCO):
----------------------------------

ielctrace -pi 1 (i.e. trace of the B1 channel) at the gate16 side
ping from munich to gate16
--------------------------------------------------------
timestamps
R/X .. receive/send
003319.850 R ACTIVATE --- b channel activation
003319.930 R DATA[0019]
PPP packet protocol 0xc021 (LCP)
ID 9 LCP Configure-Request
Authentication Protocol CHAP; --- partner wants to make CHAP
Magic-Number 0x001d16c8;

003319.940 X DATA[0013]
PPP packet protocol 0xc021 (LCP)
ID 1 LCP Configure-Request
Authentication Protocol CHAP;

003319.940 X DATA[0019]
PPP packet protocol 0xc021 (LCP)
ID 9 LCP Configure-Ack
Authentication Protocol CHAP;
Magic-Number 0x001d16c8;

003319.950 R DATA[0013]
PPP packet protocol 0xc021 (LCP)
ID 1 LCP Configure-Ack
Authentication Protocol CHAP;

003319.950 X DATA[0019]
PPP packet protocol 0xc223 (CHAP)
ID 1 CHAP Challenge Value Length 4 Name gate16

003319.950 R DATA[0018]
PPP packet protocol 0xc223 (CHAP)
ID 13 CHAP Challenge Value Length 4 Name munich

003319.960 X DATA[0031]
PPP packet protocol 0xc223 (CHAP)
ID 13 CHAP Response Value Length 16 Name gate16

003319.960 R DATA[0030]
PPP packet protocol 0xc223 (CHAP)
ID 1 CHAP Response Value Length 16 Name munich --- challenge and responses are ok

003319.970 X DATA[0010]
PPP packet protocol 0xc223 (CHAP)
ID 1 CHAP Success Message Hi --- password authentication is also ok

003319.970 R DATA[0008]
PPP packet protocol 0xc223 (CHAP)
ID 13 CHAP Success Message

003319.970 X DATA[0008]
PPP packet protocol 0x8021 (IPCP)
ID 1 IPCP Configure-Request

003319.980 R DATA[0014]
PPP packet protocol 0x8021 (IPCP)
ID 21 IPCP Configure-Request
IP-Address 80.0.0.9;

003319.980 R DATA[0008]
PPP packet protocol 0x8021 (IPCP)
ID 1 IPCP Configure-Ack

003319.980 X DATA[0014]
PPP packet protocol 0x8021 (IPCP)
ID 21 IPCP Configure-Ack
IP-Address 80.0.0.9;

003321.450 R DATA[0104] --- Here are the ping packets
PPP packet protocol 0x21 (TCP/IP)
IP-Packet from 80.0.0.9 to 80.0.0.5 protocol 0x1
ICMP-Message , type echo request
003321.460 X DATA[0104]
PPP packet protocol 0x21 (TCP/IP)
IP-Packet from 80.0.0.5 to 80.0.0.9 protocol 0x1
ICMP-Message , type echo reply

003341.720 R DATA[0008]
PPP packet protocol 0xc021 (LCP)
ID 2 LCP Terminate-Ack

003341.720 R DATA[0019]
PPP packet protocol 0xc021 (LCP)
ID 10 LCP Configure-Request
Authentication Protocol CHAP;
Magic-Number 0x001d6be0;

003344.720 X DATA[0008]
PPP packet protocol 0xc021 (LCP)
ID 3 LCP Terminate-Request

003344.720 R DATA[0008]
PPP packet protocol 0xc021 (LCP)
ID 3 LCP Terminate-Ack --- PPP connection is terminated

003344.730 R DEACTIVATE --- deactivation of the b channel
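
The CHAP part of the trace above can be checked mechanically. The following is an added example, not a BinTec tool: it groups the CHAP packets of an `ielctrace -p` dump by authenticator and ID and reports which name each side accepted. TRACE is an excerpt of the trace above (protocol lines and annotations omitted); REJECTED is constructed and assumes a Failure is printed like a Success.

```python
import re

HDR = re.compile(r"^\d{6}\.\d{3} ([RX]) ")
CHAP = re.compile(r"^ID (\d+) CHAP (Challenge|Response|Success|Failure)\b(?:.*?\bName (\S+))?")

def chap_exchanges(trace):
    """Group the CHAP packets of an `ielctrace -p` dump by (authenticator, ID)."""
    direction, found = None, {}
    for line in map(str.strip, trace.splitlines()):
        if m := HDR.match(line):
            direction = m.group(1)              # R = received, X = sent
        elif m := CHAP.match(line):
            ident, code, name = int(m.group(1)), m.group(2), m.group(3)
            # A Response travels towards the authenticator, all other codes away from it.
            local_is_auth = (direction == "X") != (code == "Response")
            ex = found.setdefault(("local" if local_is_auth else "peer", ident),
                                  {"steps": [], "claimed": None})
            ex["steps"].append(code)
            if code == "Response":
                ex["claimed"] = name            # identity the responder claims
    return found

def authenticated(trace):
    """Map each authenticator to the name it accepted, or None if it accepted none."""
    result = {"local": None, "peer": None}
    for (side, _), ex in chap_exchanges(trace).items():
        if ex["steps"] == ["Challenge", "Response", "Success"]:
            result[side] = ex["claimed"]
    return result

# Excerpt of the gate16-side trace above.
TRACE = """\
003319.950 X DATA[0019]
ID 1 CHAP Challenge Value Length 4 Name gate16
003319.950 R DATA[0018]
ID 13 CHAP Challenge Value Length 4 Name munich
003319.960 X DATA[0031]
ID 13 CHAP Response Value Length 16 Name gate16
003319.960 R DATA[0030]
ID 1 CHAP Response Value Length 16 Name munich
003319.970 X DATA[0010]
ID 1 CHAP Success Message Hi
003319.970 R DATA[0008]
ID 13 CHAP Success Message
"""
# Constructed variant: gate16 rejects munich's Response (Failure line format assumed).
REJECTED = TRACE.replace("ID 1 CHAP Success Message Hi", "ID 1 CHAP Failure Message")
```

For the trace above, authenticated(TRACE) reports that gate16 (local) accepted munich and that munich (peer) accepted gate16.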

 
