PPP CHAP configuration: the "big method"

Source: Internet
Author: User

Establishing a PPP session involves several authentication configuration options. This article explains the configuration of PPP CHAP in three parts: a PPP overview, the CHAP principle, and the CHAP configuration itself.

1 PPP Overview

The Point-to-Point Protocol (PPP) is a data link layer protocol for point-to-point lines published by the IETF (Internet Engineering Task Force). It solves the problems of SLIP and has become a formal Internet standard.

The PPP protocol is described in RFC 1661, RFC 1662, and RFC 1663.

PPP carries upper-layer protocol packets over many kinds of physical point-to-point serial lines. It has many optional features: support for multiple network-layer protocols, optional identity authentication, several data compression methods, dynamic address negotiation, and multilink bundling. These options extend what PPP can do, and it runs both on asynchronous dial-up lines and on synchronous links between routers, so it is widely used.

This document describes the identity authentication function of PPP.

2 CHAP Principle

PPP provides two optional authentication methods: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). If both parties agree during negotiation, no authentication method need be used at all.

CHAP authentication is safer than PAP authentication because CHAP never sends the password over the link. Instead, the authenticator sends a random sequence, the "challenge" string, and the peer returns the result of running a digest algorithm over it (see Figure 1). Authentication can also be repeated at any time, including while the two parties are communicating normally, and the challenge changes each time. So even if an unauthorized user intercepts the exchange and manages to crack it, what was captured is only useful for a limited time.

Figure 1 CHAP

CHAP places higher demands on the end systems because it involves repeated challenges and responses, which consume CPU resources, so it is used mainly in scenarios with high security requirements.

3 CHAP Configuration

3.1 Basic PPP Configuration

On synchronous serial interfaces, the default encapsulation is HDLC (Cisco's proprietary implementation). Use the encapsulation ppp command to change the encapsulation to PPP (see Figure 2).

Figure 2 PPP serial Encapsulation

If one side is encapsulated with HDLC and the other with PPP, negotiation of the encapsulation protocol fails. The interface then shows as "up, line protocol down" and communication fails (see Figure 3).

Figure 3 inconsistent encapsulation formats of router serial interfaces

Until the link between RouterA and RouterB is successfully established, the routing tables of RouterA and RouterB contain no routes over that link.

3.2 PPP CHAP Configuration

3.2.1 CHAP authentication process

Like PAP, CHAP authentication can be one-way, where one party verifies the identity of the other, or two-way, where each party must pass the other's authentication process before the link can be established. The following uses one-way authentication as an example to walk through the CHAP configuration process and diagnostic methods.

When both parties encapsulate PPP, CHAP authentication is required, and the link between them is up at the physical layer, the authentication server keeps sending authentication requests until authentication succeeds (see Figure 4). Unlike PAP, what the authentication server sends is a "challenge" string.

Figure 4 CHAP Verification

In Figure 4, when the authentication client (the authenticated end, RouterB) sends its response to the "challenge" string, the authentication server verifies the peer's identity using the MD5 digest algorithm. If the response is correct, authentication succeeds and the link between the two parties is established.

If RouterB, the authenticated end, sends an incorrect response to the "challenge", the authentication server keeps sending authentication requests until it receives a correct response packet.
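The exchange described in section 2 and in 3.2.1 above, written out as an added example (not code from the original article): the authenticator issues a random challenge, the peer looks up the secret stored under the authenticator's name and returns MD5(ID || secret || challenge) as specified in RFC 1994, and the authenticator recomputes the digest from its own local password database entry for the peer. The local databases, hostnames and secrets are constructed here to mirror the article's commands; the retry loop and the replay check are this example's own additions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed local password databases mirroring the article's commands:
#   RouterA(config)# username routerb password samepass
#   RouterB(config)# username routera password samepass
ROUTERA_DB = {"routerb": "samepass"}
ROUTERB_DB = {"routera": "samepass"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


@dataclass(frozen=True)
class Challenge:
    identifier: int   # one byte, changes with every challenge
    value: bytes      # random "challenge" string
    name: str         # authenticator's hostname, carried in the Challenge packet


@dataclass(frozen=True)
class Response:
    identifier: int
    name: str         # responder's hostname; the server looks its secret up by this name
    digest: bytes


class Authenticator:
    """Authentication server (RouterA in the article): issues challenges, verifies responses."""

    def __init__(self, hostname: str, local_db: dict):
        self.hostname = hostname
        self.local_db = local_db
        self.next_id = 1
        self.outstanding = None

    def challenge(self) -> Challenge:
        ch = Challenge(self.next_id, os.urandom(16), self.hostname)
        self.next_id = (self.next_id + 1) % 256
        self.outstanding = ch
        return ch

    def verify(self, resp: Response) -> bool:
        ch, self.outstanding = self.outstanding, None     # a challenge answers one response only
        if ch is None or resp.identifier != ch.identifier:
            return False                                  # stale or replayed response
        secret = self.local_db.get(resp.name)             # "username <peer> password <secret>"
        if secret is None:
            return False
        expected = chap_response(ch.identifier, secret, ch.value)
        return hmac.compare_digest(expected, resp.digest)


class Peer:
    """Authentication client (RouterB in the article): answers challenges."""

    def __init__(self, hostname: str, local_db: dict):
        self.hostname = hostname
        self.local_db = local_db

    def respond(self, ch: Challenge) -> Response:
        # The secret is looked up under the authenticator's name; a missing or
        # wrong entry produces a digest the server will reject.
        secret = self.local_db.get(ch.name, "")
        return Response(ch.identifier, self.hostname, chap_response(ch.identifier, secret, ch.value))


def authenticate(server: Authenticator, client: Peer, max_rounds: int = 3) -> int:
    """Server keeps challenging until a correct response arrives. Returns the round
    in which authentication succeeded, or 0 if every round failed (link stays down)."""
    for rnd in range(1, max_rounds + 1):
        if server.verify(client.respond(server.challenge())):
            return rnd
    return 0


def replay_is_rejected(server: Authenticator, client: Peer) -> bool:
    """A response captured for one challenge must not satisfy a later challenge."""
    captured = client.respond(server.challenge())   # an eavesdropper records this response
    server.verify(captured)                          # the legitimate exchange completes
    server.challenge()                               # later, a fresh challenge is issued
    return not server.verify(captured)               # the old digest no longer matches


if __name__ == "__main__":
    a, b = Authenticator("routera", ROUTERA_DB), Peer("routerb", ROUTERB_DB)
    print("rounds to authenticate:", authenticate(a, b))
    print("replay rejected:", replay_is_rejected(a, b))
    print("case-mismatched password, rounds:", authenticate(a, Peer("routerb", {"routera": "SamePass"})))
```

The case-mismatched run returns 0 after three challenges, which is the behaviour the article describes: the server keeps re-challenging and the link never comes up. Note that the identifier is only one byte and the digest is unkeyed MD5, which is why CHAP is considered adequate only for the link-layer scenario the article covers.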

3.2.2 Configure the CHAP authentication server

Configuring the CHAP authentication server takes two steps: creating a local password database and requiring CHAP authentication on the interface.

Create a Local Password Database

Use the username ... password command in global configuration mode to add a record to the local password database. Note that the username here must be the name of the peer router, that is, routerb, as shown below:

RouterA(config)# username routerb password samepass

CHAP authentication required

In interface configuration mode, run the ppp authentication chap command, as follows:

RouterA(config)# interface serial 0/0

RouterA(config-if)# ppp authentication chap

3.2.3 Configure the CHAP authentication client

Configuring the CHAP authentication client takes only one step: creating the local password database. Note that the username here must be the name of the peer router, that is, routera, and the password must be the same as the one in the CHAP authentication server's password database, as shown below:

RouterB(config)# username routera password samepass

3.2.4 CHAP Diagnosis

You can use the debug ppp authentication command to diagnose problems in CHAP authentication. Figure 5 shows that the "challenge" response sent by the authentication client was not accepted by the authentication server.

Figure 5 output of the debug ppp authentication command

Figure 6 shows that, after several authentication requests, the authentication server finally receives a correct "challenge" response from the authentication client. At that point the link between the two parties is established.

Figure 6 output of the debug ppp authentication command

Note:

1. Passwords are case sensitive during CHAP authentication.

2. Identity Authentication can also be performed in two directions, that is, mutual authentication. The configuration method is similar to one-way authentication, except that both parties must be configured as the authentication server and the authentication client at the same time.

3. The password database can also be kept on an AAA or TACACS+ server instead of on the routers themselves. That is not covered here.

The authentication methods chosen by the two parties may differ. For example, if one party chooses PAP and the other chooses CHAP, authentication negotiation between them fails. To avoid this, you can configure the router with two authentication methods; when negotiation of the first fails, the router tries the other. The following command configures the router to use PAP first and, if that fails, CHAP:

RouterA(config-if)# ppp authentication pap chap

The following command does the opposite: it uses CHAP first and falls back to PAP after negotiation fails:

RouterA(config-if)# ppp authentication chap pap
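The failure modes spread over sections 3.1 to 3.2.4 and note 1 (HDLC on one side and PPP on the other, a missing username entry for the peer, a password that differs only in case) can be caught before the link is brought up by reading both routers' configurations side by side. The checker below is an added example, not a tool from the article; the two IOS snippets are constructed to match the article's commands, the interface name normalisation and the case-insensitive comparison of usernames are this example's assumptions, and passwords are compared exactly because the article states they are case-sensitive. It does not model PAP or the AAA/TACACS+ case from note 3.

```python
import re
from dataclasses import dataclass, field

# Constructed IOS configuration snippets mirroring the article's commands.
ROUTERA_CONFIG = """\
hostname RouterA
username routerb password samepass
interface serial 0/0
 encapsulation ppp
 ppp authentication chap
"""
ROUTERB_CONFIG = """\
hostname RouterB
username routera password samepass
interface serial 0/0
 encapsulation ppp
"""


@dataclass
class RouterConfig:
    hostname: str = ""
    users: dict = field(default_factory=dict)          # username -> password (global mode)
    encapsulation: dict = field(default_factory=dict)  # interface -> "ppp" / "hdlc"
    auth_methods: dict = field(default_factory=dict)   # interface -> methods in the order tried


def parse_ios(text: str) -> RouterConfig:
    """Pick out the handful of lines the CHAP check depends on (hypothetical minimal parser)."""
    cfg = RouterConfig()
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"hostname\s+(\S+)$", line):
            cfg.hostname = m.group(1)
        elif m := re.match(r"username\s+(\S+)\s+password\s+(\S+)$", line):
            # Usernames lowered for lookup (assumption); plain-text passwords kept verbatim.
            cfg.users[m.group(1).lower()] = m.group(2)
        elif m := re.match(r"interface\s+(.+)$", line):
            iface = m.group(1).lower().replace(" ", "")       # "serial 0/0" -> "serial0/0"
            cfg.encapsulation.setdefault(iface, "hdlc")       # IOS default on synchronous serial
        elif iface and (m := re.match(r"encapsulation\s+(\S+)$", line)):
            cfg.encapsulation[iface] = m.group(1).lower()
        elif iface and (m := re.match(r"ppp authentication\s+(.+)$", line)):
            cfg.auth_methods[iface] = m.group(1).lower().split()
    return cfg


def check_chap_pair(a: RouterConfig, b: RouterConfig, iface: str) -> list:
    """Return human-readable findings for one link; an empty list means CHAP should succeed."""
    findings = []
    enc_a = a.encapsulation.get(iface, "hdlc")
    enc_b = b.encapsulation.get(iface, "hdlc")
    if enc_a != enc_b:
        findings.append(f"{iface}: encapsulation mismatch ({a.hostname}={enc_a}, "
                        f"{b.hostname}={enc_b}); line protocol will stay down")
        return findings                  # nothing further can be negotiated
    if enc_a != "ppp":
        return findings                  # no PPP, so no CHAP to check
    # Either side may act as authenticator; one-way and two-way setups both fall out of this loop.
    for server, client in ((a, b), (b, a)):
        if "chap" not in server.auth_methods.get(iface, []):
            continue                     # this side does not authenticate its peer with CHAP
        peer_name, auth_name = client.hostname.lower(), server.hostname.lower()
        srv_pw = server.users.get(peer_name)     # server stores the secret under the peer's name
        cli_pw = client.users.get(auth_name)     # client stores it under the authenticator's name
        if srv_pw is None:
            findings.append(f"{server.hostname}: no 'username {peer_name} password ...' entry for its peer")
        if cli_pw is None:
            findings.append(f"{client.hostname}: no 'username {auth_name} password ...' entry for the authenticator")
        if srv_pw is not None and cli_pw is not None and srv_pw != cli_pw:
            findings.append(f"{iface}: CHAP secrets differ between {server.hostname} and "
                            f"{client.hostname} (passwords are case-sensitive)")
    return findings


if __name__ == "__main__":
    scenarios = {
        "as configured": ROUTERB_CONFIG,
        "RouterB left on HDLC": ROUTERB_CONFIG.replace("encapsulation ppp", "encapsulation hdlc"),
        "password case differs": ROUTERB_CONFIG.replace("password samepass", "password SamePass"),
        "RouterB missing username": ROUTERB_CONFIG.replace("username routera password samepass\n", ""),
    }
    for label, cfg_b in scenarios.items():
        result = check_chap_pair(parse_ios(ROUTERA_CONFIG), parse_ios(cfg_b), "serial0/0")
        print(f"{label}: {result or 'OK'}")
```

Run against the two snippets as written, the checker reports nothing; each of the other three scenarios yields exactly the one finding that the corresponding debug ppp authentication output in Figures 3 and 5 would show after the fact.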

That is the full PPP CHAP configuration. I hope the explanation in this article makes it clear.
