CHAP authentication experiment in PPP
I. Introduction to CHAP authentication
1. Both the authenticator and the authenticated party hold a user name and password.
2. The authenticator initiates the request: it sends a random challenge packet together with its local user name to the authenticated party.
3. The authenticated party looks up the received user name in its local user table to find the matching password. If the user name is not found, authentication fails; if it is found, the authenticated party hashes the random challenge with the message ID and the password using MD5 and sends the result, together with its local user name, back to the authenticator.
4. On receiving this message, the authenticator looks up the password for the user name carried in the message in its local user database, hashes the original random challenge with the message ID and that password using MD5, and compares the result with the value sent by the authenticated party. If they match, authentication passes; otherwise authentication fails.
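The four steps above, as an added example that is not part of the original post and is not code from any router: a Python model of the CHAP Challenge/Response exchange using the RFC 1994 packet layout (Code, Identifier, Length, Value-Size, Value, Name) and the response value MD5(Identifier || password || challenge). It goes slightly beyond step 3 by also modelling the precedence the later sections of the post describe on the authenticated party: a password configured on the interface is used directly, otherwise the name carried in the Challenge is looked up in the local user table and no Response is sent if it is missing. The class names, the `interface_secret` parameter and the sample user R1 / password 123 are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes (RFC 1994)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value defined by RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes = b"", name: bytes = b"") -> bytes:
    """Encode a CHAP packet: Code, Identifier, Length, then code-specific data.
    Challenge/Response carry Value-Size, Value and Name; Success/Failure carry a
    Message, passed here through the name argument."""
    if code in (CHALLENGE, RESPONSE):
        data = bytes([len(value)]) + value + name
    else:
        data = name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_packet(pkt: bytes) -> dict:
    """Decode a CHAP packet, rejecting length fields that do not match the data."""
    if len(pkt) < 4:
        raise ValueError("CHAP packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length field does not match packet size")
    body = pkt[4:]
    if code in (CHALLENGE, RESPONSE):
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated CHAP Value")
        vsize = body[0]
        return {"code": code, "id": identifier, "value": body[1:1 + vsize], "name": body[1 + vsize:]}
    return {"code": code, "id": identifier, "message": body}


class Authenticator:
    """The authenticator (AR1 in the experiment): sends the Challenge, checks the Response."""

    def __init__(self, name: bytes, users: dict):
        self.name = name        # name carried in the Challenge (empty if none is configured)
        self.users = users      # local user table: user name -> password
        self.pending = {}       # identifier -> outstanding challenge value

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)  # fresh random challenge for every attempt
        self.pending[identifier] = value
        return build_packet(CHALLENGE, identifier, value, self.name)

    def verify(self, response_pkt: bytes) -> bytes:
        r = parse_packet(response_pkt)
        challenge = self.pending.pop(r["id"], None)
        if r["code"] != RESPONSE or challenge is None:
            return build_packet(FAILURE, r["id"], name=b"unexpected response")
        # Step 4: look up the password for the user name carried in the Response
        secret = self.users.get(r["name"])
        if secret is None:
            return build_packet(FAILURE, r["id"], name=b"unknown user")
        expected = chap_hash(r["id"], secret, challenge)
        if hmac.compare_digest(expected, r["value"]):  # constant-time comparison
            return build_packet(SUCCESS, r["id"], name=b"authentication passed")
        return build_packet(FAILURE, r["id"], name=b"bad response")


class Peer:
    """The authenticated party (AR2): picks a password and answers the Challenge."""

    def __init__(self, name: bytes, users: dict, interface_secret=None):
        self.name = name                          # the ppp chap user on the interface
        self.users = users                        # local user table
        self.interface_secret = interface_secret  # ppp chap password on the interface, if any

    def respond(self, challenge_pkt: bytes):
        c = parse_packet(challenge_pkt)
        if c["code"] != CHALLENGE:
            return None
        # Model of the behaviour the post describes: an interface password is used directly;
        # otherwise the name carried in the Challenge is looked up in the local table (step 3)
        # and no Response is sent when it is not found.
        secret = self.interface_secret
        if secret is None:
            secret = self.users.get(c["name"])
        if secret is None:
            return None
        return build_packet(RESPONSE, c["id"], chap_hash(c["id"], secret, c["value"]), self.name)


def run_exchange(authenticator: Authenticator, peer: Peer, identifier: int = 1) -> int:
    """Drive one Challenge/Response round and return the final code (SUCCESS or FAILURE)."""
    response = peer.respond(authenticator.challenge(identifier))
    if response is None:
        return FAILURE
    return parse_packet(authenticator.verify(response))["code"]


if __name__ == "__main__":
    # Constructed sample values taken from the post's experiment: user R1, password 123
    ar1 = Authenticator(b"R1", {b"R1": b"123"})
    ar2 = Peer(b"R1", {b"R1": b"123"})
    print("passed" if run_exchange(ar1, ar2) == SUCCESS else "failed")
```

Run the module directly to see the section VI setup succeed; an authenticator with an empty name paired with a peer that has no interface password fails, because the peer has no name to look up, which is the failure case shown at the end of the post.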
II. Experiment environment
[Image: experiment topology, http://cckvm.img42.wal8.com/img42/499446_20141030105743/14146379094.png]
The two routers are connected through their Serial 1/0/0 interfaces, with the addresses 10.0.0.1/24 and 10.0.0.2/24 respectively. For CHAP authentication, AR1 is the authenticator and AR2 is the authenticated party.
III. Basic experiment configuration
AR1 interface IP address configuration
[AR1] interface Serial 1/0/0
[AR1-Serial1/0/0] ip address 10.0.0.1 24
AR1 creates the user to be authenticated
[AR1] aaa
[AR1-aaa] local-user R1 password cipher 123
[AR1-aaa] local-user R1 service-type ppp
AR2 interface IP address configuration
[AR2] interface Serial 1/0/0
[AR2-Serial1/0/0] ip address 10.0.0.2 24
IV. CHAP configuration 1
1. Configuration commands
[AR1] interface Serial 1/0/0
[AR1-Serial1/0/0] ppp authentication-mode chap
[AR2] interface Serial 1/0/0
[AR2-Serial1/0/0] ppp chap user r1
[AR2-Serial1/0/0] ppp chap password cipher 123
2. Packet capture results
[Image: packet capture, http://cckvm.img42.wal8.com/img42/499446_20141030105743/141463790979.png]
The authenticator does not send a user name.
The reply from the authenticated party carries a user name.
3. Analysis: the authenticator's interface is not configured with ppp chap user R1, so the authentication request it initiates carries no user name; the user name in its local user database is not sent to the peer for verification.
The authenticated party has no user R1 in its user database; the CHAP user name R1 is configured on its interface. The user name configured on the interface takes precedence over the one in the database, so the reply message sent by the authenticated party carries the user name R1.
V. CHAP configuration 2
In this experiment, ppp chap user R1 is added to the AR1 interface, so the CHAP authentication request sent by AR1 carries R1.
Add the following command on AR1's Serial 1/0/0 interface:
[AR1-Serial1/0/0] ppp chap user r1
[Image: packet capture, http://cckvm.img42.wal8.com/img42/499446_20141030105743/141463791025.png]
Now the authentication request sent by the authenticator carries a user name.
VI. CHAP configuration 3
In the experiment above, AR2 has no local user database. As the authenticated party, AR2 builds its authentication reply from the user name and password configured on the Serial 1/0/0 interface. If a local user R1 with a password is created on AR2 instead, no password needs to be configured on the interface: AR2 directly uses the password of its local user R1.
Configuration commands
[AR2] aaa
[AR2-aaa] local-user R1 password cipher 123
[AR2-aaa] local-user R1 service-type ppp
[AR2-Serial1/0/0] undo ppp chap password
The password can be deleted, but the user name cannot: if the user name is deleted, the authenticator does not send the authentication request.
[Image: packet capture, http://cckvm.img42.wal8.com/img42/499446_20141030105743/141463791132.png]
Authentication passes.
The user name on the AR1 interface cannot be deleted:
[Image: packet capture, http://cckvm.img42.wal8.com/img42/499446_20141030105743/141463791175.png]
Authentication fails.
VII. Experiment summary
1. If the authenticator has no user name configured on its interface, the authentication request sent to the authenticated party contains no user name, and the authenticated party replies using the user name and password configured on its own interface.
2. If the authenticator has a user name configured, the authenticated party can look up that user name in its local user database to obtain the password, and then reply to the authenticator.
This article is from the "kk1230" blog. For more information, contact the author!