Preface: Today I saw the CHAP authentication experiment of the Yan brothers. I also helped a classmate solve a problem about PAP and CHAP authentication, so here I summarize PAP and CHAP authentication in PPP.

Lab level: assistant

Lab topology:
Experiment description: PPP has two authentication methods, PAP and CHAP. They can be used separately or in combination, and authentication can be one-way or two-way. PAP authenticates by checking that the user name and password sent by the remote end match the local database. CHAP instead sends a challenge packet; the remote end computes an MD5 value from the challenge together with the user name and password in its database and returns that value, and the sender checks whether the returned value is consistent with its own calculation.

Basic configuration:

R1:
!
hostname R1                          ! set the host name to "R1"
!
interface serial1/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp                   ! set the encapsulation to PPP

R2:
hostname R2
!
interface serial1/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation ppp

With the above configuration and no authentication enabled, the link comes up.

Configuration steps:

1. PAP authentication on the two routers

For one-way authentication the configuration is as follows. R1 is the authenticating server: a local password database must be created and PAP authentication enabled.

R1(config)# username R2 password gairuhe     ! create a local password database
R1(config)# int s1/0
R1(config-if)# ppp authentication pap        ! require PAP authentication

With this configuration we can see that the link has gone down:

R1(config-if)#
*Aug 23 16:45:12.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2 is the authenticated client, and it must send a user name and password that match the password database on the server.
Add the following configuration on R2:
R2(config)# int s1/0
R2(config-if)# ppp pap sent-username R2 password gairuhe     ! send the user name and password
R2(config-if)#
*Aug 23 16:47:48.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Now the link is up. We only enabled authentication on R1, not on R2; this is one-way PAP authentication.

Two-way PAP authentication: both ends are configured as the authentication server and the authentication client at the same time. Building on the above experiment, we only need to additionally configure R2 as a server and R1 as a client.

R2(config)# username R1 password gairuhe
R2(config)# int s1/0
R2(config-if)# ppp authentication pap
R2(config-if)#
*Aug 23 16:52:29.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R1(config-if)# int s1/0
R1(config-if)# ppp pap sent-username R1 password gairuhe
R1(config-if)#
*Aug 23 16:53:08.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

2. Based on the above experiment, R1 is changed to CHAP authentication while R2 remains unchanged. Turn on debug ppp authentication and make the following changes on R1:

R1(config-if)# no ppp authentication pap
R1(config-if)# no ppp pap sent-username R1 password gairuhe
R1(config-if)# ppp authentication chap

We find that the link state does not change and no debug output is generated. This means that once the link has been established, no further authentication takes place. Let's shut and no shut S1/0 to see what happens:

R1(config-if)# shut
R1(config-if)# no shut
R1#
*Aug 23 17:00:19.663: Se1/0 PPP: Authorization required

Now the link has been disconnected and PPP authentication is required again.

3. CHAP authentication on the two routers. First disable PAP authentication on R2:

R2(config-if)# no ppp authentication pap
R2(config-if)# no ppp pap sent-username R2 password gairuhe

In the debug output on R1 we can see:
R1#
*Aug 23 17:07:24.031: Se1/0 PPP: Authorization required
*Aug 23 17:07:24.063: Se1/0 CHAP: O CHALLENGE id 42 len 23 from "R1"
*Aug 23 17:07:24.095: Se1/0 CHAP: I RESPONSE id 42 len 23 from "R2"
*Aug 23 17:07:24.099: Se1/0 PPP: Sent CHAP LOGIN Request
*Aug 23 17:07:24.103: Se1/0 PPP: Received LOGIN Response FAIL
*Aug 23 17:07:24.107: Se1/0 CHAP: O FAILURE id 42 len 25 msg is "Authentication failed"

We can see that CHAP authentication is performed by sending a challenge message. Now enable CHAP authentication on R2:

R2(config)# int s1/0
R2(config-if)# ppp authentication chap
R2(config-if)#
*Aug 23 17:11:41.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

This time the link has come up.

4. The commands to enable both authentication methods are:

R2(config-if)# ppp authentication chap pap
or
R2(config-if)# ppp authentication pap chap

If two authentication protocols are enabled at the same time, the first method listed in the configuration is requested during link negotiation. If the device at the other end proposes the second method, or the first method fails, the second method is tried between the two devices. When both methods are enabled, only one of them needs to succeed for the link to be established.

Conclusion: PAP matches the user name and password by sending them in a message, so the ppp pap sent-username <name> password <password> command must be used; the user name and password are transmitted in plaintext and can be captured with packet capture software.
CHAP authentication process (one-way authentication, R2 is the server, R1 is the client):

R2 first sends a Challenge packet to R1. The packet contains: 01 (identifier, indicating a Challenge packet) + ID (sequence number) + random number + user name (R2).

After receiving this packet, R1 takes the user name (R2), the random number and the ID from the Challenge packet together with the password gairuhe, computes the MD5 value, and sends it to R2.

The Response packet contains: 02 (Response identifier) + ID (the same ID as in the Challenge from R2) + Hash (the MD5 value) + user name (R1).

After receiving the packet, R2 uses the ID to find the Challenge packet it sent, looks up the password corresponding to R1 in its local database, and computes the MD5 value over the ID, the random number and that password.

It then compares the two values to complete the verification. Because only the hash, and never the password itself, crosses the link, CHAP is more secure than PAP.
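The one-way CHAP exchange described above, as an added example that is not part of the original lab write-up: it follows the RFC 1994 packet layout and hash (MD5 over Identifier, secret and challenge value; the user name is carried in the packet but not hashed), with constructed password databases mirroring the lab's username entries and the lab's ID 42.

```python
import hashlib
import hmac
import os

# Constructed password databases: each router stores an entry for its peer,
# mirroring "username R2 password gairuhe" on R1 and "username R1 password gairuhe" on R2.
R1_DB = {b"R2": b"gairuhe"}
R2_DB = {b"R1": b"gairuhe"}

def chap_hash(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def build_packet(code, ident, value, name):
    """Code (1 Challenge, 2 Response) | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_packet(pkt):
    """Return (code, identifier, value, name) from a Challenge or Response packet."""
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]

def server_challenge(pending, ident, name=b"R2", value=None):
    """Server (R2) sends a Challenge and remembers the random value under its Identifier."""
    value = os.urandom(16) if value is None else value
    pending[ident] = value
    return build_packet(1, ident, value, name)

def client_respond(challenge_pkt, db, own_name=b"R1"):
    """Client (R1) looks up the password for the peer's name and hashes ID, value, password."""
    code, ident, value, peer_name = parse_packet(challenge_pkt)
    assert code == 1, "expected a Challenge packet"
    return build_packet(2, ident, chap_hash(ident, db[peer_name], value), own_name)

def server_verify(response_pkt, pending, db):
    """Server finds the Challenge by ID, recomputes MD5 with the client's stored password,
    and compares in constant time; the pending entry is consumed so a replay is rejected."""
    code, ident, received, client_name = parse_packet(response_pkt)
    if code != 2 or ident not in pending or client_name not in db:
        return False
    expected = chap_hash(ident, db[client_name], pending.pop(ident))
    return hmac.compare_digest(received, expected)

def run_exchange(client_db=R1_DB, ident=42):
    """One-way CHAP as in the lab: R2 authenticates R1. Returns True on success."""
    pending = {}
    chal = server_challenge(pending, ident)
    resp = client_respond(chal, client_db)
    return server_verify(resp, pending, R2_DB)
```

Passing a client database with a different password for R2 makes the exchange fail, which is exactly the "Authentication failed" case seen in the debug output.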