CHAP is one of the most important authentication methods in PPP. We have already covered PPP authentication in general, including CHAP. Many readers are confused by CHAP configuration, which relies on the ppp authentication command, so this time we focus on that topic.
CHAP Configuration
CHAP authentication process
Like PAP, CHAP authentication can be one-way, where one party authenticates the identity of the other, or two-way, where each party must pass the other's authentication; otherwise the link between them cannot be established. The following uses one-way authentication as an example to analyze the CHAP configuration process and diagnostic methods.
1. When both parties encapsulate PPP and require CHAP authentication, and the link between them is up at the physical layer, the authentication server keeps sending authentication requests until authentication succeeds. Unlike PAP, the authentication server sends a "challenge" string.
Figure 1 chap Verification
In Figure 1, when the authenticated end (router RouterB) sends a response packet to the "challenge" string, the authentication server verifies the identity of the other end using the MD5 digest algorithm. If the response is correct, identity authentication succeeds and the link between the two parties is established.
If RouterB at the authenticated end sends an incorrect "challenge" response packet, the authentication server continues to send authentication requests until it receives the correct response packet.
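The challenge/response check described above, written out as an added Python model; it is not part of the original article and not any router vendor's code. It assumes the MD5 variant of CHAP (RFC 1994), in which the response is MD5 over the 8-bit Identifier, the shared secret and the challenge value. The names routerb and routerc, the secret samepass and the max_attempts cap are constructed for the example; the cap exists only so the model terminates, since the article's server simply keeps challenging until it succeeds. The scenarios also show the case sensitivity of CHAP passwords that the article notes later, and why a response recorded for one challenge does not satisfy a fresh one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """MD5-CHAP response (RFC 1994): MD5(Identifier || secret || challenge).

    The secret itself never goes on the wire; only this 16-byte digest does.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


@dataclass
class Authenticator:
    """The CHAP authentication server (RouterA in the article)."""
    local_db: dict = field(default_factory=dict)  # Local Password Database: name -> password
    identifier: int = 0                           # last Identifier used (8-bit field)

    def challenge(self) -> tuple[int, bytes]:
        """Issue a new challenge: a fresh Identifier plus 16 random bytes."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        """Recompute the digest from the stored secret and compare in constant time."""
        secret = self.local_db.get(name)          # exact lookup, so case matters
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


@dataclass
class Peer:
    """The authenticated end (RouterB): answers challenges with its configured secret."""
    name: str
    secret: str

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def authenticate(server: Authenticator, peer: Peer, max_attempts: int = 5) -> tuple[bool, int]:
    """Run the exchange of Figure 1: the server keeps challenging until a correct response
    arrives. max_attempts is an assumption added so that the model terminates."""
    for attempt in range(1, max_attempts + 1):
        ident, chal = server.challenge()
        name, resp = peer.respond(ident, chal)
        if server.verify(ident, chal, name, resp):
            return True, attempt
    return False, max_attempts


def run_scenarios() -> dict:
    """Constructed scenarios mirroring the article's configuration (routerb / samepass)."""
    server = Authenticator(local_db={"routerb": "samepass"})
    results = {}
    # 1. Matching username and secret: passes on the first challenge.
    results["correct_secret"] = authenticate(server, Peer("routerb", "samepass"))
    # 2. Same password in different case: CHAP passwords are case sensitive, so every attempt fails.
    results["wrong_case"] = authenticate(server, Peer("routerb", "SamePass"), max_attempts=3)
    # 3. Username missing from the Local Password Database.
    results["unknown_name"] = authenticate(server, Peer("routerc", "samepass"), max_attempts=3)
    # 4. A response computed for one challenge does not satisfy a later challenge.
    ident, chal = server.challenge()
    name, old_resp = Peer("routerb", "samepass").respond(ident, chal)
    ident2, chal2 = server.challenge()
    results["replayed_response"] = server.verify(ident2, chal2, name, old_resp)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Running the block prints one line per scenario; only the first one succeeds, and it does so on the first challenge. The verify step compares digests with hmac.compare_digest rather than == so that the comparison time does not depend on how many leading bytes match.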
Configuration of the CHAP authentication server
The configuration of the CHAP authentication server is divided into two steps: creating a Local Password Database and requiring CHAP authentication.
Create a Local Password Database
In global configuration mode, use the username <name> password <password> command to add a record to the Local Password Database. Note that the username here must be the name of the peer router, that is, routerb, as shown below:
RouterA(config)# username routerb password samepass
CHAP authentication required
In interface configuration mode, run the ppp authentication chap command, as follows:
RouterA(config)# interface serial 0/0
RouterA(config-if)# ppp authentication chap
Configure the CHAP authentication Client
Only one step is required to configure the CHAP authentication client: create the local password database. Note that the username here must be the name of the peer router, that is, routera, and the password must be the same as the password stored in the CHAP authentication server's password database. The username command is entered in global configuration mode, as shown below.
RouterB(config)# username routera password samepass
CHAP Diagnosis
You can also use the debug ppp authentication command to diagnose problems in CHAP authentication. Figure 2 shows that the "challenge" response packet sent by the authentication client has not passed the authentication server's check.
Figure 2 output of the debug ppp authentication command
Figure 3 shows that after several authentication requests the authentication server finally receives the correct "challenge" response packet from the authentication client. At this point the link between both parties is established.
Figure 3 output of the debug ppp authentication command
Note:
1. Passwords are case sensitive during CHAP authentication.
2. Identity authentication can also be performed in both directions, that is, mutual authentication. The configuration is similar to one-way authentication, except that each party must be configured as both authentication server and authentication client.
3. The password database can also be stored on AAA or TACACS+ servers instead of on the router. We will not go into details here.
The authentication methods selected by the two parties may differ. For example, if one party chooses PAP and the other chooses CHAP, the authentication negotiation between them will fail. To avoid this negotiation failure, you can configure the router with two authentication methods: when negotiation of the first method fails, the other method is tried. The following command configures the router to use PAP authentication first and, if that fails, CHAP authentication.
RouterA(config-if)# ppp authentication pap chap
The following command does the opposite: CHAP authentication is tried first, and PAP authentication is used if that negotiation fails.
RouterA(config-if)# ppp authentication chap pap