Principles and configuration of PAP and CHAP for PPP authentication (Cisco router)

Source: Internet
Author: User


I. Prerequisites

1. PPP definition: Point-to-Point Protocol (PPP) is a data link layer protocol for point-to-point lines, published by the IETF (Internet Engineering Task Force). It is not a proprietary protocol and can connect devices from different vendors. It supports multiple protocols, optional authentication services, various data compression methods, dynamic address negotiation, and multi-link bundling.

2. PPP authentication:

2.1 PAP authentication: PAP (Password Authentication Protocol) is a two-way handshake authentication protocol. When the link is first initialized, the authenticated end initiates an authentication request and sends its user name and password to the authenticating end for identity verification. The user name and password are sent in plain text, so security is low. PAP supports one-way and two-way authentication.

[Figures in the original: PAP authentication flowchart; one-way and two-way authentication]

2.2 CHAP authentication: CHAP (Challenge Handshake Authentication Protocol) verifies the identity of the authenticated end through a three-way handshake. The handshake is performed when the link is first established and, to improve security, is repeated periodically after the link is up. CHAP is safer than PAP because it does not send the password in plain text over the link; instead it sends a value produced by running a random number sequence through MD5. CHAP supports one-way and two-way authentication.

[Figure in the original: CHAP authentication flow]
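The difference between the two exchanges described above, as an added example that is not part of the original article: it builds a PAP Authenticate-Request (RFC 1334 layout) and reads the credentials straight back out of it, then computes and checks a CHAP MD5 response (RFC 1994). The function names and the sample values are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values taken from the article's lab: host name R_A, password 123.
PEER, SECRET = b"R_A", b"123"

def pap_auth_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): code 1, id, length, then the
    length-prefixed Peer-ID and Password fields, both in clear text."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def pap_sniff(packet: bytes) -> tuple:
    """What a capture of the link yields: (peer_id, password), no key needed."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if len(packet) < 6 or code != 1 or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = packet[4]
    m = packet[5 + n]
    return packet[5:5 + n], packet[6 + n:6 + n + m]

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticating end: recompute with its own copy of the secret and compare."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def demo() -> dict:
    first, second = os.urandom(16), os.urandom(16)   # one fresh challenge per handshake
    answer = chap_response(1, SECRET, first)
    return {
        "pap_capture": pap_sniff(pap_auth_request(1, PEER, SECRET)),
        "chap_accepts_answer": chap_verify(1, SECRET, first, answer),
        "chap_accepts_replay": chap_verify(2, SECRET, second, answer),
        "chap_accepts_wrong_secret": chap_verify(1, b"124", first, answer),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The CHAP response is only as strong as the shared password: a short value such as 123 can be guessed offline from one captured challenge and response, so production links need a long random secret.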
3. Configuration

3.1 Configuration environment:
1. Simulation environment: Cisco Packet Tracer 5.3
2. Simulated router: Cisco Router-PT
3. Serial connection: R_A --> s2/0; R_B --> s3/0

3.2 PAP authentication:

3.2.1 PAP one-way authentication:

1. R_A configuration information:

    hostname R_A
    interface Serial2/0
     ip address 192.168.1.1 255.255.255.0
     encapsulation ppp
     ! credentials R_A sends to the authenticating end
     ppp pap sent-username R_A password 0 123
     clock rate 64000

    R_A(config-if)#ip address 192.168.1.1 255.255.255.0
    R_A(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial2/0, changed state to up

2. R_B configuration information:

    Router>en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R_B
    R_B(config)#username R_A password 0 123
    R_B(config)#interface s3/0
    R_B(config-if)#encapsulation ppp
    R_B(config-if)#ppp authentication pap
    R_B(config-if)#ip address 192.168.1.2 255.255.255.0
    R_B(config-if)#no shutdown

3. Verification:

On router R_A:

    R_A#debug ppp authentication
    PPP authentication debugging is on
    Serial2/0 Using hostname from interface PAP
    Serial2/0 Using password from interface PAP
    Serial2/0 PAP: O AUTH-REQ id 17 len 15
    Serial2/0 PAP: Phase is FORWARDING, Attempting Forward
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

On router R_B:

    R_B#ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/6 ms

3.2.2 PAP two-way authentication (the two-way configuration builds on the one-way configuration):

1. Add user information and the authentication method on R_A:

    R_A#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R_A(config)#username R_B password 0 123
    R_A(config)#interface s2/0
    R_A(config-if)#ppp authentication pap

2. Add the authentication information to send on R_B:

    R_B#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R_B(config)#inter s3/0
    R_B(config-if)#ppp pap sent-username R_B password 0 123

3. Verification:

    R_A#ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/6/16 ms

3.3 CHAP authentication:

3.3.1 CHAP one-way authentication:

1. R_A (authenticated end) configuration information:

    hostname R_A
    ! the user name is the peer's host name; the password is shared by both ends
    username R_B password 0 123
    interface Serial2/0
     ip address 192.168.1.1 255.255.255.0
     encapsulation ppp
     clock rate 64000

2. R_B (authenticating end) configuration information:

    hostname R_B
    username R_A password 0 123
    interface Serial3/0
     ip address 192.168.1.2 255.255.255.0
     encapsulation ppp
     ! R_B challenges the peer with CHAP
     ppp authentication chap

3.3.2 CHAP two-way authentication:

1. Configure the R_A router as follows:

    R_A#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R_A(config)#inter s2/0
    R_A(config-if)#ppp authentication chap
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

2. Verification:

    R_A(config-if)#do ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/9/35 ms
IV. Idea:

1. Matching between user name and password information and host name;
2. Matching between the authenticated end and the authenticating end;
3. Authentication information is case sensitive;
4. If the configuration does not take effect after modification, restart the port;
5. Common troubleshooting commands:

    show running-config
    show interface sx/x/x
    debug ppp authentication

6. The authentication information can be placed on a third-party server: an AAA or TACACS+ server.
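An offline check for the weak settings used in this lab, run over text saved from the running configuration (added example, not part of the original article). The function name audit_ppp and the wording of the findings are this example's own; it relies on "password 0" marking a password stored unencrypted in the configuration.

```python
import re

# Constructed input: R_B's PAP configuration from section 3.2.1, written as it
# would appear in the saved running configuration.
R_B_PAP = """\
hostname R_B
username R_A password 0 123
interface Serial3/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
"""

def audit_ppp(config: str) -> list:
    """Return (scope, finding) pairs for weak PPP authentication settings."""
    findings, iface = [], None
    ppp = {}  # interface name -> methods listed on its "ppp authentication" line
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):      # a top-level line ends the interface block
            iface = None
            if m := re.match(r"username (\S+) password 0 ", line):
                findings.append((m.group(1), "local password stored as type 0 (clear text)"))
            elif m := re.match(r"interface (\S+)", line):
                iface = m.group(1)
            continue
        if iface is None:
            continue
        if line == "encapsulation ppp":
            ppp.setdefault(iface, [])
        elif m := re.match(r"ppp authentication (.+)", line):
            ppp.setdefault(iface, []).extend(m.group(1).split())
        elif re.match(r"ppp pap sent-username \S+ password 0 ", line):
            findings.append((iface, "PAP password to send stored as type 0 (clear text)"))
    for name, methods in ppp.items():
        if not methods:
            findings.append((name, "PPP without 'ppp authentication': peer is not authenticated"))
        elif "pap" in methods:
            findings.append((name, "peer authenticated with PAP: password crosses the link in clear text"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_ppp(R_B_PAP):
        print(f"{scope}: {finding}")
```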
 
