Questions about the principles of PAP and CHAP in PPP authentication
Objective: 1. What is the process of PAP and CHAP? 2. Why can the passwords on the two sides of PAP be set differently, while in CHAP they must be the same? 3. Complete the configuration of both.

The Password Authentication Protocol (PAP) is used in the data frame process of the Point-to-Point Protocol (PPP). It uses a two-way handshake to provide a simple plaintext authentication method. Authentication is performed on the initial PPP link, that is, during the LCP phase of PPP. The following is a one-way PAP authentication instance: router R2 is the authenticator (server) and router R1 is the authenticated client. The working principle of PAP authentication is shown in Figure 8.29.

Step 1: R1 initiates an initial PPP connection to R2; this is actually the initial LCP connection described above.

Step 2: After the initial LCP connection of PPP is complete, R2 requires R1 to provide PPP PAP authentication. In fact, PAP authentication is also completed in the LCP stage.

Step 3: R1 sends the user name "r1" and password "cisco" to R2. The Authenticate-Request data frame is shown in Figure 8.30. Note: at this time the user name and password sent by R1 are not encrypted; in other words, they can easily be captured and stolen by a third party. Therefore the security of PAP is not high, and it should be used with caution. From the data frame in Figure 8.30 we can clearly see the contents of the user name and password strings that were sent.

Step 4: When R2 receives the user name and password from R1, it looks them up in its local security database. If they match an entry, R2 sends an authentication confirmation message (Authenticate-Ack) back to R1; the data frame is shown in Figure 8.31. If authentication fails, the connection is rejected.

Demonstration: PPP PAP authentication configuration

Demonstration goal: implement PAP authentication configuration on a Cisco router PPP link.

Demo environment: see Figure 8.32.
Demo tool: two Cisco routers; the routers must support a serial port module.

Demonstration background: In this demonstration environment, two Cisco routers are connected point-to-point using serial ports, and PPP encapsulation is enabled on the point-to-point link. First, complete a one-way PAP authentication configuration in which router R2 authenticates the PAP access of router R1; then complete a two-way PAP authentication configuration in which routers R1 and R2 authenticate each other using different password strings.

Demo steps:

Step 1: Configure one-way PAP authentication, requiring R2 to authenticate the PPP connection of R1. Complete the following configurations on routers R1 and R2.

One-way PAP authentication configuration on router R2:

    R2(config)# username r1 password cisco
    R2(config)# interface s1/0
    R2(config-if)# ip address 192.168.3.2 255.255.255.252
    R2(config-if)# encapsulation ppp
    R2(config-if)# ppp authentication pap
    R2(config-if)# no shutdown

Command explanation: The command username r1 password cisco creates a local security database on router R2 with user name r1 and password cisco. When R1 sends its user name and password to R2 in the PAP authentication request message, R2 matches them against the user name and password in this database. The command ppp authentication pap in S1/0 interface mode enables PAP authentication on this interface.

One-way PAP authentication configuration on router R1:

    R1(config)# interface s1/0
    R1(config-if)# ip address 192.168.3.1 255.255.255.252
    R1(config-if)# encapsulation ppp
    R1(config-if)# ppp pap sent-username r1 password cisco
    R1(config-if)# no shutdown

Command explanation: The command ppp pap sent-username r1 password cisco instructs router R1 to send its user name r1 and password cisco to router R2 for PAP authentication.
Because the current configuration is one-way PAP authentication, only router R2 needs to authenticate the PAP access of R1, so there is no need to create a local security database or enable PAP authentication on router R1; R1 is only the client of PAP authentication.

Step 2: The preceding configuration completes one-way PAP authentication. Now we need to check its result. First, use the shutdown command in S1/0 interface mode of router R2 to disable the interface, then run debug ppp authentication in privileged mode of router R2 to debug the PPP authentication process, and then reactivate the S1/0 interface of router R2. The debug output is shown in Figure 8.33. From the output we can see that the PAP authentication peer is router R1 and the authentication result is PASS.

Note: In step 2, why is it necessary to first disable the S1/0 interface of router R2 and activate it only after debug is started? The reason is simple: PAP authentication is completed in the LCP phase of the PPP link. If the link has already completed LCP negotiation, debug will not show any message about PAP authentication.

Step 3: Configure two-way PAP authentication and set different password strings on routers R1 and R2; create a local security database on each router. The specific configurations of the two routers are as follows. After the configuration is complete, you can test connectivity to router R1 from router R2, as shown in Figure 8.34, which shows communication after two-way authentication succeeds.
Configuration of two-way PAP authentication on router R2:

    R2(config)# username r1 password cisco
    R2(config)# interface s1/0
    R2(config-if)# ip address 192.168.3.2 255.255.255.252
    R2(config-if)# encapsulation ppp
    R2(config-if)# ppp authentication pap
    R2(config-if)# ppp pap sent-username r2 password ccna
    R2(config-if)# no shutdown

Configuration of two-way PAP authentication on router R1:

    R1(config)# username r2 password ccna
    R1(config)# interface s1/0
    R1(config-if)# ip address 192.168.3.1 255.255.255.252
    R1(config-if)# encapsulation ppp
    R1(config-if)# ppp authentication pap
    R1(config-if)# ppp pap sent-username r1 password cisco
    R1(config-if)# no shutdown

Note: The difference between two-way and one-way PAP authentication is that each of the two routers must hold the other party's user name and password in its local security database, and each must send its own authentication message to the peer. It is worth noting that the password strings in the two directions can be different; keep this in mind when distinguishing it from CHAP authentication, described in the following section.

Working principle of PPP CHAP: The Challenge Handshake Authentication Protocol (CHAP) is very different from PAP. CHAP does not send a plaintext password over the link; instead, it uses a three-way handshake and compares digest messages to perform authentication. Therefore CHAP is more secure than PAP. So what is the three-way handshake process of CHAP, and what is a CHAP digest message? The working principle of CHAP is described below and shown in Figure 8.35.

Step 1: Before performing CHAP authentication on routers R1 and R2, an identical pre-shared key string, for example "ccna", must first be set at both ends of the authentication peers. Note: the keys at both ends must be the same.

Step 2: Router R2 generates a random number and then processes it in two ways.
First, the random number is sent to router R1. This is the first step of the CHAP three-way handshake, the CHAP Challenge message, shown in Figure 8.36; the frame carries the CHAP message type and the random number generated by R2. Second, R2 feeds the random number together with its own key (this key is in fact the pre-shared key agreed in advance between R2 and R1) into the MD5 generator, performs the MD5 calculation, and extracts a digest from the result.

Step 3: When router R1 receives the random number sent by router R2, it feeds the random number together with R1's key (this key is in fact the password pre-negotiated between R2 and R1) into the MD5 generator, performs the MD5 calculation, and sends the resulting digest to R2. This is the second step of the CHAP three-way handshake, the CHAP Response message. The specific data frame is shown in Figure 8.37. From the data frame we can see that what R1 sends to R2 is not a plaintext password but a processed digest message, which is very different from PAP authentication; therefore CHAP is more secure than PAP.

Step 4: When router R2 receives the digest sent from R1, it compares it with the digest that R2 itself calculated in step 2. If the two are the same, CHAP authentication succeeds, R2 sends back a CHAP authentication confirmation message (the data frame is shown in Figure 8.38), and the link proceeds to the NCP phase of PPP. If they differ, the link is torn down.

Note: From the analysis of the CHAP authentication principle, it is not hard to see that the keys on routers R1 and R2 must be the same, because they belong to a "pre-shared" key mechanism and the key is the decisive factor in both sides generating the same MD5 digest.
If the two passwords are different, then even with the same random number the MD5 generators on the two sides will calculate different results, and the digest messages will not match. Meanwhile, the real key content is never transmitted over the network.

Demonstration: PPP CHAP authentication configuration

Demonstration purpose: configure the CHAP authentication function on the PPP link.

Demo environment: see Figure 8.39.

Demo tool: two Cisco routers; the routers must support serial port modules.

Demonstration background: In this demonstration environment, two Cisco routers are connected point-to-point using serial ports, and PPP encapsulation is enabled on the point-to-point link. Complete the CHAP authentication configuration first.

Demonstration steps:

Step 1: Configure CHAP authentication on the PPP link of routers R1 and R2.

Configuration on router R1:

    r1(config)# username r2 password ccna
    r1(config)# interface s1/0
    r1(config-if)# ip address 192.168.3.1 255.255.255.252
    r1(config-if)# encapsulation ppp
    r1(config-if)# ppp authentication chap
    r1(config-if)# ppp chap hostname r1
    r1(config-if)# ppp chap password ccna

Command explanation: The command username r2 password ccna creates a local security database on router R1 with user name r2 and password ccna. In fact, the password here is the pre-shared key described in the working principle of CHAP, so the user name on router R1 can be different, but the password must be the same as the password string on router R2. The command ppp authentication chap enables CHAP authentication on the PPP link; the command ppp chap hostname r1 defines the user name used for CHAP authentication; the command ppp chap password ccna defines the shared key used for CHAP authentication.
Configuration on router R2:

    r2(config)# username r1 password ccna
    r2(config)# interface s1/0
    r2(config-if)# ip address 192.168.3.2 255.255.255.252
    r2(config-if)# encapsulation ppp
    r2(config-if)# ppp authentication chap
    r2(config-if)# ppp chap hostname r2
    r2(config-if)# ppp chap password ccna

Note: The CHAP configuration commands on router R2 are basically the same as those on router R1 except for the user name. It is worth mentioning that students often have a serious misunderstanding of CHAP: that negotiation succeeds as long as the password in the peer's security database is the same as the password sent locally. This is wrong; no password is sent at all. The ppp chap password ccna command in interface mode does not send the password to the peer for verification. This error comes from applying the working principle of PAP to CHAP authentication, so be careful to avoid it.

Step 2: After the above configuration, CHAP authentication on the PPP link is complete. Now we need to check its result. First, use the shutdown command in S1/0 interface mode of router R2 to disable the interface, run debug ppp authentication in privileged mode of router R2 to debug the PPP authentication process, and then reactivate the S1/0 interface of router R2. The debug output is shown in Figure 8.40. The result shows the three-way handshake process of CHAP, and the authentication result is PASS.
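As an added example (constructed for this page, not code from the original text or from Cisco), the following Python models the two routers' local security databases and both authentication methods, using the CHAP response formula from RFC 1994 (MD5 over Identifier || secret || challenge). It shows why two-way PAP succeeds with a different password in each direction, and why a CHAP digest only matches when both sides hold the same pre-shared key, with no secret ever crossing the link. The identifier value and any fixed challenge bytes are assumptions for the demonstration.

```python
import hashlib
import os

# Constructed model (not the page's own code) of the "username ... password ..."
# local security databases and the two PPP authentication methods.

def pap_authenticate(local_db, peer_id, password):
    """PAP authenticator: the Authenticate-Request carries peer-id and
    password in plaintext; accept if they match a local database entry."""
    return local_db.get(peer_id) == password

def two_way_pap(r1_db, r1_sent, r2_db, r2_sent):
    """Two-way PAP: R2 checks what R1 sends, R1 checks what R2 sends.
    Each direction is a separate lookup, so the two passwords may differ."""
    return pap_authenticate(r2_db, *r1_sent) and pap_authenticate(r1_db, *r2_sent)

def chap_response(ident, secret, challenge):
    """CHAP Response value per RFC 1994: MD5(Identifier || secret || challenge).
    Only this 16-byte digest is sent; the secret stays on the router."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_authenticate(local_db, ident, challenge, peer_name, peer_digest):
    """CHAP authenticator (R2): look up the secret stored for the peer's
    'ppp chap hostname', recompute the digest locally and compare."""
    secret = local_db.get(peer_name)
    if secret is None:
        return False
    return chap_response(ident, secret, challenge) == peer_digest

def chap_exchange(r2_db, r1_hostname, r1_secret, challenge=None, ident=1):
    """Three-way handshake: R2 sends (ident, challenge); R1 answers with the
    digest computed from its own 'ppp chap password'; R2 verifies it.
    ident=1 is an assumed identifier value."""
    if challenge is None:
        challenge = os.urandom(16)          # R2's random number
    response = chap_response(ident, r1_secret, challenge)   # computed on R1
    return chap_authenticate(r2_db, ident, challenge, r1_hostname, response)

if __name__ == "__main__":
    # Two-way PAP from the page: R2 holds r1/cisco, R1 holds r2/ccna.
    print(two_way_pap({"r2": "ccna"}, ("r1", "cisco"),
                      {"r1": "cisco"}, ("r2", "ccna")))   # True
    # CHAP: same pre-shared key on both sides succeeds, a different one fails.
    print(chap_exchange({"r1": "ccna"}, "r1", "ccna"))     # True
    print(chap_exchange({"r1": "ccna"}, "r1", "cisco"))    # False
```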