More and more small organizations are using wide area networks to connect their branches. Because of the price and limited flexibility of leased lines (ordinary leased lines and DDN), various kinds of switched networks, such as telephone dial-up and ISDN, are used instead.
However, dial-up access has security problems. Dial-up access servers on the Internet generally use some form of password authentication, usually PAP or CHAP.
Security Authentication Mechanism
The principle of PAP authentication is as follows: when machine A wants to connect to machine B over PPP and machine B has PAP authentication configured, A dials B and then sends its own user name and password to B. If B finds that the password matches the one stored for that name in its user database, A and B continue with IP address negotiation; otherwise B drops the line.
PAP authentication is performed only during connection setup; no further PAP authentication takes place during data transmission.
The principle of CHAP authentication is as follows: when machine A wants to connect to machine B over PPP and machine B has CHAP authentication configured, A dials B, and B then sends A a piece of random data together with B's own name. A looks up the password corresponding to that name, hashes the received random data with this password using the MD5 algorithm to obtain a 16-byte result, and sends that result together with its own name to B. On receiving it, B looks up A's password, performs the same MD5 computation over the random data with that password, and compares its own result with the one received from A. If they match, A and B continue negotiation; otherwise B drops the line.
CHAP authentication is performed not only during connection establishment but also at random intervals during the subsequent data transmission phase; if the results do not match, B likewise drops the line.
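The CHAP exchange described above, as an added example that is not part of the original article: both sides in Python, with the hash built as RFC 1994 specifies (MD5 over the packet identifier, the shared secret and the challenge). The user names and secrets are constructed sample values. It also shows why a captured response is useless against a later challenge, which is what separates CHAP from PAP sending the password itself.

```python
import hashlib
import hmac
import os

# Constructed credential stores (sample data, not from the article).
# B (the authenticator) knows the secret for each remote user name;
# A (the peer) keeps the secret for each authenticator it may dial.
B_USER_DB = {"userA": b"example-secret"}
A_SECRETS = {"routerB": b"example-secret"}


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: Response Value = MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def b_send_challenge(identifier: int, b_name: str = "routerB") -> dict:
    """Step 1: B sends fresh random data (the challenge) and its own name."""
    return {"id": identifier, "challenge": os.urandom(16), "name": b_name}


def a_send_response(chal: dict, a_name: str, secrets=A_SECRETS) -> dict:
    """Step 2: A looks up the secret for B's name, hashes the challenge with it,
    and replies with its own name. The secret itself never crosses the link."""
    secret = secrets[chal["name"]]
    value = chap_hash(chal["id"], secret, chal["challenge"])
    return {"id": chal["id"], "value": value, "name": a_name}


def b_verify(chal: dict, resp: dict, user_db=B_USER_DB) -> bool:
    """Step 3: B looks up A's secret by the name in the response, recomputes the
    hash over the same challenge and compares. Any mismatch means B drops the line."""
    secret = user_db.get(resp["name"])
    if secret is None or resp["id"] != chal["id"] or len(resp["value"]) != 16:
        return False
    expected = chap_hash(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["value"])  # constant-time compare


def run_exchange(a_name: str = "userA", identifier: int = 1) -> bool:
    """One complete challenge/response round; B repeats this at intervals during the session."""
    chal = b_send_challenge(identifier)
    resp = a_send_response(chal, a_name)
    return b_verify(chal, resp)


def replay_fails() -> bool:
    """A response captured from one round does not verify against the next challenge,
    because B picks new random data each time (same identifier, different challenge)."""
    old = b_send_challenge(1)
    captured = a_send_response(old, "userA")
    new = b_send_challenge(1)
    return not b_verify(new, captured)
```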
Because a higher security level comes at the cost of connection speed, many Internet access points use PAP authentication. Generally, after reaching the dial-up access server, a remote visitor still has to pass the host's own password check, so security is not a problem, and since domestic remote access rates are low, using PAP saves some overhead.
Internal router Authentication
When a dedicated router is used, a separate server is generally used for security authentication, which makes installation, use and maintenance troublesome. If only a few users are involved, or if a dial-up password is shared within a dedicated piece of software, this is even less worthwhile. In such cases the router's own built-in authentication can be used. The Cisco router configuration is as follows:
hostname 2509
! router name
!
enable password cisco
! privileged (enable) mode password
!
username cisco password 0 cisco
! remote user name and password; type 0 means the password is stored unencrypted
!
interface Ethernet0
 ip address 202.100.99.5 255.255.255.0
 no shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async dynamic routing
 async mode interactive
 ! interactive mode allows switching between terminal mode and PPP mode
 peer default ip address pool default
 ppp authentication pap
 group-range 1 8
!
ip local pool default 202.100.99.2 202.100.99.254
ip classless
!
line con 0
line 1 8
 autoselect ppp
 login local
 ! authenticate dial-in users against the local username database
 modem inout
 autocommand ppp
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 password cisco
 login
!
end
This configuration can serve as a dial-up access server for internal communication. It is also a standard intranet configuration: any dial-up client, such as the Dial-Up Networking feature of Windows 95, can use it to connect to internal servers such as a WWW server.