Security Authentication in Routers

Source: Internet
Author: User
Tags: network function

More and more small organizations use wide area networks to connect their branches. For reasons of price and flexibility, instead of leased lines (ordinary leased lines and DDN), various switched networks such as telephone dial-up and ISDN can be used.

However, dial-up access has security problems. Dial-up access servers on the Internet generally use some form of password authentication, usually PAP or CHAP.

Security Authentication Mechanism

The principle of PAP authentication is this: when machine A wants to connect to machine B over the PPP protocol and machine B is configured for PAP authentication, then after A dials B, A sends its own name and password to B. B looks the name up in its user database; if the password matches, A and B continue with IP address negotiation, otherwise B drops the line.

PAP is performed only during connection setup; no PAP authentication takes place during data transmission.

The principle of CHAP authentication is this: when machine A wants to connect to machine B over the PPP protocol and machine B is configured for CHAP authentication, then after A dials B, B sends A a piece of random data together with B's own name. A looks up the password that belongs to that name and uses it to compute an MD5 digest over the received random data, obtaining a 16-byte result; A then sends this result, together with A's own name, to B. On receiving it, B looks up A's password, applies the MD5 algorithm to the same random data with that password, and compares its own result with the result received from A. If they match, A and B continue negotiating; otherwise B drops the line.

CHAP is performed not only in the connection establishment phase but also at random intervals during the subsequent data transmission phase. If a result does not match, B likewise drops the line.

Because a higher security level comes at the cost of connection speed, much Internet access uses PAP authentication. Generally, after reaching the dial-up access server, a remote visitor still has to pass the host's password check, so security will not be a problem, while the rate of domestic remote access is low and using PAP improves efficiency somewhat.
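The two exchanges described above, as an added example that is not part of the original article: machine B as the CHAP authenticator issuing random challenges (initially and again during the session), machine A answering with its own name and the 16-byte MD5 result, and, for contrast, the PAP Authenticate-Request in which the password travels verbatim. The user database, the router name "2509" and the name/password pair "cisco"/"cisco" are taken from the article's sample configuration; the class and function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed user database for machine B. The name/password pair matches the
# "username cisco password 0 cisco" line in the article's sample configuration.
USER_DB: Dict[str, bytes] = {"cisco": b"cisco"}


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge), 16 bytes.
    The secret never leaves the host; only this digest is sent."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Machine B: issues random challenges and checks the peer's responses.
    Re-challenging during the session (the article's 'random intervals') is
    simply another challenge()/verify() round."""

    def __init__(self, name: str, users: Dict[str, bytes]) -> None:
        self.name = name
        self.users = users
        self.ident = 0
        self.pending: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes, str]:
        self.ident = (self.ident + 1) % 256
        value = os.urandom(16)                  # fresh random data every time
        self.pending[self.ident] = value
        return self.ident, value, self.name     # B also sends its own name

    def verify(self, ident: int, peer_name: str, response: bytes) -> bool:
        value = self.pending.pop(ident, None)   # single use: a recorded response is worthless
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        expected = chap_digest(ident, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Machine A: answers with its own name and the digest over B's challenge."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret

    def answer(self, ident: int, value: bytes) -> Tuple[int, str, bytes]:
        return ident, self.name, chap_digest(ident, self.secret, value)


def run_chap(peer_secret: bytes, rounds: int = 2) -> bool:
    """Full exchange: initial authentication plus a later re-challenge."""
    b = Authenticator("2509", USER_DB)
    a = Peer("cisco", peer_secret)
    for _ in range(rounds):
        ident, value, _b_name = b.challenge()
        if not b.verify(*a.answer(ident, value)):
            return False                        # B "cuts the line"
    return True


def replay_is_rejected() -> bool:
    """A response recorded from one exchange fails when presented again,
    because the challenge it answered has already been consumed."""
    b = Authenticator("2509", USER_DB)
    a = Peer("cisco", b"cisco")
    ident, value, _ = b.challenge()
    resp = a.answer(ident, value)
    first = b.verify(*resp)
    second = b.verify(*resp)
    return first and not second


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code 1, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. The password is carried
    as-is, which is why PAP gives no protection against anyone reading the link."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, ident]) + length.to_bytes(2, "big") + body


if __name__ == "__main__":
    print("CHAP, correct secret:", run_chap(b"cisco"))          # True
    print("CHAP, wrong secret:  ", run_chap(b"wrong"))          # False
    print("CHAP replay rejected:", replay_is_rejected())        # True
    pkt = pap_authenticate_request(1, b"cisco", b"cisco")
    print("PAP password visible on the wire:", b"cisco" in pkt)  # True
```

The digest is compared with hmac.compare_digest rather than == so that the comparison time does not depend on where the two values first differ; the pending challenge is discarded after one use so that the same response cannot be accepted twice.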

Internal router Authentication

When a dedicated router is used, a separate server is generally used for security authentication, which makes installation, use and maintenance troublesome. If there are only a few users, or a single dial-up password is shared inside a dedicated piece of software, the situation is even worse. In these cases the router's internal authentication can be used instead. The Cisco router configuration is as follows:

hostname 2509                            (router name)
!
enable password cisco                    (password for the router's privileged global mode)
!
username cisco password 0 cisco          (remote user name and password)
!
interface Ethernet0
 ip address 202.100.99.5 255.255.255.0
 no shut
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async dynamic routing
 async mode interactive                  (allows switching between terminal mode and PPP mode)
 peer default ip address pool default
 ppp authentication pap
 group-range 1 8
!
ip local pool default 202.100.99.2 202.100.99.254
ip classless
!
line con 0
line 1 8
 autoselect ppp
 login local                             (local authentication)
 modem InOut
 autocommand ppp
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 password cisco
 login
!
end

This configuration can serve as a dial-up access server for internal communication. It is also a standard intranet configuration and can be used with various dial-up software, such as the Dial-Up Networking function of Windows 95, to connect to internal servers such as a WWW server.
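The following is an added example, not part of the original article: a small audit script that reads the configuration above (embedded as a constructed sample, with the commands in running-config case and "speed 115200" written out) and reports the settings that matter for dial-up authentication: the reversible "enable password", the type-0 user password, "ppp authentication pap" on the async group, and the shared vty line password. The parser assumes that only "interface" and "line" open indented blocks, which holds for this configuration. The suggested replacements ("enable secret", "username ... secret", "ppp authentication chap", "login local") are standard Cisco IOS commands; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the article's configuration as a running-config dump.
SAMPLE_CONFIG = """\
hostname 2509
!
enable password cisco
!
username cisco password 0 cisco
!
interface Ethernet0
 ip address 202.100.99.5 255.255.255.0
 no shut
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async dynamic routing
 async mode interactive
 peer default ip address pool default
 ppp authentication pap
 group-range 1 8
!
ip local pool default 202.100.99.2 202.100.99.254
ip classless
!
line con 0
line 1 8
 autoselect ppp
 login local
 modem InOut
 autocommand ppp
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 password cisco
 login
!
end
"""

# Assumption for this example: only these commands open an indented block.
SECTION_PREFIXES = ("interface ", "line ")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'interface ...' / 'line ...'
    header; every other top-level command goes under the 'global' key."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):          # blank line or IOS comment
            continue
        if raw.startswith(" "):                     # indented: belongs to current block
            sections[current].append(cmd)
        elif cmd.startswith(SECTION_PREFIXES):      # a new block header
            current = cmd
            sections.setdefault(current, [])
        else:                                       # plain global command
            current = "global"
            sections["global"].append(cmd)
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per weak authentication-related setting."""
    sections = parse_sections(config)
    findings: List[str] = []
    for cmd in sections["global"]:
        if cmd.startswith("enable password "):
            findings.append("global: 'enable password' is stored reversibly; use 'enable secret'")
        m = re.match(r"username (\S+) password 0 ", cmd)
        if m:
            findings.append(f"global: username {m.group(1)} keeps a cleartext (type 0) password")
    for header, cmds in sections.items():
        if header.startswith("interface ") and "ppp authentication pap" in cmds:
            findings.append(f"{header}: PAP sends the password in the clear; prefer 'ppp authentication chap'")
        if header.startswith("line vty") and "login" in cmds and "login local" not in cmds:
            findings.append(f"{header}: shared line password; prefer per-user 'login local'")
    return findings


def hardened(config: str) -> str:
    """The same configuration with the four weak settings replaced."""
    return (config
            .replace("enable password cisco", "enable secret cisco")
            .replace("username cisco password 0 cisco", "username cisco secret cisco")
            .replace("ppp authentication pap", "ppp authentication chap")
            .replace(" password cisco\n login\n", " login local\n"))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    print("findings after hardening:", len(audit(hardened(SAMPLE_CONFIG))))   # 0
```

Run against the sample it prints four findings; run against hardened(SAMPLE_CONFIG) it prints none, since CHAP never puts the password on the line and the secret forms do not store it reversibly.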

Article entry: csh; responsible editor: csh
