实训视频
扩展项目 配置思科PPP认证
一、PAP 认证
PPP(Point to Point Protocol)数据链路层协议。两种认证方式:一种是PAP,一种是CHAP。相对来说PAP的认证方式安全性没有CHAP高。PAP在传输password是明文的,而CHAP在传输过程中不传输密码,PAP认证是通过两次握手实现的,而CHAP则是通过3次握手实现的。
1.项目配置拓扑图
2.项目步骤
1在R1 和R2 路由器上配置IP 地址、保证直连链路的连通性。
R1(config)#int s0/1/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R2(config)#int s0/1/0
R2(config-if)#clock rate 64000
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown2配置路由器R1(远程路由器,被认证方)在路由器。
R2(中心路由器,认证方)取得验证:
R1(config)#int s0/1/0
R1(config-if)#encapsulation pppR1(config-if)#ppp pap sent-username R1 password 123456R2(config)#int s0/1/0
R2(config-if)#encapsulation pppR2(config-if)#ppp authentication papR2(config)#username R1 password 123456以上的步骤只是配置了R1(远程路由器)在R2(中心路由器)取得验证,即单向验证。
然而在实际应用中通常是采用双向验证,即:R2 要验证R1,而R1 也要验证R2。我们要采用类似的步骤进行配置R1 对R2 进行验证,这时R1 为中心路由器,R2 为远程路由器了:
R1(config-if)#ppp authentication papR1(config)#username R2 password 654321R2(config-if)#ppp pap sent-username R2 password 654321提示
3.项目调试
使用“debug ppp authentication”命令可以查看ppp 认证过程。
R1#debug ppp authentication !打开ppp 认证调试
PPP authentication debugging is on
R1(config)#int s0/1/0
R1(config-if)#shutdown
R1(config-if)#no shutdown
//由于PAP 认证是在链路建立后进行一次,把接口关闭重新打开以便观察认证过程*Feb 22 12:18:20.355: %LINK-3-UPDOWN: Interface Serial0/1/0, changed state to up
*Feb 22 12:18:20.355: Se0/1/0 PPP: Using default call direction
*Feb 22 12:18:20.355: Se0/1/0 PPP: Treating connection as a dedicated line
*Feb 22 12:18:20.355: Se0/1/0 PPP: Session handle[C0000006] Session id[15]
*Feb 22 12:18:20.355: Se0/1/0 PPP: Authorization required
*Feb 22 12:18:20.359: Se0/1/0 PAP: Using hostname from interface PAP
*Feb 22 12:18:20.359: Se0/1/0 PAP: Using password from interface PAP
*Feb 22 12:18:20.359: Se0/1/0 PAP: O AUTH-REQ id 13 len 14 from "R1"
*Feb 22 12:18:20.363: Se0/1/0 PAP: I AUTH-REQ id 2 len 14 from "R2"
*Feb 22 12:18:20.363: Se0/1/0 PAP: Authenticating peer R2
*Feb 22 12:18:20.363: Se0/1/0 PPP: Sent PAP LOGIN Request
*Feb 22 12:18:20.363: Se0/1/0 PPP: Received LOGIN Response PASS
*Feb 22 12:18:20.363: Se0/1/0 PPP: Sent LCP AUTHOR Request
*Feb 22 12:18:20.363: Se0/1/0 PPP: Sent IPCP AUTHOR Request
*Feb 22 12:18:20.363: Se0/1/0 LCP: Received AAA AUTHOR Response PASS
*Feb 22 12:18:20.363: Se0/1/0 IPCP: Received AAA AUTHOR Response PASS
*Feb 22 12:18:20.363: Se0/1/0 PAP: O AUTH-ACK id 2 len 5
*Feb 22 12:18:20.363: Se0/1/0 PAP: I AUTH-ACK id 13 len 5
*Feb 22 12:18:20.363: Se0/1/0 PPP: Sent CDPCP AUTHOR Request
*Feb 22 12:18:20.363: Se0/1/0 CDPCP: Received AAA AUTHOR Response PASS
*Feb 22 12:18:20.367: Se0/1/0 PPP: Sent IPCP AUTHOR Request
*Feb 22 12:18:21.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state
to up
//以上是认证成功的例子*Feb 22 12:22:07.391: Se0/1/0 PPP: Authorization required
*Feb 22 12:22:09.411: Se0/1/0 PAP: Using hostname from interface PAP
*Feb 22 12:22:09.411: Se0/1/0 PAP: Using password from interface PAP
*Feb 22 12:22:09.411: Se0/1/0 PAP: O AUTH-REQ id 15 len 14 from "R1"
*Feb 22 12:22:09.411: Se0/1/0 PAP: I AUTH-REQ id 4 len 14 from "R2"
*Feb 22 12:22:09.411: Se0/1/0 PAP: Authenticating peer R2
*Feb 22 12:22:09.411: Se0/1/0 PPP: Sent PAP LOGIN Request
*Feb 22 12:22:09.415: Se0/1/0 PPP: Received LOGIN Response FAIL
*Feb 22 12:22:09.415: Se0/1/0 PAP: O AUTH-NAK id 4 len 26 msg is "Authentication failed"
//以上是认证失败的例子,例如密码错误等二、CHAP 认证
项目环境和拓扑同上。
1.使用“username 用户名 password 密码”命令为对方配置用户名和密码,需要注意的是两方的密码要相同
R1(config)#username R2 password hello
R2(config)#username R1 password hello2.路由器的两端串口采用PPP封装,并采用配置CHAP验证
R1(config)#int s0/1/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R2(config)#int s0/1/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
