Lab topology:

[Figure 1: 【CCNA】 Cisco PPP authentication (one-way PAP and one-way CHAP)]

A very simple topology: R2 plays the authentication server (the authenticator) and R1 plays the peer being authenticated.

Lab objective: get R1 connected to R2 through PAP authentication and then CHAP authentication.

Lab steps:

First, configure the IP addresses on R1 and R2.

R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#int s1/0

R1(config-if)#ip add 1.1.1.1 255.255.255.0

R1(config-if)#no sh


R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#int s1/0

R2(config-if)#ip add 1.1.1.2 255.255.255.0

R2(config-if)#no sh


Since R1 and R2 are now on the same subnet, they can ping each other.

The default encapsulation on Cisco devices is HDLC, which we can confirm:


R2#show int s1/0

Serial1/0 is up, line protocol is up 

  Hardware is M4T

  Internet address is 1.1.1.2/24

  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, 

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation HDLC, crc 16, loopback not set

  Keepalive set (10 sec)

  Restart-Delay is 0 secs

  CRC checking enabled

.......


To use PPP authentication, the encapsulation must first be changed to PPP.

R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#int s1/0

R1(config-if)#encapsulation ?  

  frame-relay  Frame Relay networks

  hdlc         Serial HDLC synchronous

  lapb         LAPB (X.25 Level 2)

  ppp          Point-to-Point protocol

  smds         Switched Megabit Data Service (SMDS)

  x25          X.25


R1(config-if)#encapsulation ppp

R1(config-if)#

*Mar  1 00:12:25.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down

R1's encapsulation is changed to PPP first. At this point the encapsulation on R1 and R2 no longer matches, so the line protocol goes down.


R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#int s1/0

R2(config-if)#encapsulation ppp

R2(config-if)#

*Mar  1 00:14:09.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Once R2's encapsulation is also changed to PPP, the line protocol comes back up automatically.


Next, configure PAP authentication

R2(config)#username R1 password benet

R2(config)#int s1/0

R2(config-if)#ppp authentication  pap

R2(config-if)#

*Mar  1 00:18:00.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down

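The account is set to username R1 with password benet. The line protocol goes down again, because R2 now requires PAP authentication and R1 is not yet sending any credentials.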


Log in from R1

R1(config)#int s1/0     

R1(config-if)#ppp pap sent-username R1 password benet

R1(config-if)#

*Mar  1 00:20:27.763: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

R1(config-if)#end

*Mar  1 00:20:35.475: %SYS-5-CONFIG_I: Configured from console by console

Test

R1#p 1.1.1.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/32 ms

Authentication succeeds and the link is up.


Switch to one-way CHAP authentication

R2(config-if)#no ppp authentication  pap

R2(config-if)#sh       

R2(config-if)#

*Mar  1 00:23:09.011: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down

*Mar  1 00:23:10.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down

R2(config-if)#username R1 password benet

R2(config)#int s1/0

R2(config-if)#ppp authentication chap

R2(config-if)#no sh


Log in from R1

R1(config-if)#no ppp pap sent-username R1 password benet

R1(config-if)#shut

R1(config-if)#

*Mar  1 00:33:38.775: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down

*Mar  1 00:33:39.775: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down

R1(config-if)#ppp chap hostname R1

R1(config-if)#ppp chap password benet

R1(config-if)#no sh

R1(config-if)#end

*Mar  1 00:34:12.643: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up

R1(config-if)#end

R1#

*Mar  1 00:34:13.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

*Mar  1 00:34:14.575: %SYS-5-CONFIG_I: Configured from console by console


Connectivity test

R1#p 1.1.1.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/48 ms

Authentication succeeds.
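
What the two methods configured above put on the wire, as an added example that is not part of the original lab: it goes beyond the router commands and builds the PAP Authenticate-Request (RFC 1334) and the CHAP Response (RFC 1994, MD5) for the lab's account R1/benet, showing that PAP carries the password in cleartext while CHAP carries only a hash over a per-attempt challenge. The identifier values, the wrong secret `cisco` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

# Credentials from the lab: "username R1 password benet" on R2.
USERNAME, SECRET = b"R1", b"benet"

def _packet(code, ident, data):
    # Common PAP/CHAP header: Code (1), Identifier (1), Length (2, includes header).
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def pap_authenticate_request(ident, peer_id, password):
    # RFC 1334: length-prefixed Peer-ID and Password, both sent in cleartext.
    return _packet(1, ident, bytes([len(peer_id)]) + peer_id
                   + bytes([len(password)]) + password)

def chap_response_value(ident, secret, challenge):
    # RFC 1994 with MD5: hash over Identifier || secret || Challenge value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_response(ident, name, secret, challenge):
    # Code 2: Value-Size, Value (the hash), then the responder's name.
    value = chap_response_value(ident, secret, challenge)
    return _packet(2, ident, bytes([len(value)]) + value + name)

def authenticator_verify(ident, secret, challenge, response):
    # R2's side: recompute the hash from its local secret and compare.
    received = response[5:5 + response[4]]
    return hmac.compare_digest(received, chap_response_value(ident, secret, challenge))

def demo(challenge=None):
    # A fresh random challenge per attempt is what defeats replay of an old response.
    challenge = os.urandom(16) if challenge is None else challenge
    pap = pap_authenticate_request(1, USERNAME, SECRET)    # identifier 1: constructed
    resp = chap_response(7, USERNAME, SECRET, challenge)   # identifier 7: constructed
    return {
        "password_visible_in_pap": SECRET in pap,
        "password_visible_in_chap": SECRET in resp,
        "chap_accepts_right_secret": authenticator_verify(7, SECRET, challenge, resp),
        # b"cisco" is a constructed wrong secret, not a value from the lab.
        "chap_rejects_wrong_secret": not authenticator_verify(7, b"cisco", challenge, resp),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a link where the serial line can be tapped, this is the practical reason to prefer `ppp authentication chap` over `ppp authentication pap`.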