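Lab objective: R16 and R15 cannot establish an EIGRP neighbor relationship; check PPP CHAP.
The correct configuration is as follows. Note the parts marked in blue, red and green, which correspond to one another. These parameters must match between the PPP CHAP peers for authentication to succeed.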
R15:
username CCIE password 0 cisco123
!
interface Serial1/0
ip address 172.14.156.15 255.255.255.0
ip authentication mode eigrp 200 md5
ip authentication key-chain eigrp 200 cisco
encapsulation ppp
serial restart-delay 0
ppp authentication chap cisco
ppp chap hostname cisco
ppp chap password 0 cisco123
------------------------------------
R16:
username cisco password 0 cisco123
!
interface Serial1/0
ip address 172.14.156.16 255.255.255.0
ip authentication mode eigrp 200 md5
ip authentication key-chain eigrp 200 cisco
encapsulation ppp
serial restart-delay 0
ppp authentication chap
ppp chap hostname CCIE
ppp chap password 0 cisco123
Next, change the key parameters described above and see how each one affects PPP CHAP authentication.
Step 1: change the password under the interface
----------------------------------------------------
Change the password under the interface to CCIEtest:
R16(config)#int s1/0
R16(config-if)#ppp chap password 0 CCIEtest
R16(config-if)#do sh run int s1/0
interface Serial1/0
ip address 172.14.156.16 255.255.255.0
ip authentication mode eigrp 200 md5
ip authentication key-chain eigrp 200 cisco
encapsulation ppp
serial restart-delay 0
ppp authentication chap
ppp chap hostname CCIE
ppp chap password 0 CCIEtest ///changed from cisco123 to CCIEtest
Verify:
R16(config-if)#shut
R16(config-if)#no shut
Mar 1 01:06:04.915: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.15 (Serial1/0) is down: interface down
R16(config-if)#
Mar 1 01:06:08.847: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.15 (Serial1/0) is up: new adjacency
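The adjacency still comes up, so changing the password under the interface does not affect PPP CHAP authentication. Why is that? Keep the question in mind and read on.
Step 2: change the global password
Now change R16's password to cisco1:
R16(config)#username cisco password 0 cisco1 ///changed cisco123 to cisco1
Authentication between R15 and R16 now fails: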
R16(config-if)#
Mar 1 01:15:57.131: Se1/0 PPP: Authorization required
Mar 1 01:15:57.371: Se1/0 CHAP: O CHALLENGE id 195 len 25 from "CCIE"
Mar 1 01:15:57.435: Se1/0 CHAP: I CHALLENGE id 194 len 26 from "cisco"
Mar 1 01:15:57.439: Se1/0 CHAP: Using hostname from interface CHAP
Mar 1 01:15:57.439: Se1/0 CHAP: Using password from AAA
Mar 1 01:15:57.443: Se1/0 CHAP: O RESPONSE id 194 len 25 from "CCIE"
Mar 1 01:15:57.471: Se1/0 CHAP: I RESPONSE id 195 len 26 from "cisco"
Mar 1 01:15:57.475: Se1/0 PPP: Sent CHAP LOGIN Request
Mar 1 01:15:57.483: Se1/0 PPP: Received LOGIN Response FAIL
Mar 1 01:15:57.487: Se1/0 CHAP: O FAILURE id 195 len 25 msg is "Authentication failed"
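The debug ppp auth output above shows that PPP CHAP takes the username from the interface configuration, but the password from the global configuration. That answers the earlier question: changing the password under the interface does not affect CHAP authentication because it is simply not involved.
Change the global password on R15 to cisco1 as well; authentication passes and the connection is established: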
R15(config)#username CCIE password 0 cisco1
R15(config)#
*Mar 1 01:21:28.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Mar 1 01:21:28.671: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.16 (Serial1/0) is up: new adjacency
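Conclusion: the global passwords on R15 and R16 must be the same, either both cisco123 or both cisco1. These are the three parameters marked in blue, green and red at the beginning; they must correspond one to one.
How it works: R15 and R16 each use the username configured under their own interface and the password configured globally to challenge the PPP CHAP peer; they then exchange these and authenticate each other.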
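The lookup described above can be reproduced offline. The following is an added example, not part of the original lab: a simplified Python model of the RFC 1994 CHAP exchange using this page's names and passwords. The Router class and its methods are hypothetical, and the model assumes that the interface "ppp chap password" is used only when no global username entry matches the peer's name.

```python
import hashlib, hmac, os

def chap_value(ident, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:  # hypothetical model, not IOS code
    def __init__(self, chap_hostname, usernames, if_password=""):
        self.chap_hostname = chap_hostname  # interface: ppp chap hostname
        self.usernames = usernames          # global: username <peer> password <secret>
        self.if_password = if_password      # interface: ppp chap password

    def respond(self, ident, challenge, challenger_name):
        # Secret is looked up by the challenger's name in the global username
        # entries; the interface password is only a fallback for unknown peers.
        secret = self.usernames.get(challenger_name, self.if_password)
        return self.chap_hostname, chap_value(ident, secret, challenge)

    def verify(self, ident, challenge, peer_name, value):
        secret = self.usernames.get(peer_name)
        if secret is None:
            return False
        return hmac.compare_digest(value, chap_value(ident, secret, challenge))

def one_way(authenticator, peer):
    ident, challenge = os.urandom(1)[0], os.urandom(16)
    name, value = peer.respond(ident, challenge, authenticator.chap_hostname)
    return authenticator.verify(ident, challenge, name, value)

def link_up(a, b):
    # Both sides run "ppp authentication chap", so both directions must pass.
    return one_way(a, b) and one_way(b, a)

if __name__ == "__main__":
    r15 = Router("cisco", {"CCIE": "cisco123"}, "cisco123")
    r16 = Router("CCIE", {"cisco": "cisco123"}, "cisco123")
    print("baseline:", link_up(r15, r16))
    r16.if_password = "CCIEtest"             # step 1
    print("step 1:", link_up(r15, r16))
    r16.usernames["cisco"] = "cisco1"        # step 2
    print("step 2:", link_up(r15, r16))
    r15.usernames["CCIE"] = "cisco1"         # fix on R15
    print("after fix:", link_up(r15, r16))
```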
Additional verification: is it really unrelated to the password under the interface?
R16(config-if)#ppp chap password 0 suixinsuoyu ///set the password to "suixinsuoyu" ("whatever you like")
R16(config-if)#shut
Mar 1 01:56:45.231: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.15 (Serial1/0) is down: interface down
R16(config-if)#no shut
Mar 1 01:56:54.279: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
Mar 1 01:56:55.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.15 (Serial1/0) is down: Interface Goodbye received
Mar 1 01:56:55.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Mar 1 01:56:58.599: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.15 (Serial1/0) is up: new adjacency ///as expected, no effect; it was not blamed wrongly, it really is unrelated
R15(config-if)#ppp chap password 0 luanqibazao ///set the password to "luanqibazao" ("a complete mess")
R15(config-if)#shut
R15(config-if)#
*Mar 1 01:56:26.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.16 (Serial1/0) is down: interface down
R15(config-if)#no shut
*Mar 1 01:56:28.035: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Mar 1 01:56:29.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R15(config-if)#no shut
R15(config-if)#
*Mar 1 01:56:32.083: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
R15(config-if)#
*Mar 1 01:56:33.479: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.14.156.16 (Serial1/0) is up: new adjacency ///as expected, the neighbor still comes up; it was not blamed wrongly, it really is unrelated