I. Basic configuration
Configure the interface IP addresses on both ends and enable PPP encapsulation.
CPE(config)#interface serial 0/1
CPE(config-if)#ip address 192.168.1.1 255.255.255.0
CPE(config-if)#encapsulation ppp
The ISP end must also be configured for PPP encapsulation; otherwise the two ends cannot communicate because their encapsulations differ.
ISP(config)#interface serial 0/0
ISP(config-if)#ip address 192.168.1.2 255.255.255.0
ISP(config-if)#encapsulation ppp
Once both ends use the same encapsulation they can communicate normally, but without authentication there is no way to confirm that the peer is legitimate. In ISP access, in order to bill and verify the customer, the ISP end must be configured to require an authentication mode, PAP or CHAP, and the client must send a valid account name and password to the ISP for verification; only after verification succeeds can the link come up.
II. Configuring PAP authentication
PAP (Password Authentication Protocol) uses a two-way handshake: the authenticatee first sends its account name and password to the authenticator in cleartext, and the authenticator then returns a success or failure indication. Because PAP carries the username and password in cleartext over the link, it is not secure enough. PAP can be run as one-way or two-way authentication.
1. One-way authentication in PAP mode
On the ISP end, add the username and password that the CPE end will use to authenticate, storing them in the router's local database, and enable PAP as the authentication mode on the interface.
ISP(config)#username gmcc password 123456
ISP(config)#interface s0/0
ISP(config-if)#ppp authentication pap
On the CPE end, configure the router to send its username and password to the ISP end for verification.
CPE(config-if)#interface s0/1
CPE(config-if)#ppp pap sent-username gmcc password 123456
In a lab a small number of usernames and passwords can be configured directly on the local router; in production, because the number of customers is large, a dedicated RADIUS or TACACS+ authentication server is needed to handle user and password authentication, authorization and accounting.
Log output for PAP one-way authentication
CPE(config-if)#ppp pap sent-username gmcc password 123456
CPE(config-if)#
*Mar 1 00:11:26.059: Se0/1 PPP: No authorization without authentication
*Mar 1 00:11:26.059: Se0/1 PAP: Using hostname from interface PAP
*Mar 1 00:11:26.063: Se0/1 PAP: Using password from interface PAP
*Mar 1 00:11:26.063: Se0/1 PAP: O AUTH-REQ id 1 len 16 from "gmcc"
*Mar 1 00:11:26.299: Se0/1 PAP: I AUTH-ACK id 1 len 5
CPE(config-if)#
*Mar 1 00:11:27.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
CPE(config-if)#
ISP router
*Mar 1 00:11:56.207: Se0/0 PAP: I AUTH-REQ id 1 len 16 from "gmcc"
*Mar 1 00:11:56.207: Se0/0 PAP: Authenticating peer gmcc
*Mar 1 00:11:56.211: Se0/0 PPP: Sent PAP LOGIN Request
*Mar 1 00:11:56.215: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:11:56.219: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:11:56.223: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:11:56.227: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:11:56.231: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:11:56.231: Se0/0 PAP: O AUTH-ACK id 1 len 5
*Mar 1 00:11:56.239: Se0/0 PPP: Sent OSICP AUTHOR Request
*Mar 1 00:11:56.247: Se0/0 OSICP: Received AAA AUTHOR Response PASS
*Mar 1 00:11:56.247: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:11:56.279: Se0/0 PPP: Sent IPCP AUTHOR Request
ISP#
*Mar 1 00:11:57.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
The log output shows that in PAP one-way authentication the CPE end packs the username and password together and sends them to the ISP for verification. The username "gmcc" is sent in cleartext as the authentication identifier, and the ISP end uses it to look up the matching user and password in its local database.
2. Two-way authentication in PAP mode
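To make the cleartext claim concrete, here is an added example (not part of the original tutorial) that builds the PAP Authenticate-Request frame defined in RFC 1334 for the page's credentials gmcc / 123456 and parses it back. The frame comes out 16 bytes long, matching "O AUTH-REQ id 1 len 16" in the CPE log above, and the Authenticate-Ack with an empty message is 5 bytes, matching "len 5". Both the username and the password are recoverable from the raw bytes, which is what the text means by "cleartext".

```python
"""PAP Authenticate-Request / Authenticate-Ack on the wire (RFC 1334).

Added example for this tutorial, not code from the original page or from any
vendor. Credentials gmcc / 123456 are the constructed lab values used above.
"""
import struct

PAP_AUTH_REQ = 1
PAP_AUTH_ACK = 2
PAP_AUTH_NAK = 3


def build_auth_request(ident: int, peer_id: str, password: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Peer-ID-Length(1) Peer-ID Passwd-Length(1) Password.

    Nothing is hashed or encrypted: both strings go on the link as typed.
    """
    pid = peer_id.encode()
    pwd = password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    length = 4 + len(body)  # Length covers the 4-byte header plus the body
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, length) + body


def build_auth_ack(ident: int, message: str = "") -> bytes:
    """Authenticate-Ack: Code(1) Identifier(1) Length(2) Msg-Length(1) Message.

    With an empty message the frame is exactly 5 bytes, as seen in the log.
    """
    msg = message.encode()
    length = 4 + 1 + len(msg)
    return struct.pack("!BBH", PAP_AUTH_ACK, ident, length) + bytes([len(msg)]) + msg


def parse_auth_request(frame: bytes) -> dict:
    """Decode a captured Authenticate-Request; raises on malformed length fields."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQ or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pid_len = frame[4]
    peer_id = frame[5:5 + pid_len]
    pwd_len = frame[5 + pid_len]
    pwd_start = 6 + pid_len
    password = frame[pwd_start:pwd_start + pwd_len]
    if pwd_start + pwd_len != length:
        raise ValueError("length fields do not add up")
    return {"id": ident, "len": length,
            "peer_id": peer_id.decode(), "password": password.decode()}


if __name__ == "__main__":
    req = build_auth_request(1, "gmcc", "123456")
    print(req.hex())                 # the ASCII of both fields is visible in the hex
    print(parse_auth_request(req))   # {'id': 1, 'len': 16, 'peer_id': 'gmcc', 'password': '123456'}
    print(len(build_auth_ack(1)))    # 5
```

Because the parser needs no key or secret to recover the password, anyone positioned on the serial link sees the same thing; this is the property that motivates CHAP in the next section.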
PAP two-way authentication requires both the ISP and CPE routers to hold the peer's username and password in their local databases, enable PAP as the authentication mode on the interface, and send their own username and password to the peer for verification.
ISP(config)#username CPE password 0 123456
ISP(config)#interface s0/0
ISP(config-if)#ppp authentication pap
ISP(config-if)#ppp pap sent-username ISP password 0 cisco
CPE(config)#username ISP password 0 cisco
CPE(config)#interface s0/1
CPE(config-if)#ppp authentication pap
CPE(config-if)#ppp pap sent-username CPE password 0 123456
Log output for PAP two-way authentication
CPE(config-if)#
*Mar 1 00:18:07.535: Se0/1 PAP: Using hostname from interface PAP
*Mar 1 00:18:07.535: Se0/1 PAP: Using password from interface PAP
*Mar 1 00:18:07.539: Se0/1 PAP: O AUTH-REQ id 2 len 16 from "gmcc"
*Mar 1 00:18:07.539: Se0/1 PAP: I AUTH-REQ id 1 len 12 from "isp"
*Mar 1 00:18:07.539: Se0/1 PAP: Authenticating peer isp
*Mar 1 00:18:07.547: Se0/1 PPP: Sent PAP LOGIN Request
*Mar 1 00:18:07.555: Se0/1 PPP: Received LOGIN Response PASS
*Mar 1 00:18:07.559: Se0/1 PPP: Sent LCP AUTHOR Request
*Mar 1 00:18:07.563: Se0/1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:18:07.567: Se0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:18:07.571: Se0/1 PAP: O AUTH-ACK id 1 len 5
*Mar 1 00:18:07.823: Se0/1 PAP: I AUTH-ACK id 2 len 5
*Mar 1 00:18:07.827: Se0/1 PPP: Sent OSICP AUTHOR Request
*Mar 1 00:18:07.831: Se0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:18:07.835: Se0/1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:18:07.847: Se0/1 OSICP: Received AAA AUTHOR Response PASS
*Mar 1 00:18:07.851: Se0/1 CDPCP: Received AAA AUTHOR Response PASS
CPE(config-if)#
*Mar 1 00:18:08.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
CPE(config-if)#
ISP router log output
ISP(config-if)#
*Mar 1 00:18:37.451: Se0/0 PAP: Using hostname from interface PAP
*Mar 1 00:18:37.455: Se0/0 PAP: Using password from interface PAP
*Mar 1 00:18:37.455: Se0/0 PAP: O AUTH-REQ id 1 len 12 from "isp"
*Mar 1 00:18:37.667: Se0/0 PAP: I AUTH-REQ id 2 len 16 from "gmcc"
*Mar 1 00:18:37.667: Se0/0 PAP: Authenticating peer gmcc
*Mar 1 00:18:37.671: Se0/0 PPP: Sent PAP LOGIN Request
*Mar 1 00:18:37.679: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:18:37.679: Se0/0 PAP: I AUTH-ACK id 1 len 5
*Mar 1 00:18:37.683: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:18:37.687: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:18:37.691: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:18:37.695: Se0/0 PAP: O AUTH-ACK id 2 len 5
*Mar 1 00:18:37.699: Se0/0 PPP: Sent OSICP AUTHOR Request
*Mar 1 00:18:37.699: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:18:37.707: Se0/0 OSICP: Received AAA AUTHOR Response PASS
*Mar 1 00:18:37.711: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:18:37.851: Se0/0 PPP: Sent IPCP AUTHOR Request
ISP(config-if)#
*Mar 1 00:18:38.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
ISP(config-if)#
III. Configuring CHAP authentication
Because PAP sends the username and password in cleartext and is therefore not secure enough, the more secure CHAP authentication technique was developed.
CHAP uses a three-way handshake, in the following three steps:
1. When the authenticatee wants to establish a connection with the authenticator, the authenticator sends its local username ISP and a random challenge X to the authenticatee, and at the same time keeps a copy of the challenge X in its local database;
2. The authenticatee looks up the received username ISP in its own database and retrieves the corresponding password Y, feeds the password Y and the random number X into the MD5 hash function, and returns the resulting hash value Z1 together with its own local username CPE to the authenticator;
3. The authenticator finds the password Y corresponding to the username CPE sent by the authenticatee, retrieves from its backup database the challenge X it sent in step 1, feeds the challenge X and password Y into the MD5 hash function to compute the hash value Z2, and compares it with the hash value Z1 received from the authenticatee: if Z1 = Z2 the verification succeeds, otherwise authentication fails.
In this process the username, the challenge X and the hash value Z are still effectively sent in cleartext, but the password Y must be identical on both ends and is never transmitted during authentication. Because MD5 is a one-way function, without knowing the password Y it is very hard to produce a matching hash value Z for a given challenge X, which gives the authentication good protection.
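The three steps above, carried through in code as an added example (not from the original tutorial). It uses the page's symbols: challenge X, shared password Y, hash Z1 computed by the responder and Z2 recomputed by the authenticator. One detail the prose omits: RFC 1994 defines the MD5 input as the one-byte Identifier followed by the secret and the challenge, so the hash is MD5(Identifier || Y || X); the Identifier ties the response to one specific challenge, and the authenticator must compare against the X it stored for that Identifier, which is why a response replayed against a fresh challenge fails. The usernames CPE / ISP and password cisco are the page's lab values; the two Python dictionaries standing in for the routers' local databases and the fixed test challenge are constructed.

```python
"""CHAP challenge/response per RFC 1994 (MD5 algorithm), both sides modelled.

Added example for this tutorial, not code from the original page or from any
vendor. The dictionaries below are constructed stand-ins for the routers' local
username/password databases.
"""
import hashlib
import hmac
import os
import struct

CHAP_RESPONSE = 2

# Each side stores the *peer's* username and the shared password Y (the page's lab values).
ISP_USERS = {"CPE": b"cisco"}   # configured on ISP:  username CPE password 0 cisco
CPE_USERS = {"ISP": b"cisco"}   # configured on CPE:  username ISP password 0 cisco


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || Y || X) as defined in RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def make_challenge(ident: int, name: str, size: int = 16, value: bytes = None) -> dict:
    """Step 1: the authenticator sends (Identifier, X, its own name) and keeps a copy of X."""
    value = os.urandom(size) if value is None else value
    return {"id": ident, "value": value, "name": name}


def respond(challenge: dict, local_db: dict, local_name: str) -> dict:
    """Step 2: the responder looks up Y by the challenger's name and returns Z1 with its own name.

    Y itself never leaves this function; only the 16-byte digest goes on the wire.
    """
    secret = local_db[challenge["name"]]
    z1 = chap_hash(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": z1, "name": local_name}


def verify(challenge: dict, response: dict, local_db: dict) -> bool:
    """Step 3: the authenticator recomputes Z2 from its stored X and Y; success iff Z1 == Z2."""
    if response["id"] != challenge["id"]:
        return False                      # response does not belong to this challenge
    secret = local_db.get(response["name"])
    if secret is None:
        return False                      # unknown peer name
    z2 = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(response["value"], z2)   # constant-time comparison


def response_frame(resp: dict) -> bytes:
    """CHAP Response on the wire: Code(2) Identifier(1) Length(2) Value-Size(1) Value Name.

    A 16-byte MD5 value plus a 4-character name gives Length 25, which is what the
    CPE log later on this page shows for its RESPONSE from "gmcc".
    """
    value, name = resp["value"], resp["name"].encode()
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBH", CHAP_RESPONSE, resp["id"], length) + bytes([len(value)]) + value + name


def run_handshake(ident: int = 12, cpe_db: dict = CPE_USERS, isp_db: dict = ISP_USERS) -> bool:
    """ISP authenticates CPE (one-way, as in the page's first CHAP scenario)."""
    challenge = make_challenge(ident, "ISP")          # ISP -> CPE
    response = respond(challenge, cpe_db, "CPE")      # CPE -> ISP
    return verify(challenge, response, isp_db)        # ISP decides


if __name__ == "__main__":
    print("matching password Y:", run_handshake())                          # True
    print("mismatched password:", run_handshake(cpe_db={"ISP": b"wrong"}))  # False
```

Two checks worth keeping in mind when reading the debug output later: the authenticator only ever compares digests, so a wrong password shows up as a CHAP FAILURE rather than as any transmitted secret, and each challenge value X should be fresh, since the protection rests on the peer being unable to reuse an old response.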
1. One-way authentication in CHAP mode
On the ISP end, add the CPE end's username and password and enable CHAP authentication on the interface.
ISP(config)#username CPE password 0 cisco
ISP(config)#interface s0/0
ISP(config-if)#ppp authentication chap
ISP(config-if)#ppp chap hostname ISP
(Optional) If no username is specified, the router's own hostname is sent to the peer by default.
On the CPE end, configure the username and password to be used during verification.
CPE(config-if)#interface s0/1
CPE(config-if)#ppp chap hostname CPE
CPE(config-if)#ppp chap password cisco
The CPE-side commands above only specify the username and password to be used during PPP CHAP authentication; the username is passed to the peer during authentication, while the password is never exchanged.
Log output for CHAP one-way authentication
CPE(config-if)#
*Mar 1 00:10:21.695: Se0/1 PPP: Using default call direction
*Mar 1 00:10:21.695: Se0/1 PPP: Treating connection as a dedicated line
*Mar 1 00:10:21.695: Se0/1 PPP: Session handle[BB 00000C ] Session id[13]
*Mar 1 00:10:21.699: Se0/1 PPP: Authorization required
*Mar 1 00:10:21.883: Se0/1 PPP: No authorization without authentication
*Mar 1 00:10:21.979: Se0/1 CHAP: I CHALLENGE id 12 len 23 from "ISP"
*Mar 1 00:10:21.987: Se0/1 CHAP: Using hostname from interface CHAP
*Mar 1 00:10:21.987: Se0/1 CHAP: Using password from interface CHAP
*Mar 1 00:10:21.987: Se0/1 CHAP: O RESPONSE id 12 len 25 from "gmcc"
*Mar 1 00:10:22.195: Se0/1 CHAP: I SUCCESS id 12 len 4
CPE(config-if)#
*Mar 1 00:10:23.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
CPE(config-if)#
The log output shows that PPP authentication prefers the CHAP username and password specified in interface mode; only when none is specified on the interface does it fall back to the AAA username and password configured in global mode. The username is sent in cleartext during authentication, whereas the password is used only to compute the hash value and is never exchanged between the two ends.
ISP router log output
ISP#
*Mar 1 00:10:21.791: Se0/0 CHAP: O CHALLENGE id 12 len 23 from "ISP"
*Mar 1 00:10:22.063: Se0/0 CHAP: I RESPONSE id 12 len 25 from "gmcc"
*Mar 1 00:10:22.067: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:10:22.071: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:10:22.079: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:10:22.079: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:10:22.083: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:10:22.087: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:10:22.087: Se0/0 CHAP: O SUCCESS id 12 len 4
*Mar 1 00:10:22.091: Se0/0 PPP: Sent OSICP AUTHOR Request
*Mar 1 00:10:22.095: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:10:22.099: Se0/0 OSICP: Received AAA AUTHOR Response PASS
*Mar 1 00:10:22.103: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:10:22.355: Se0/0 PPP: Sent IPCP AUTHOR Request
ISP#
2. Two-way authentication in CHAP mode
As with PAP two-way authentication, CHAP two-way authentication requires both the ISP and CPE routers to hold the peer's username and password in their local databases, enable CHAP as the authentication mode on the interface, and optionally specify the local username to send to the peer for verification; the password is never sent to the peer, which protects the authentication.
ISP(config)#username CPE password 0 cisco
ISP(config)#interface s0/0
ISP(config-if)#ppp authentication chap
ISP(config-if)#ppp chap hostname ISP
CPE(config)#username ISP password 0 cisco
CPE(config-if)#interface s0/1
CPE(config-if)#ppp authentication chap
CPE(config-if)#ppp chap hostname CPE
Log output for CHAP two-way authentication
CPE(config-if)#no shut
CPE(config-if)#
*Mar 1 00:31:09.243: Se0/1 PPP: Using default call direction
*Mar 1 00:31:09.243: Se0/1 PPP: Treating connection as a dedicated line
*Mar 1 00:31:09.247: Se0/1 PPP: Session handle[F4000025] Session id[39]
*Mar 1 00:31:09.303: Se0/1 CHAP: O CHALLENGE id 10 len 25 from "gmcc"
*Mar 1 00:31:09.459: Se0/1 CHAP: I CHALLENGE id 19 len 24 from "isp"
*Mar 1 00:31:09.467: Se0/1 CHAP: I RESPONSE id 10 len 24 from "isp"
*Mar 1 00:31:09.475: Se0/1 PPP: Sent CHAP LOGIN Request
*Mar 1 00:31:09.475: Se0/1 CHAP: Using hostname from interface CHAP
*Mar 1 00:31:09.475: Se0/1 CHAP: Using password from AAA
*Mar 1 00:31:09.475: Se0/1 CHAP: O RESPONSE id 19 len 25 from "gmcc"
*Mar 1 00:31:09.483: Se0/1 PPP: Received LOGIN Response PASS
*Mar 1 00:31:09.491: Se0/1 PPP: Sent LCP AUTHOR Request
*Mar 1 00:31:09.491: Se0/1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:31:09.495: Se0/1 CHAP: I SUCCESS id 19 len 4
*Mar 1 00:31:09.499: Se0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:31:09.503: Se0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:31:09.503: Se0/1 CHAP: O SUCCESS id 10 len 4
*Mar 1 00:31:09.511: Se0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:31:09.515: Se0/1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:31:09.523: Se0/1 CDPCP: Received AAA AUTHOR Response PASS
CPE(config-if)#
*Mar 1 00:31:10.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
ISP router log output
ISP#
*Mar 1 00:31:39.247: Se0/0 PPP: Authorization required
*Mar 1 00:31:39.255: Se0/0 CHAP: O CHALLENGE id 19 len 24 from "isp"
*Mar 1 00:31:39.259: Se0/0 CHAP: I CHALLENGE id 10 len 25 from "gmcc"
*Mar 1 00:31:39.263: Se0/0 CHAP: Using hostname from interface CHAP
*Mar 1 00:31:39.267: Se0/0 CHAP: Using password from AAA
*Mar 1 00:31:39.267: Se0/0 CHAP: O RESPONSE id 10 len 24 from "isp"
*Mar 1 00:31:39.595: Se0/0 CHAP: I RESPONSE id 19 len 25 from "gmcc"
*Mar 1 00:31:39.599: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:31:39.603: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:31:39.607: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:31:39.611: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:31:39.615: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:31:39.615: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:31:39.619: Se0/0 CHAP: O SUCCESS id 19 len 4
*Mar 1 00:31:39.715: Se0/0 CHAP: I SUCCESS id 10 len 4
*Mar 1 00:31:39.719: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:31:39.727: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:31:39.755: Se0/0 PPP: Sent IPCP AUTHOR Request
ISP#
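Reading the debug output by hand, as the PAP and CHAP sections above do, works for a lab; for a fleet of access routers it helps to have the direction of authentication extracted automatically. The following added example (not from the original tutorial) summarizes per interface what the "debug ppp authentication" lines on this page reveal: which protocol was used, whether the local router authenticated the peer (incoming AUTH-REQ or RESPONSE), whether it was itself authenticated (outgoing AUTH-REQ or RESPONSE followed by an incoming ACK or SUCCESS), and whether the line protocol came up. It also flags PAP sessions because their credentials crossed the link in cleartext. The sample inputs are the CPE-side PAP two-way and CHAP one-way logs copied from this page; the regular expressions are written for that IOS debug format and nothing else.

```python
"""Summarize Cisco IOS 'debug ppp authentication' output per interface.

Added example for this tutorial, not code from the original page or from any
vendor. The sample logs below are copied from the CPE-side transcripts on this
page; the field names in the summary are this example's own.
"""
import re
from collections import defaultdict

# "*Mar 1 00:18:07.539: Se0/1 PAP: O AUTH-REQ id 2 len 16 from "gmcc""
LINE_RE = re.compile(r'^\*\w{3}\s+\d+\s+[\d:.]+:\s+(Se\d+/\d+)\s+(\w+):\s+(.*)$')
UP_RE = re.compile(r'%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to (up|down)')
FROM_RE = re.compile(r'from "([^"]+)"')


def _new_state():
    return {"protocol": None, "authenticated_peer": None, "authenticated_as": None,
            "peer_accepted_us": False, "we_accepted_peer": False, "line_up": False}


def summarize(lines):
    """Return {interface: summary} for the PAP/CHAP events found in the log lines."""
    state = defaultdict(_new_state)
    for raw in lines:
        line = raw.strip()
        m = UP_RE.search(line)
        if m:                                   # "Serial0/1" in syslog vs "Se0/1" in debug lines
            state[m.group(1).replace("Serial", "Se")]["line_up"] = (m.group(2) == "up")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                            # prompts, LCP/IPCP/AAA chatter, anything else
        ifc, proto, msg = m.groups()
        if proto not in ("PAP", "CHAP"):
            continue
        s = state[ifc]
        s["protocol"] = proto
        name = FROM_RE.search(msg)
        name = name.group(1) if name else None
        if proto == "PAP":
            if msg.startswith("O AUTH-REQ"):   s["authenticated_as"] = name     # we sent credentials
            elif msg.startswith("I AUTH-REQ"): s["authenticated_peer"] = name   # peer sent credentials
            elif msg.startswith("I AUTH-ACK"): s["peer_accepted_us"] = True
            elif msg.startswith("O AUTH-ACK"): s["we_accepted_peer"] = True
        else:
            if msg.startswith("O RESPONSE"):   s["authenticated_as"] = name     # we answered a challenge
            elif msg.startswith("I RESPONSE"): s["authenticated_peer"] = name   # peer answered ours
            elif msg.startswith("I SUCCESS"):  s["peer_accepted_us"] = True
            elif msg.startswith("O SUCCESS"):  s["we_accepted_peer"] = True
    for s in state.values():
        both = s["authenticated_as"] is not None and s["authenticated_peer"] is not None
        s["direction"] = "two-way" if both else "one-way"
        s["cleartext_credentials"] = (s["protocol"] == "PAP")   # PAP sends the password as typed
    return dict(state)


# Sample input copied from the CPE-side PAP two-way transcript on this page.
PAP_TWO_WAY_CPE = """\
*Mar 1 00:18:07.535: Se0/1 PAP: Using hostname from interface PAP
*Mar 1 00:18:07.539: Se0/1 PAP: O AUTH-REQ id 2 len 16 from "gmcc"
*Mar 1 00:18:07.539: Se0/1 PAP: I AUTH-REQ id 1 len 12 from "isp"
*Mar 1 00:18:07.539: Se0/1 PAP: Authenticating peer isp
*Mar 1 00:18:07.555: Se0/1 PPP: Received LOGIN Response PASS
*Mar 1 00:18:07.571: Se0/1 PAP: O AUTH-ACK id 1 len 5
*Mar 1 00:18:07.823: Se0/1 PAP: I AUTH-ACK id 2 len 5
CPE(config-if)#
*Mar 1 00:18:08.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
""".splitlines()

# Sample input copied from the CPE-side CHAP one-way transcript on this page.
CHAP_ONE_WAY_CPE = """\
*Mar 1 00:10:21.979: Se0/1 CHAP: I CHALLENGE id 12 len 23 from "ISP"
*Mar 1 00:10:21.987: Se0/1 CHAP: Using hostname from interface CHAP
*Mar 1 00:10:21.987: Se0/1 CHAP: O RESPONSE id 12 len 25 from "gmcc"
*Mar 1 00:10:22.195: Se0/1 CHAP: I SUCCESS id 12 len 4
*Mar 1 00:10:23.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
""".splitlines()


if __name__ == "__main__":
    for label, sample in (("PAP two-way", PAP_TWO_WAY_CPE), ("CHAP one-way", CHAP_ONE_WAY_CPE)):
        print(label, summarize(sample)["Se0/1"])
```

Run against the PAP transcript the summary reports a two-way session in which the CPE authenticated as "gmcc" and authenticated the peer "isp", with cleartext credentials flagged; against the CHAP transcript it reports a one-way session in which the CPE was authenticated as "gmcc" but did not authenticate the ISP, which is exactly the asymmetry the two-way configuration in this section closes.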
IV. Configuring IP address negotiation: the ISP-side server dynamically assigns an IP address to the CPE and reclaims it when the connection ends, conserving public IP addresses (as in ADSL)
ISP-side configuration
On the ISP end, configure the address to assign to the CPE end (a fixed address, or one taken from a DHCP pool).
ISP(config-if)#peer default ip address 202.96.129.102
ISP(config-if)#peer default ip address dhcp-pool
CPE-side configuration
On the CPE end, configure the IP address to be obtained from the ISP end.
CPE(config-if)#ip address negotiated
V. Configuring PPP compression
Configure the compression mode: stac consumes CPU resources, predictor consumes memory.
ISP(config-if)#compress stac | predictor
Configure TCP header compression. It is only suitable for low-speed links; on high-speed links (such as E1) it is not recommended, to avoid increasing the router's load.
ISP(config-if)#ip tcp header-compression
PPP compression must be configured on both ends of the PPP link; otherwise the link will not work.