

PPP Authentication



#1 我在实验室

    Newcomer

  • Registered user
  • Posts: 2

Posted 2011/10/08 15:27:16

Sharing a document I downloaded from another forum; it was said to be internal study material. Anyone who needs it, download it and take a look~~

I can't upload attachments, so I'll paste the content directly and see whether that works~~~


[ITAA Lab original document] PPP Authentication

Lab objective: understand and master PPP authentication methods and their configuration

Lab topology

(topology diagram not available)

Basic configuration

R1

(configuration screenshot not available)

R2

Note: router interfaces are shut down by default, so the relevant interfaces must be brought up.

With the configuration above, the basic addressing is complete. Next we configure PPP encapsulation on the router interfaces.

First, let's look at the encapsulation currently in use on the router interface.

R1#show interfaces s1/0

Serial1/0 is up, line protocol is up

Hardware is M4T

Internet address is 12.1.1.1/24

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation HDLC,crc 16, loopback not set

Keepalive set (10 sec)

Restart-Delay is 0 secs

Last input 00:00:02, output 00:00:01, output hang never

Last clearing of "show interface" counters 00:05:08

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/1/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 1158 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

28 packets input, 2639 bytes, 0 no buffer

Received 28 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

31 packets output, 2711 bytes, 0 underruns

0 output errors, 0 collisions, 4 interface resets

0 output buffer failures, 0 output buffers swapped out

4 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up

Here we can see that the interface encapsulation is HDLC.

………………………………………… I am the invincible divider …………………………………………

First, a brief introduction to HDLC:

HDLC (High-Level Data Link Control) is a bit-oriented data link layer protocol for transmitting data over synchronous networks. On point-to-point serial lines (synchronous circuits) it uses a frame encapsulation format, carrying data and control information across the link in units of frames. It is highly reliable, prevents lost or duplicated reception, and offers considerable flexibility and control. HDLC is currently in widespread use as a data link control protocol in network designs.

HDLC provides no authentication, so it offers no security protection for the link. That is why we need PPP.

Next, a brief introduction to PPP:

PPP (Point to Point Protocol) is a byte-oriented encapsulation protocol for transporting multi-protocol datagrams over point-to-point connections. Like HDLC, PPP is a frame encapsulation format for serial lines (synchronous or asynchronous circuits). It provides error detection, support for multiple network-layer protocols, and authentication.

………………………………………… I am the invincible divider …………………………………………

Go on

Configure PPP encapsulation on R1's S1/0 interface:

R1(config)#int s1/0

R1(config-if)#encapsulation ppp

Configure PPP encapsulation on R2's S2/0 interface:

R2(config)#int s2/0

R2(config-if)#encapsulation ppp

View R1's S1/0 interface information

R1#show interfaces s1/0

Serial1/0 is up, line protocol is up

Hardware is M4T

Internet address is 12.1.1.1/24

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Open: CDPCP, IPCP, crc 16, loopback not set

Keepalive set (10 sec)

Restart-Delay is 0 secs

…………………… (remaining output omitted) …………………

We can see that PPP is now enabled on the interface and LCP is in the Open state.

View R2's S2/0 interface information

R2#show interfaces s2/0

Serial2/0 is up, line protocol is up

Hardware is M4T

Internet address is 12.1.1.2/24

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Open: CDPCP, IPCP, crc 16, loopback not set

Keepalive set (10 sec)

Restart-Delay is 0 secs

…………………… (remaining output omitted) …………………

R2's interface is also running PPP.

Now view R1's routing table

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 12.1.1.0/24 is directly connected, Serial1/0

C 12.1.1.2/32 is directly connected, Serial1/0

Notice that R1's routing table now contains a host route, and the address is the IP address of R2's S2/0 interface.

Legend has it this is a historical leftover (--!).

But remember: whatever exists has its reason.

This feature is worth knowing a little about; it is covered in detail in the extension at the end.

Here the no peer neighbor-route command can be used to remove this host route.

R1(config)#int s1/0

R1(config-if)#no peer neighbor-route

R1(config-if)#end

R1#clear ip route *

Use the same command on R2 to remove the host route

R2(config)#int s2/0

R2(config-if)#no peer neighbor-route

R2(config-if)#end

R2#clear ip route *

Don't forget to clear the routing table as well.

View R1's routing table

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial1/0

View R2's routing table

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

2.0.0.0/24 is subnetted, 1 subnets

C 2.2.2.0 is directly connected, Loopback0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial2/0

The /32 host route has now vanished without a trace~

………………………………………… I am the invincible divider …………………………………………

Now let's start learning PPP authentication:

First, PAP, the Password Authentication Protocol

PAP (Password Authentication Protocol) authenticates with a simple two-way handshake. After the PPP link is established, the originating node repeatedly sends its username and password over the link until authentication succeeds.

The following figure gives an overview of the PAP authentication process

(PAP authentication flow diagram not available)

One-way PAP authentication

R1 is designated the server and R2 the client

(I) Configuration

Enable PAP authentication on R1 and create the local password database

R1(config)#int s1/0

R1(config-if)#ppp authentication pap

R1(config-if)#exit

R1(config)#username happy password apple

On R2, only the username and password to be sent need to be configured

R2(config)#int s2/0

R2(config-if)#ppp pap sent-username happy password apple

Note: when configuring authentication, check carefully that you have not accidentally typed a trailing space after the password (the space becomes part of the password), which would cause a mismatch.

(II) Verification

(1) First shut down R1's S1/0 interface

R1(config)#int s1/0

R1(config-if)#shutdown

(2) View R1's routing table

R1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

The directly connected route toward R2 has disappeared because the interface is down

(3) Enable debugging on R1

(4) Bring R1's S1/0 interface back up

R1(config)#int s1/0

R1(config-if)#no shutdown

R1 displays the following

*Jul 19 09:58:52.611: Se1/0 PPP: Authorization required

*Jul 19 09:58:52.643: Se1/0 PAP: I AUTH-REQ id 5 len 13 from "R2"

*Jul 19 09:58:52.643: Se1/0 PAP: Authenticating peer R2

*Jul 19 09:58:52.643: Se1/0 PPP: Sent PAP LOGIN Request

*Jul 19 09:58:52.643: Se1/0 PPP: Received LOGIN Response PASS

*Jul 19 09:58:52.643: Se1/0 PPP: Sent LCP AUTHOR Request

*Jul 19 09:58:52.643: Se1/0 PPP: Sent IPCP AUTHOR Request

*Jul 19 09:58:52.643: Se1/0 LCP: Received AAA AUTHOR Response PASS

*Jul 19 09:58:52.643: Se1/0 IPCP: Received AAA AUTHOR Response PASS

*Jul 19 09:58:52.643: Se1/0 PAP: O AUTH-ACK id 5 len 5

*Jul 19 09:58:52.643: Se1/0 PPP: Sent CDPCP AUTHOR Request

*Jul 19 09:58:52.643: Se1/0 CDPCP: Received AAA AUTHOR Response PASS

*Jul 19 09:58:52.651: Se1/0 PPP: Sent IPCP AUTHOR Request

*Jul 19 09:58:53.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Note: the debug output contains the letters O and I. O marks a message sent out; I marks a message received.

PAP authentication between R1 and R2 succeeded

View R1's routing table

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial1/0

The routing table again contains the route to the peer. Authentication succeeded and the link is established.

Two-way PAP authentication

(two-way PAP diagram not available)

Now configure two-way PAP authentication on R1 and R2

On R1, enable PAP authentication and configure the username happy / password apple that R2 uses to authenticate R1,

and add the database entry username light / password quiet that R1 uses to authenticate R2

R1(config)#int s1/0

R1(config-if)#ppp authentication pap

R1(config-if)#ppp pap sent-username happy password apple

R1(config-if)#exit

R1(config)#username light password quiet

On R2, enable PAP authentication and configure the username light / password quiet used when logging in to R1,

and add the database entry username happy / password apple that R2 uses to authenticate R1

R2(config)#int s2/0

R2(config-if)#ppp authentication pap

R2(config-if)#ppp pap sent-username light password quiet

R2(config-if)#exit

R2(config)#username happy password apple

Now verify the PPP authentication process

(1) First shut down R1's S1/0 interface

R1(config)#int s1/0

R1(config-if)#shutdown

(2) View R1's routing table

R1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

The directly connected route toward R2 has disappeared because the interface is down

(3) Enable debugging on R1

(4) Bring R1's S1/0 interface back up

R1(config)#int s1/0

R1(config-if)#no shutdown

The PPP authentication messages are displayed:

*May 27 16:13:00.746: %SYS-5-CONFIG_I: Configured from console by console

*May 27 16:13:01.666: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up

*May 27 16:13:01.666: Se1/0 PPP: Using default call direction

*May 27 16:13:01.666: Se1/0 PPP: Treating connection as a dedicated line

*May 27 16:13:01.666: Se1/0 PPP: Session handle[86000041] Session id[97]

*May 27 16:13:01.666: Se1/0 PPP: Authorization required

*May 27 16:13:01.686: Se1/0 PAP: Using hostname from interface PAP

*May 27 16:13:01.686: Se1/0 PAP: Using password from interface PAP

*May 27 16:13:01.686: Se1/0 PAP: O AUTH-REQ id 37 len 16 from "happy"

*May 27 16:13:01.698: Se1/0 PAP: I AUTH-REQ id 23 len 16 from "light"

*May 27 16:13:01.698: Se1/0 PAP: Authenticating peer light

*May 27 16:13:01.698: Se1/0 PPP: Sent PAP LOGIN Request

*May 27 16:13:01.698: Se1/0 PPP: Received LOGIN Response PASS

*May 27 16:13:01.698: Se1/0 PPP: Sent LCP AUTHOR Request

*May 27 16:13:01.698: Se1/0 PPP: Sent IPCP AUTHOR Request

*May 27 16:13:01.698: Se1/0 LCP: Received AAA AUTHOR Response PASS

*May 27 16:13:01.698: Se1/0 IPCP: Received AAA AUTHOR Response PASS

*May 27 16:13:01.698: Se1/0 PAP: O AUTH-ACK id 23 len 5

*May 27 16:13:01.706: Se1/0 PAP: I AUTH-ACK id 37 len 5

*May 27 16:13:01.706: Se1/0 PPP: Sent CDPCP AUTHOR Request

*May 27 16:13:01.706: Se1/0 PPP: Sent IPCP AUTHOR Request

*May 27 16:13:01.706: Se1/0 CDPCP: Received AAA AUTHOR Response PASS

*May 27 16:13:02.718: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Note: the debug output contains the letters O and I. O marks a message sent out; I marks a message received.

Authentication succeeded, PPP negotiation completed, and the link came up normally

(5) View R1's routing table again

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial1/0

The link between R1 and R2 is back to normal.

What happens if the username and password do not match?

(1) Change the username R1 sends to apple and the password to happy

R1(config)#int s1/0

R1(config-if)#ppp pap sent-username apple password happy

(2) First shut down R1's S1/0 interface

R1(config)#int s1/0

R1(config-if)#shutdown

(3) Enable debugging on R1

R1#debug ppp authentication

(4) Bring R1's S1/0 interface back up

R1(config)#int s1/0

R1(config-if)#no shutdown

The PPP authentication messages now displayed:

*May 27 16:26:56.638: Se1/0 PPP: Authorization required

*May 27 16:26:56.646: Se1/0 PAP: Using hostname from interface PAP

*May 27 16:26:56.646: Se1/0 PAP: Using password from interface PAP

*May 27 16:26:56.646: Se1/0 PAP: O AUTH-REQ id 41 len 16 from "apple"

*May 27 16:26:56.658: Se1/0 PAP: I AUTH-REQ id 27 len 16 from "light"

*May 27 16:26:56.658: Se1/0 PAP: Authenticating peer light

*May 27 16:26:56.658: Se1/0 PPP: Sent PAP LOGIN Request

*May 27 16:26:56.658: Se1/0 PPP: Received LOGIN Response PASS

*May 27 16:26:56.658: Se1/0 PPP: Sent LCP AUTHOR Request

*May 27 16:26:56.658: Se1/0 PPP: Sent IPCP AUTHOR Request

*May 27 16:26:56.658: Se1/0 LCP: Received AAA AUTHOR Response PASS

*May 27 16:26:56.658: Se1/0 IPCP: Received AAA AUTHOR Response PASS

*May 27 16:26:56.658: Se1/0 PAP: O AUTH-ACK id 27 len 5

*May 27 16:26:56.666: Se1/0 PAP: I AUTH-NAK id 41 len 26 msg is "Authentication failed"

R1 receives an authentication-failed message, and the negotiation between the two routers stays stuck in the authentication-failed state

View R1's routing table

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

R1 no longer has the directly connected route to R2, because authentication failed.

[Tip] With ISDN dial-up Internet access, usually only the carrier authenticates the user (billing is based on the username); the user does not authenticate the carrier, so authentication is one-way.

Characteristics of PAP:
  1. PAP authentication takes place only when the link is first established. If it succeeds, no further authentication occurs during the session. If it fails, the link is released immediately.
  2. Because authentication happens only at link setup, PAP saves valuable link bandwidth. Its drawback is that the username and password are sent in cleartext, so they can be captured by a protocol analyzer, creating a security problem.

………………………………………… I am the invincible divider …………………………………………

Next we study CHAP, the Challenge Handshake Authentication Protocol

CHAP (Challenge Handshake Authentication Protocol) uses a three-way handshake to periodically verify the identity of the originating node. CHAP authentication takes place after the link is established and can be repeated at any time afterwards, which makes the link more secure. CHAP uses a different challenge each time, each an unpredictable, unique value. CHAP never sends the password itself; it sends only the unpredictable challenge and an MD5 hash computed over that challenge and the password. CHAP therefore resists replay attacks and is more secure than PAP.

The authentication process is roughly as shown below:

(CHAP authentication flow diagram not available)

One-way CHAP authentication

Assume R1 is the authenticated party and R2 the authenticator

First, configure on R1 the username and password used for authentication

R1(config-if)#ppp chap hostname happy

R1(config-if)#ppp chap password apple

………………………………………… I am the invincible divider …………………………………………

A few points to note here:

1. As the authenticated party, R1 does not need the ppp authentication chap command.

2. The ppp chap password apple command sets a default password for the interface. Alternatively, username R2 password apple can be used on its own to create a local database entry for confirming R2's credentials. The two commands can also be used together.

3. During this authentication, R1 needs the matching password to compute the hash in its response. It first looks up the username in its local database; only if no matching username is found does it fall back to the interface password.

4. Only the authenticated party uses this mechanism. The authenticator consults only its database.

………………………………………… I am the invincible divider …………………………………………

Next, configure CHAP authentication on R2 and create the local password database

R2(config-if)#ppp authentication chap callout

R2(config-if)#exit

R2(config)#username happy password apple

Note: ppp authentication chap callout defines R2 as the authenticator.

View R1's routing table

R1(config-if)#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial1/0

Authentication succeeded and the link is established.

Next, let's look at an authentication failure

(1) Modify R2's database

R2(config)#username apple password happy

(2) First shut down R1's S1/0 interface

R1(config)#int s1/0

R1(config-if)#shutdown

(3) Enable debugging on R1

R1#debug ppp authentication

(4) Bring R1's S1/0 interface back up

R1(config)#int s1/0

R1(config-if)#no shutdown

R1's debug output:

*Jul 15 13:37:53.595: Se1/0 PPP: Authorization required

*Jul 15 13:37:53.615: Se1/0 PPP: No authorization without authentication

*Jul 15 13:37:53.615: Se1/0 CHAP: I CHALLENGE id 10 len 23 from "R2"

*Jul 15 13:37:53.615: Se1/0 CHAP: Using hostname from interface CHAP

*Jul 15 13:37:53.615: Se1/0 CHAP: Using password from interface CHAP

*Jul 15 13:37:53.615: Se1/0 CHAP: O RESPONSE id 10 len 26 from "happy"

*Jul 15 13:37:53.635: Se1/0 CHAP: I FAILURE id 10 len 25 msg is "Authentication failed"

Because R2's database has no password for the username happy, authentication fails

Two-way CHAP authentication

First, enable CHAP authentication on R1 and create the local password database

R1(config-if)#ppp authentication chap

R1(config-if)#exit

R1(config)#username R2 password happy

Next, enable CHAP authentication on R2 and create the local password database

R2(config-if)#ppp authentication chap

R2(config-if)#exit

R2(config)#username R1 password happy

Note: here the username in the database is the peer router's name. By default a router sends its own hostname as the username. The ppp chap hostname XXX command changes the username that is sent.

Now view R1's routing table

R1(config-if)#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial1/0

Authentication succeeded and the link is established.

[Tip] CHAP places high demands on the peer systems, because identity challenges and responses are exchanged repeatedly. This consumes more CPU, so it is used only where security requirements are high.

………………………………………… I am the invincible divider …………………………………………

Using PAP and CHAP together

The two ends of a link may sometimes choose different authentication methods, for example one side PAP and the other CHAP, in which case the authentication negotiation fails. To avoid this kind of failure during authentication protocol negotiation, the router can be configured to use both methods.

Command: ppp authentication chap pap or ppp authentication pap chap

(I) Configuration

First, configure R1

R1(config-if)#ppp authentication pap chap

R1(config-if)#ppp pap sent-username happy password apple

R1(config-if)#exit

R1(config)#username R2 password quiet

R1(config)#username light password night

Explanation: username R2 password quiet is the database entry used for CHAP;

username light password night is the database entry used for PAP

Configure R2

R2(config-if)#ppp authentication pap

R2(config-if)#ppp pap sent-username light password night

R2(config-if)#exit

R2(config)#username R1 password quiet

R2(config)#username happy password apple

Explanation: username R1 password quiet is the database entry used for CHAP;

username happy password apple is the database entry used for PAP

(II) Shut down R1's s1/0 interface

R1(config)#int s1/0

R1(config-if)#shutdown

(III) Enable debugging

R1#debug ppp authentication

(IV) Bring up R1's s1/0 interface

R1(config)#int s1/0

R1(config-if)#no shutdown

R1 and R2 now begin authenticating; the debug output is as follows:

*Jul 21 03:23:06.631: Se1/0 PPP: Using default call direction

*Jul 21 03:23:06.631: Se1/0 PPP: Treating connection as a dedicated line

*Jul 21 03:23:06.631: Se1/0 PPP: Session handle[67000040] Session id[92]

*Jul 21 03:23:06.631: Se1/0 PPP: Authorization required

*Jul 21 03:23:06.651: Se1/0 PAP: Using hostname from interface PAP

*Jul 21 03:23:06.651: Se1/0 PAP: Using password from interface PAP

*Jul 21 03:23:06.651: Se1/0 PAP: O AUTH-REQ id 71 len 16 from "happy"

*Jul 21 03:23:06.663: Se1/0 PAP: I AUTH-REQ id 62 len 16 from "light"

*Jul 21 03:23:06.663: Se1/0 PAP: Authenticating peer light

*Jul 21 03:23:06.663: Se1/0 PPP: Sent PAP LOGIN Request

*Jul 21 03:23:06.663: Se1/0 PPP: Received LOGIN Response PASS

*Jul 21 03:23:06.663: Se1/0 PPP: Sent LCP AUTHOR Request

*Jul 21 03:23:06.663: Se1/0 PPP: Sent IPCP AUTHOR Request

*Jul 21 03:23:06.663: Se1/0 LCP: Received AAA AUTHOR Response PASS

*Jul 21 03:23:06.663: Se1/0 IPCP: Received AAA AUTHOR Response PASS

*Jul 21 03:23:06.663: Se1/0 PAP: O AUTH-ACK id 62 len 5

*Jul 21 03:23:06.675: Se1/0 PAP: I AUTH-ACK id 71 len 5

*Jul 21 03:23:06.675: Se1/0 PPP: Sent CDPCP AUTHOR Request

*Jul 21 03:23:06.675: Se1/0 PPP: Sent IPCP AUTHOR Request

*Jul 21 03:23:06.675: Se1/0 CDPCP: Received AAA AUTHOR Response PASS

*Jul 21 03:23:07.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

The debug output shows that R1 and R2 used PAP authentication

Now set R2 to CHAP and remove the PAP sent-username

R2(config)#int s2/0

R2(config-if)#ppp authentication chap

R2(config-if)#no ppp pap sent-username

Shut down R1's interface, then bring it back up:

R1(config)#int s1/0

R1(config-if)#shutdown

*Jul 21 03:54:27.563: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down

*Jul 21 03:54:28.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down

(Note: after shutting down R1's s1/0 interface, wait for the interface down message before continuing.)

R1(config-if)#no shutdown

R1's debug output is as follows:

*Jul 21 03:56:53.811: %SYS-5-CONFIG_I: Configured from console by console

*Jul 21 03:56:55.143: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up

*Jul 21 03:56:55.143: Se1/0 PPP: Using default call direction

*Jul 21 03:56:55.143: Se1/0 PPP: Treating connection as a dedicated line

*Jul 21 03:56:55.143: Se1/0 PPP: Session handle[650000C1] Session id[221]

*Jul 21 03:56:55.143: Se1/0 PPP: Authorization required

*Jul 21 03:56:55.183: Se1/0 CHAP: O CHALLENGE id 154 len 23 from "R1"

*Jul 21 03:56:55.183: Se1/0 CHAP: I CHALLENGE id 5 len 23 from "R2"

*Jul 21 03:56:55.183: Se1/0 CHAP: Using hostname from unknown source

*Jul 21 03:56:55.183: Se1/0 CHAP: Using password from AAA

*Jul 21 03:56:55.183: Se1/0 CHAP: O RESPONSE id 5 len 23 from "R1"

*Jul 21 03:56:55.191: Se1/0 CHAP: I RESPONSE id 154 len 23 from "R2"

*Jul 21 03:56:55.191: Se1/0 PPP: Sent CHAP LOGIN Request

*Jul 21 03:56:55.191: Se1/0 PPP: Received LOGIN Response PASS

*Jul 21 03:56:55.195: Se1/0 PPP: Sent LCP AUTHOR Request

*Jul 21 03:56:55.195: Se1/0 PPP: Sent IPCP AUTHOR Request

*Jul 21 03:56:55.195: Se1/0 LCP: Received AAA AUTHOR Response PASS

*Jul 21 03:56:55.195: Se1/0 IPCP: Received AAA AUTHOR Response PASS

*Jul 21 03:56:55.195: Se1/0 CHAP: O SUCCESS id 154 len 4

*Jul 21 03:56:55.203: Se1/0 CHAP: I SUCCESS id 5 len 4

*Jul 21 03:56:55.203: Se1/0 PPP: Sent CDPCP AUTHOR Request

*Jul 21 03:56:55.203: Se1/0 PPP: Sent IPCP AUTHOR Request

*Jul 21 03:56:55.203: Se1/0 CDPCP: Received AAA AUTHOR Response PASS

*Jul 21 03:56:56.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

The debug output shows that R1 and R2 used CHAP authentication.

Summary:

1. If a router is configured with two authentication methods, the first method is tried first during link negotiation.

2. If the peer proposes the second method, or simply rejects the first, the second method is used.

3. If the first method fails, the second method is not attempted.

………………………………………… I am the invincible divider …………………………………………

Encrypting the passwords in the database

View R1's configuration

R1#show running-config

hostname R1
!
username R2 password 0 happy
clock timezone CET 1
ip subnet-zero
no ip domain lookup
!
……………………

The password in R1's database is stored in cleartext, which is very insecure. If someone obtains the router's configuration, the password is recovered trivially, with serious consequences.

To address this, enter the following command on the router:

R1(config)#service password-encryption

Now view R1's configuration again

R1#show running-config

hostname R1
!
username R2 password 7 000C12161442
clock timezone CET 1
ip subnet-zero
no ip domain lookup
!
……………………

The password in R1's database is now displayed in encrypted (type 7) form, which improves its confidentiality. (Caveat: the type 7 encoding produced by service password-encryption is a reversible obfuscation, not a one-way hash such as MD5; it stops casual reading of the configuration but can be decoded by anyone who has the configuration text.)

Encrypting the displayed database passwords this way does not affect the normal operation of PAP and CHAP authentication.

………………………………………… I am the invincible divider …………………………………………

Finally, a small PPP feature

Let's see what is special about the /32 host route.

Configure the IP address on R1's s1/0

R1(config-if)#ip add 172.16.1.1 255.255.255.0

R1(config-if)#encapsulation ppp

R1(config-if)#no shutdown

Configure the IP address on R2's s2/0

R2(config-if)#ip add 192.168.1.1 255.255.255.0

R2(config-if)#encapsulation ppp

R2(config-if)#no shutdown

On Cisco links that use HDLC, addresses in different subnets cannot ping each other. Let's see what happens on a PPP link.

View R1's routing table

R1#show ip route

……………………………………

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.1.0 is directly connected, Serial1/0

192.168.1.0/32 is subnetted, 1 subnets

C 192.168.1.1 is directly connected, Serial1/0

View R2's routing table

R2#show ip route

……………………………………

172.16.0.0/32 is subnetted, 1 subnets

C 172.16.1.1 is directly connected, Serial2/0

C 192.168.1.0/24 is directly connected, Serial2/0

So both ends' IP addresses are installed in the routing table as /32 host routes.

Ping R2's 192.168.1.1 from R1's 172.16.1.1

R1#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

So IP addresses in different subnets can communicate over a PPP link.

This is because during PPP negotiation each side sends its interface IP address to the peer, which treats it simply as the peer's identifier, used to confirm who the peer is. When negotiation ends and the link comes up, each side installs the peer's interface address into its own routing table as a /32 host route.

Uses:

Saving IP addresses.

1. Because IPv4 addresses are scarce, we can borrow the loopback interface's address for this interface in order to save addresses. Using ip unnumbered loopback 0 under the interface lets it establish the connection to the peer with the loopback's IP address.

For example: a central-office router R2 at an ISP connects many PCs. R2 must assign them addresses and routes so that they reach the outside through it. Giving every PC-facing interface its own IP address would be wasteful and tedious to configure. Instead, borrow the address of loopback0 or of another interface, so that many terminals are served with a single address.

2. A 31-bit mask can also be used to assign addresses to the two ends. In a point-to-point network every subnet has two unusable addresses, the network address and the broadcast address. If a network has to be divided into many subnets, that wastes many addresses. With a 31-bit mask, only the network and broadcast addresses exist, and they are assigned to the two interfaces, saving addresses.

Notes:

1. PPP's /32 host route does not appear on broadcast networks, because Ethernet interfaces cannot be PPP-encapsulated.

2. 31-bit masks are not allowed on other link types, where the minimum is 30 bits; only PPP permits them.

3. This applies only to links where both ends use PPP.

4. PPP's address-saving scheme is rarely used in today's networks; it is enough to be aware of it.

Some of the content may not display properly. I have a few more documents here that are quite suitable for beginners; if you need them, PM me~~~
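The PAP and CHAP exchanges described in the post, as an added example (not part of the ITAA document or of IOS): a small Python simulation using the lab's usernames and passwords. It shows that PAP puts the password itself on the wire while CHAP sends only MD5(id || secret || challenge) per RFC 1994, models the secret-lookup order from the CHAP notes (local username database first, then the interface `ppp chap password`), and shows why a replayed CHAP response fails. The `Authenticator` and `Peer` classes and the frame dicts are this example's own constructs.

```python
import hashlib
import os
import secrets


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Authenticator:
    """Side configured with 'ppp authentication pap|chap' (R2 in the one-way labs).
    Constructed for this example; 'user_db' models the 'username X password Y' entries."""

    def __init__(self, hostname, user_db):
        self.hostname = hostname
        self.user_db = dict(user_db)
        self.pending = {}  # outstanding challenge id -> challenge bytes

    def pap_check(self, frame):
        # PAP: the Authenticate-Request carries the password itself, so the check is
        # a plain comparison and anyone capturing the link sees the password.
        if self.user_db.get(frame["peer_id"]) == frame["password"]:
            return "AUTH-ACK"
        return "AUTH-NAK"

    def chap_challenge(self):
        ident = secrets.randbelow(256)
        challenge = os.urandom(16)  # fresh, unpredictable value every time
        self.pending[ident] = challenge
        return {"type": "CHALLENGE", "id": ident, "value": challenge, "name": self.hostname}

    def chap_verify(self, frame):
        # Each challenge is accepted once: a replayed RESPONSE finds no pending
        # challenge for its id and fails. The authenticator consults only its
        # database (note 4 in the CHAP section).
        challenge = self.pending.pop(frame["id"], None)
        secret = self.user_db.get(frame["name"])
        if challenge is None or secret is None:
            return "FAILURE"
        expected = chap_response(frame["id"], secret, challenge)
        return "SUCCESS" if secrets.compare_digest(expected, frame["value"]) else "FAILURE"


class Peer:
    """The authenticated side (R1 in the one-way labs). Constructed for this example."""

    def __init__(self, hostname, chap_hostname=None, chap_password=None, user_db=None):
        self.hostname = hostname
        self.chap_hostname = chap_hostname or hostname  # 'ppp chap hostname', else router name
        self.chap_password = chap_password              # 'ppp chap password' (interface default)
        self.user_db = dict(user_db or {})              # local 'username' entries

    def pap_request(self, username, password):
        # 'ppp pap sent-username ... password ...': both fields travel in cleartext.
        return {"type": "AUTH-REQ", "peer_id": username, "password": password}

    def chap_respond(self, chal):
        # Note 3 in the CHAP section: look the challenger's name up in the local
        # database first; fall back to the interface password only if absent.
        secret = self.user_db.get(chal["name"], self.chap_password)
        if secret is None:
            raise ValueError("no CHAP secret configured for %s" % chal["name"])
        value = chap_response(chal["id"], secret, chal["value"])
        return {"type": "RESPONSE", "id": chal["id"], "value": value, "name": self.chap_hostname}


def run_pap(peer, auth, username, password):
    """One PAP exchange; returns (result, the frame that crossed the wire)."""
    frame = peer.pap_request(username, password)
    return auth.pap_check(frame), frame


def run_chap(peer, auth):
    """One CHAP exchange; returns (result, the RESPONSE that crossed the wire)."""
    chal = auth.chap_challenge()
    resp = peer.chap_respond(chal)
    return auth.chap_verify(resp), resp
```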
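A second added example (not from the document): a parser for the `debug ppp authentication` lines shown throughout the post. It applies the convention the notes explain (O = sent, I = received) to pair each PAP AUTH-REQ or CHAP RESPONSE with its ACK/NAK/SUCCESS/FAILURE by identifier, so who authenticated whom and whether it passed can be checked from a log instead of by eye. The sample lines are copied from the post's debug output; `LINE_RE`, `AuthEvent` and `summarize()` are this example's own constructs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One 'debug ppp authentication' PAP/CHAP line, e.g.
#   *May 27 16:26:56.666: Se1/0 PAP: I AUTH-NAK id 41 len 26 msg is "Authentication failed"
LINE_RE = re.compile(
    r'^\*(?P<ts>\w{3} +\d+ [\d:.]+): (?P<intf>\S+) (?P<proto>PAP|CHAP): '
    r'(?P<dir>[IO]) (?P<msg>[A-Z-]+) id (?P<id>\d+) len \d+'
    r'(?: from "(?P<name>[^"]+)")?(?: msg is "(?P<text>[^"]+)")?'
)
# Messages that close an exchange, and whether they mean success.
FINAL = {"AUTH-ACK": True, "SUCCESS": True, "AUTH-NAK": False, "FAILURE": False}


@dataclass
class AuthEvent:
    ts: str
    intf: str
    proto: str
    direction: str  # 'O' = sent by this router, 'I' = received (as the post's note explains)
    msg: str
    ident: int
    name: Optional[str]
    text: Optional[str]


def parse(lines) -> List[AuthEvent]:
    """Keep only PAP/CHAP protocol lines; PPP/LCP/IPCP and AAA lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(m["ts"], m["intf"], m["proto"], m["dir"], m["msg"],
                                    int(m["id"]), m["name"], m["text"]))
    return events


def summarize(events: List[AuthEvent]) -> List[dict]:
    """Pair each AUTH-REQ/RESPONSE with the ACK/NAK/SUCCESS/FAILURE carrying the same id.

    A request we sent ('O') is the peer authenticating us; one we received ('I')
    is us authenticating the peer. The verdict travels in the opposite direction.
    """
    opened, results = {}, []
    for ev in events:
        if ev.msg in ("AUTH-REQ", "RESPONSE"):
            opened[(ev.proto, ev.ident)] = ev
        elif ev.msg in FINAL:
            req = opened.pop((ev.proto, ev.ident), None)
            results.append({
                "proto": ev.proto, "id": ev.ident, "ok": FINAL[ev.msg], "reason": ev.text,
                "who": req.name if req else None,
                "role": "peer authenticates us" if req and req.direction == "O"
                        else "we authenticate peer",
            })
    return results


# Sample lines copied from the post's debug output: two-way PAP with a wrong
# sent-username, then two-way CHAP.
SAMPLE_FAILED_PAP = [
    '*May 27 16:26:56.646: Se1/0 PAP: O AUTH-REQ id 41 len 16 from "apple"',
    '*May 27 16:26:56.658: Se1/0 PAP: I AUTH-REQ id 27 len 16 from "light"',
    '*May 27 16:26:56.658: Se1/0 PAP: Authenticating peer light',
    '*May 27 16:26:56.658: Se1/0 PAP: O AUTH-ACK id 27 len 5',
    '*May 27 16:26:56.666: Se1/0 PAP: I AUTH-NAK id 41 len 26 msg is "Authentication failed"',
]
SAMPLE_CHAP = [
    '*Jul 21 03:56:55.183: Se1/0 CHAP: O CHALLENGE id 154 len 23 from "R1"',
    '*Jul 21 03:56:55.183: Se1/0 CHAP: I CHALLENGE id 5 len 23 from "R2"',
    '*Jul 21 03:56:55.183: Se1/0 CHAP: O RESPONSE id 5 len 23 from "R1"',
    '*Jul 21 03:56:55.191: Se1/0 CHAP: I RESPONSE id 154 len 23 from "R2"',
    '*Jul 21 03:56:55.195: Se1/0 CHAP: O SUCCESS id 154 len 4',
    '*Jul 21 03:56:55.203: Se1/0 CHAP: I SUCCESS id 5 len 4',
]
```

In the failed PAP sample the summary shows R1 accepting the peer "light" (we authenticate peer, ok) while its own attempt as "apple" is rejected (peer authenticates us, not ok), which is exactly the asymmetry the post's mismatch test demonstrates.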




