PPP: Authentication using CHAP
PPP supports 2 types of authentication, PAP and CHAP.
PAP sends the password in clear text.
CHAP sends the password encrypted.

In this post, let me configure password authentication using CHAP.

Here, R1 is the server (the authenticator) and R2 is the client (the peer being authenticated).
We need to understand who is authenticating whom.
When we dial in for an internet connection, the ISP authenticates the user, not vice versa.
So, the server asks for the password and the client supplies it.

Let me take a small topology to configure this.
R1-----s1/0---------------------s1/0----R2
10.1.1.1----------------------------Client
R1(config)#username cisco password cisco
R1(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 158 bytes
!
interface Serial1/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 no peer default ip address
 serial restart-delay 0
 ppp authentication chap
end
R1(config-if)#
R2(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 157 bytes
!
interface Serial1/0
 ip address 10.1.1.2 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
 ppp chap hostname cisco
 ppp chap password 0 cisco
end
R2(config-if)#
R1(config-if)#do debug ppp authentication
PPP authentication debugging is on
R1(config-if)#shut
R1(config-if)#
*Mar 1 02:48:54.611: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Mar 1 02:48:55.611: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R1(config-if)#no shut
R1(config-if)#
*Mar 1 02:49:04.663: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
R1(config-if)#
*Mar 1 02:49:04.667: Se1/0 PPP: Using default call direction
*Mar 1 02:49:04.667: Se1/0 PPP: Treating connection as a dedicated line
*Mar 1 02:49:04.667: Se1/0 PPP: Session handle[F6000023] Session id[36]
*Mar 1 02:49:04.671: Se1/0 PPP: Authorization required
*Mar 1 02:49:04.787: Se1/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Mar 1 02:49:04.887: Se1/0 CHAP: I RESPONSE id 1 len 26 from "cisco"
*Mar 1 02:49:04.891: Se1/0 PPP: Sent CHAP LOGIN Request
*Mar 1 02:49:04.895: Se1/0 PPP: Received LOGIN Response PASS
*Mar 1 02:49:04.899: Se1/0 PPP: Sent LCP AUTHOR Request
*Mar 1 02:49:04.903: Se1/0 PPP: Sent IPCP AUTHOR Request
R1(config-if)#
*Mar 1 02:49:04.907: Se1/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 02:49:04.907: Se1/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 02:49:04.911: Se1/0 CHAP: O SUCCESS id 1 len 4
*Mar 1 02:49:04.915: Se1/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 02:49:04.919: Se1/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 02:49:04.959: Se1/0 PPP: Sent IPCP AUTHOR Request
R1(config-if)#
*Mar 1 02:49:05.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R1(config-if)#
R2(config-if)#do debug ppp authentication
PPP authentication debugging is on
R2(config-if)#
*Mar 1 02:49:04.719: Se1/0 PPP: Authorization required
*Mar 1 02:49:04.727: Se1/0 PPP: No authorization without authentication
*Mar 1 02:49:04.727: Se1/0 CHAP: I CHALLENGE id 1 len 23 from "R1"
*Mar 1 02:49:04.735: Se1/0 CHAP: Using hostname from interface CHAP
*Mar 1 02:49:04.735: Se1/0 CHAP: Using password from interface CHAP
*Mar 1 02:49:04.735: Se1/0 CHAP: O RESPONSE id 1 len 26 from "cisco"
*Mar 1 02:49:04.923: Se1/0 CHAP: I SUCCESS id 1 len 4
R2(config-if)#
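
The CHALLENGE / RESPONSE / SUCCESS exchange in the debug output above, rebuilt as an added Python example (not from the original post and not Cisco code): per RFC 1994 the response carries MD5(identifier + secret + challenge) rather than the password, and the logged lengths 23, 26 and 4 follow from the packet layout with a 16-byte challenge. The function names, the user table and the challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP codes, RFC 1994

def chap_packet(code, ident, value=b"", name=b""):
    """Code(1) | Identifier(1) | Length(2) [| Value-Size(1) | Value | Name]."""
    body = bytes([len(value)]) + value + name if value else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_packet(pkt):
    """Return (code, ident, value, name); reject inconsistent length fields."""
    if len(pkt) < 4:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad CHAP length field")
    if code not in (CHALLENGE, RESPONSE):
        return code, ident, b"", b""
    if length < 5 or 5 + pkt[4] > length:
        raise ValueError("bad CHAP value size")
    return code, ident, pkt[5:5 + pkt[4]], pkt[5 + pkt[4]:]

def response_value(ident, secret, challenge):
    """One-way hash the peer sends in place of the password."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def authenticate(resp_pkt, sent_ident, sent_challenge, user_db):
    """Authenticator (R1): recompute the hash from its own user table."""
    code, ident, value, name = parse_packet(resp_pkt)
    secret = user_db.get(name.decode(errors="replace"))
    ok = (code == RESPONSE and ident == sent_ident and secret is not None
          and hmac.compare_digest(value, response_value(ident, secret, sent_challenge)))
    return chap_packet(SUCCESS if ok else FAILURE, ident)

def run_exchange(peer_name, peer_secret, user_db, challenge, ident=1):
    """One CHAP round; returns (challenge_pkt, response_pkt, result_pkt)."""
    chal_pkt = chap_packet(CHALLENGE, ident, challenge, b"R1")
    _, cid, cval, _ = parse_packet(chal_pkt)  # peer (R2) reads the challenge
    resp_pkt = chap_packet(RESPONSE, cid, response_value(cid, peer_secret, cval), peer_name)
    return chal_pkt, resp_pkt, authenticate(resp_pkt, ident, challenge, user_db)

CONSTRUCTED_CHALLENGE = bytes(range(16))  # constructed; a real one is random per attempt
USER_DB = {"cisco": b"cisco"}  # mirrors "username cisco password cisco" on R1

if __name__ == "__main__":
    for pkt in run_exchange(b"cisco", b"cisco", USER_DB, CONSTRUCTED_CHALLENGE):
        print("code", pkt[0], "id", pkt[1], "len", len(pkt))
```
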
R1(config-if)#do show ip int bri ser1/0
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.1.1 YES manual up up
R1(config-if)#
R1(config-if)#do ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/24/60 ms
R1(config-if)#
R2(config-if)#do show ip int bri ser1/0
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.1.2 YES manual up up
R2(config-if)#
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/36 ms
R2(config-if)#