
PAP and CHAP authentication configuration

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

There are two authentication methods in PPP, PAP and CHAP, which can be used alone or in combination. Authentication can be one-way or two-way.

PAP is a two-way handshake. First, the authenticated party initiates the authentication request and sends its own user name and password to the primary authenticator in clear text. The primary authenticator then looks for a corresponding entry in its own local user database; if one exists, it accepts the request, and if not, it refuses the request. This authentication method is insecure and can easily lead to password disclosure. However, compared with CHAP authentication, it saves valuable link bandwidth. For example, the current Internet dial-up authentication access method is PAP authentication.

CHAP is a three-way handshake. Authentication is first initiated by the primary authenticator, which sends a "challenge" string (a random sequence processed by a digest algorithm) to the authenticated party. After receiving the challenge, the authenticated party sends back its user name and password to the primary authenticator (this password is not the clear-text password, but the password processed with MD5 according to the "challenge" string). Finally, after receiving the response, the primary authenticator checks whether its local user database has a corresponding entry, applies MD5 to the password stored for that user name according to the "challenge" string, and compares its result with the result sent by the authenticated party. If the two are the same, authentication is considered to have passed; if they differ, authentication is considered to have failed.

Let's talk about PAP authentication first.

1. One-way authentication

R1 only needs the following configuration (authentication server side)

Set the user name and password in global configuration mode (the user name and password can be chosen freely)

R1(config)# username a password 123

In interface configuration mode, encapsulate the protocol and specify the authentication method

R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication pap

R2 only needs the following configuration (authenticated client side)

In interface configuration mode, encapsulate the protocol and send the authentication information (the user name and password set by the other party)

R2(config-if)# encapsulation ppp
R2(config-if)# ppp pap sent-username a password 123

In this way, the one-way authentication of PAP can be completed.

2. Two-way authentication

(In fact, if you think carefully about the steps above, making both sides act as server and client at the same time gives two-way authentication, so you can work out the two-way configuration without reading the part below.)

R1 only needs the following configuration (both authentication server and client)

Set the user name and password in global configuration mode (the user name and password can be chosen freely)

R1(config)# username a password 123

In interface configuration mode, encapsulate the protocol, specify the authentication method and send the authentication information (the user name and password set by the other party)

R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username b password 456

R2 only needs the following configuration (both authentication server and client)

Set the user name and password in global configuration mode (the user name and password can be chosen freely)

R2(config)# username b password 456

In interface configuration mode, encapsulate the protocol, specify the authentication method and send the authentication information (the user name and password set by the other party)

R2(config-if)# encapsulation ppp
R2(config-if)# ppp authentication pap
R2(config-if)# ppp pap sent-username a password 123

In this way, the two-way authentication of PAP can be completed.

Now let's talk about CHAP authentication.

1. One-way authentication

R1 only needs the following configuration (authentication server side)

Set the user name and password in global configuration mode (the user name and password can be chosen freely)

R1(config)# username a password 123

In interface configuration mode, encapsulate the protocol and specify the authentication method

R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication chap

R2 only needs the following configuration (authenticated client side)

In interface configuration mode, encapsulate the protocol and specify the user name and password used for authentication (remember that what is sent here is not the user name and password, but a string containing the encrypted password)

R2(config-if)# encapsulation ppp
R2(config-if)# ppp chap hostname a
R2(config-if)# ppp chap password 123

In this way, the one-way authentication of CHAP can be completed.

2. Two-way authentication

(Please note: everything here is the same as for PAP.)

R1 only needs the following configuration (both authentication server and client)

Set the user name and password in global configuration mode (the user names can be arbitrary and different, but the password must be the same on both sides, because the final check compares the hash computed from the password. If the passwords are different, authentication must fail.)

R1(config)# username a password 123

In interface configuration mode, encapsulate the protocol and specify the authentication method

R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication chap
R1(config-if)# ppp chap hostname b

(Only a user name needs to be specified here, because both sides already know the password.)

R2 only needs the following configuration (both authentication server and client)

Set the user name and password in global configuration mode (as above)

R2(config)# username b password 123

In interface configuration mode, encapsulate the protocol and specify the user name used for authentication (remember that what is sent here is not the user name and password, but a string containing the encrypted password, which also explains why there is no sent-username command here)

R2(config-if)# encapsulation ppp
R2(config-if)# ppp authentication chap
R2(config-if)# ppp chap hostname a

(As above.)

In this way, the two-way authentication of CHAP can be completed.
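
The PAP clear-text request and the CHAP three-way handshake described above, as an added Python sketch that is not part of the original article. Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); user a and password 123 are the page's values, while the function names and the use of b as the challenger's name are assumptions for illustration.

```python
import hashlib, hmac, os, struct

USERS_R1 = {"a": "123"}   # R1's local database, i.e. "username a password 123"

def pap_request(ident, user, password):
    """PAP Authenticate-Request (code 1): user name and password in clear text."""
    body = bytes([len(user)]) + user.encode() + bytes([len(password)]) + password.encode()
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def chap_packet(code, ident, value, name):
    """CHAP Challenge (code 1) or Response (code 2): Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def chap_parse(pkt):
    """Split a CHAP Challenge/Response into (code, identifier, value, name)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5 or 5 + pkt[4] > length:
        raise ValueError("malformed CHAP packet")
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:].decode()

def chap_digest(ident, secret, challenge):
    """RFC 1994 response value: MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_exchange(users, peer_name, peer_secret, auth_name="b"):
    """Run the three steps; return (accepted, the Response packet the peer sent)."""
    ident, challenge = 1, os.urandom(16)
    chal_pkt = chap_packet(1, ident, challenge, auth_name)      # step 1: Challenge
    _, cid, cval, _ = chap_parse(chal_pkt)                      # peer reads it
    resp_pkt = chap_packet(2, cid, chap_digest(cid, peer_secret, cval), peer_name)  # step 2
    _, rid, rval, rname = chap_parse(resp_pkt)                  # authenticator reads it
    secret = users.get(rname)                                   # step 3: look up and compare
    ok = (secret is not None and rid == ident
          and hmac.compare_digest(rval, chap_digest(ident, secret, challenge)))
    return ok, resp_pkt

if __name__ == "__main__":
    print("PAP on the wire:", pap_request(1, "a", "123"))       # password is readable
    for secret in ("123", "456"):                               # matching, then mismatched
        ok, wire = chap_exchange(USERS_R1, "a", secret)
        print("CHAP secret", secret, "->", "Success" if ok else "Failure", wire.hex())
```

The PAP packet carries the bytes `123` verbatim, while the CHAP Response carries only a 16-byte digest that changes with every challenge and verifies only when both sides hold the same password.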
