
The topology is shown above.

 

PAP (Password Authentication Protocol) configuration example:

 

R1

Router>en

Router#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#HOstname R1

R1(config)#interface s1/0

R1(config-if)#ip address 12.1.1.1 255.255.255.0

R1(config-if)#encapsulation ppp     -- set the encapsulation protocol to PPP

R1(config-if)#no sh

R1(config-if)#ppp authentication pap     -- PPP authentication type: PAP

R1(config-if)#exit

R1(config)#username cisco password cisco     -- create a local user that serves as the peer's authentication identity

R1(config)#end

R1#

 

 

 

 

R2

 

Router>

Router>en

Router#conf t

Router(config)#hostname R2

R2(config)#interface s1/0

R2(config-if)#encapsulation ppp

R2(config-if)#ip address 12.1.1.2 255.255.255.0

R2(config-if)#no sh

 

R2(config-if)#ppp pap sent-username cisco password cisco    -- set the username and password sent to the peer

R2(config-if)#end

 

Verification:

r1(config-if)#

6d00h: Se1 PPP: Treating connection as a dedicated line

6d00h: Se1 LCP: O CONFREQ [Closed] id 87 len 14

6d00h: Se1 LCP:    AuthProto PAP (0x0304C023)

6d00h: Se1 LCP:    MagicNumber 0x1F1A390F (0x05061F1A390F)

6d00h: Se1 PPP: I pkt type 0xC021, datagramsize 14

6d00h: Se1 PPP: I pkt type 0xC021, datagramsize 18

6d00h: Se1 LCP: I CONFREQ [REQsent] id 34 len 10

6d00h: Se1 LCP:    MagicNumber 0xFFBD6ADC (0x0506FFBD6ADC)

6d00h: Se1 LCP: O CONFACK [REQsent] id 34 len 10

6d00h: Se1 LCP:    MagicNumber 0xFFBD6ADC (0x0506FFBD6ADC)

6d00h: Se1 LCP: I CONFACK [ACKsent] id 87 len 14

6d00h: Se1 LCP:    AuthProto PAP (0x0304C023)

6d00h: Se1 LCP:    MagicNumber 0x1F1A390F (0x05061F1A390F)

6d00h: Se1 PPP: I pkt type 0xC023, datagramsize 20

6d00h: Se1 PAP: I AUTH-REQ id 3 len 16 from "cisco"

6d00h: Se1 PAP: Authenticating peer cisco

6d00h: Se1 PAP: O AUTH-ACK id 3 len 5

6d00h: Se1 IPCP: O CONFREQ [Closed] id 3 len 10

6d00h: Se1 PPP: I pkt type 0x8021, datagramsize 14

6d00h: Se1 PPP: I pkt type 0x8207, datagramsize 8

6d00h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)

6d00h: Se1 CDPCP: O CONFREQ [Closed] id 3 len 4

6d00h: Se1 PPP: I pkt type 0x8021, datagramsize 14

6d00h: Se1 PPP: I pkt type 0x8207, datagramsize 8

6d00h: Se1 IPCP: I CONFREQ [REQsent] id 3 len 10

6d00h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)

6d00h: Se1 IPCP: O CONFACK [REQsent] id 3 len 10

6d00h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)

6d00h: Se1 CDPCP: I CONFREQ [REQsent] id 3 len 4

6d00h: Se1 CDPCP: O CONFACK [REQsent] id 3 len 4

6d00h: Se1 IPCP: I CONFACK [ACKsent] id 3 len 10

6d00h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)

6d00h: Se1 CDPCP: I CONFACK [ACKsent] id 3 len 4

6d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up

6d00h: Se1 PPP: I pkt type 0x0207, datagramsize 279

6d00h: Se1 PPP: I pkt type 0x0207, datagramsize 279

6d00h: Se1 PPP: I pkt type 0x0207, datagramsize 279

 

 

 

CHAP (Challenge Handshake Authentication Protocol) configuration example:

R1

 

r1(config)#

r1(config)#interface s1/0

r1(config-if)#ip address 12.1.1.1 255.255.255.0

r1(config-if)#encapsulation ppp

r1(config-if)#ppp authentication chap     -- PPP authentication: CHAP

r1(config-if)#ppp chap hostname r1      -- hostname is the username the peer must create an account for

r1(config-if)#no sh

r1(config-if)#exit

r1(config)#username r2 password cisco    -- create the account for the username the peer specified

r1(config)#

 

 

R2

 

r2(config)#interface s1/0

r2(config-if)#ip address 12.1.1.2 255.255.255.0

r2(config-if)#no sh

r2(config-if)#encapsulation ppp

r2(config-if)#ppp authentication chap

r2(config-if)#ppp chap hostname r2       

r2(config-if)#exit

r2(config)#username r1 password cisco

r2(config)#

 

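Note: the parts I marked in color match on both sides, because with CHAP each side creates an account for the name the other side specifies. If no name is specified manually, the HOSTNAME is used as the username by default.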

 

 

Verification:

6d01h: Se1 PPP: Outbound cdp packet dropped, line protocol not up

6d01h: Se1 PPP: Outbound cdp packet dropped, line protocol not up

6d01h: Se1 PPP: Outbound cdp packet dropped, line protocol not up

6d01h: Se1 PPP: I pkt type 0xC021, datagramsize 19

6d01h: Se1 LCP: I CONFREQ [Closed] id 13 len 15

6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)

6d01h: Se1 LCP:    MagicNumber 0xFFCD7512 (0x0506FFCD7512)

6d01h: Se1 PPP: Treating connection as a dedicated line

6d01h: Se1 LCP: O CONFREQ [Closed] id 38 len 15

6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)

6d01h: Se1 LCP:    MagicNumber 0x1F2A4361 (0x05061F2A4361)

6d01h: Se1 LCP: O CONFACK [REQsent] id 13 len 15

6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)

6d01h: Se1 PPP: I pkt type 0xC021, datagramsize 19

6d01h: Se1 LCP:    MagicNumber 0xFFCD7512 (0x0506FFCD7512)

6d01h: Se1 LCP: I CONFACK [ACKsent] id 38 len 15

6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)

6d01h: Se1 LCP:    MagicNumber 0x1F2A4361 (0x05061F2A4361)

6d01h: Se1 PPP: I pkt type 0xC223, datagramsize 27

6d01h: Se1 CHAP: Using alternate hostname r1

6d01h: Se1 CHAP: O CHALLENGE id 2 len 23 from "r1"

6d01h: Se1 CHAP: I CHALLENGE id 2 len 23 from "r2"

6d01h: %LINK-3-UPDOWN: Interface Serial1, changed state to up

6d01h: Se1 CHAP: Using alternate hostname r1

6d01h: Se1 PPP: I pkt type 0xC223, datagramsize 27

6d01h: Se1 CHAP: O RESPONSE id 2 len 23 from "r1"

6d01h: Se1 CHAP: I RESPONSE id 2 len 23 from "r2"

6d01h: Se1 CHAP: O SUCCESS id 2 len 4

6d01h: Se1 PPP: I pkt type 0xC223, datagramsize 8

6d01h: Se1 CHAP: I SUCCESS id 2 len 4

6d01h: Se1 PPP: I pkt type 0x8021, datagramsize 14

6d01h: Se1 PPP: I pkt type 0x8207, datagramsize 8

6d01h: Se1 IPCP: O CONFREQ [Closed] id 2 len 10

6d01h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)

6d01h: Se1 CDPCP: O CONFREQ [Closed] id 2 len 4

6d01h: Se1 PPP: I pkt type 0x8021, datagramsize 14

6d01h: Se1 PPP: I pkt type 0x8207, datagramsize 8

6d01h: Se1 IPCP: I CONFREQ [REQsent] id 2 len 10

6d01h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)

6d01h: Se1 IPCP: O CONFACK [REQsent] id 2 len 10

6d01h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)

6d01h: Se1 CDPCP: I CONFREQ [REQsent] id 2 len 4

6d01h: Se1 CDPCP: O CONFACK [REQsent] id 2 len 4

6d01h: Se1 IPCP: I CONFACK [ACKsent] id 2 len 10

6d01h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)

6d01h: Se1 CDPCP: I CONFACK [ACKsent] id 2 len 4

6d01h: Se1 PPP: I pkt type 0x0207, datagramsize 279

6d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up

6d01h: Se1 PPP: I pkt type 0x0207, datagramsize 279

6d01h: Se1 PPP: I pkt type 0x0207, datagramsize 279

 

 

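Summary:

Comparing the two PPP authentication methods, PAP and CHAP: PAP is less secure than CHAP. PAP transmits the password in cleartext, whereas CHAP never transmits the password during the exchange; a hash is sent in its place. PAP authentication is a two-way handshake, while CHAP is a three-way handshake. In PAP, the called party raises the connection request and the calling party responds. In CHAP, the calling party sends the request, the called party replies with a packet containing the random hash value sent by the calling party, and once the calling party has confirmed it against its database, it sends a connection-success packet and the link comes up.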
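
Added example (not part of the original post): a Python sketch of what PAP and CHAP each put on the wire, following the packet layouts in RFC 1334 and RFC 1994 and using the lab's `cisco` secret. The packets it builds have the same lengths as the `AUTH-REQ ... len 16` and `CHALLENGE`/`RESPONSE ... len 23` lines in the debug output above; all function names are illustrative, and the challenge is a constructed random value.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQ = 1                      # RFC 1334 code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2  # RFC 1994 codes

def pap_auth_request(ident, peer_id, password):
    """PAP Authenticate-Request: peer-id and password travel as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body

def parse_pap_auth_request(pkt):
    """Recover (peer_id, password) exactly as the authenticator receives them."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQ or length != len(pkt) or length < 6:
        raise ValueError("not a well-formed PAP Authenticate-Request")
    id_len = pkt[4]
    if 6 + id_len > length or 6 + id_len + pkt[5 + id_len] != length:
        raise ValueError("field lengths disagree with packet length")
    return pkt[5:5 + id_len], pkt[6 + id_len:length]

def chap_packet(code, ident, value, name):
    """Challenge and Response share one layout: value-size, value, name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def chap_md5(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident, secret, challenge, response_value):
    """Authenticator side: recompute from its own copy of the secret."""
    return hmac.compare_digest(chap_md5(ident, secret, challenge), response_value)

def demo():
    secret = b"cisco"              # shared secret from the page's lab config
    pap = pap_auth_request(3, b"cisco", secret)
    challenge = os.urandom(16)     # constructed sample: fresh random challenge
    chal_pkt = chap_packet(CHAP_CHALLENGE, 2, challenge, b"r1")
    resp_val = chap_md5(2, secret, challenge)
    resp_pkt = chap_packet(CHAP_RESPONSE, 2, resp_val, b"r2")
    return pap, chal_pkt, resp_pkt, challenge, resp_val

if __name__ == "__main__":
    pap, chal, resp, _, _ = demo()
    print(len(pap), parse_pap_auth_request(pap), len(chal), len(resp))
```

Because the CHAP response depends on the identifier and a fresh challenge, a response recorded from one exchange does not verify against a later challenge. Both routers must still hold the same secret, which is why `password cisco` is identical on R1 and R2.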