
Notes on my seventh CCNA lab: PPP authentication (PAP and CHAP) hands-on


PPP overview

PPP

PPP is a data link layer protocol; its job is to frame traffic on point-to-point links between routers. It has two kinds of sub-protocols: LCP (Link Control Protocol), which establishes, configures and tests the data link connection, and the NCPs (Network Control Protocols, e.g. IPCP for IP), which configure the network layer protocols carried over the link. Authentication is an optional LCP configuration option: while the link is being established, LCP negotiates which authentication protocol will be used, and PAP or CHAP then runs in the authentication phase before any NCP is opened. Today's lab verifies those two protocols, PAP and CHAP.

PAP authentication

PAP works like this: each router sends the peer a username and password (the pair configured with `ppp pap sent-username`), and the peer looks that pair up in its own local user database. If the pair exists there, authentication succeeds. It is the same idea as the ordinary username/password login of a web application. In the lab both sides authenticate each other, so each router acts as both PAP client and PAP authenticator.
During PAP authentication the username and password travel in cleartext, and the password is not hashed in any way (there is no MD5 step like the one CHAP uses). Anyone who can capture frames on the link reads the credentials directly and can reuse them. The only thing the receiving router does is match the received pair against its regular user database (`username <name> password <password>`).
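The PAP Authenticate-Request described above, as an added example that is not part of the original post: it builds the packet a router sends for `ppp pap sent-username gemo password ruby` using the RFC 1334 field layout, parses it back the way an on-path observer (or the authenticator) would, and applies the authenticator's lookup against a `username` table. The table mirrors RT2's configuration from the lab below; the function names and the Ack message text are this example's own.

```python
"""PAP Authenticate-Request on the wire (RFC 1334 section 2.1).

Added example, not code from the original post. Builds the packet a router
sends for `ppp pap sent-username gemo password ruby`, parses it back the way
an eavesdropper (or the authenticator) would, and applies the authenticator's
check against its `username` table. The table below mirrors RT2's config in
the lab; PAP_PROTOCOL is the PPP protocol number assigned to PAP.
"""
import struct

PAP_PROTOCOL = 0xC023
AUTH_REQ, AUTH_ACK, AUTH_NAK = 1, 2, 3


def build_auth_request(identifier: int, peer_id: str, password: str) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Peer-ID-Length(1) | Peer-ID |
    Passwd-Length(1) | Password. Both strings go in as-is: no hashing."""
    pid, pw = peer_id.encode(), password.encode()
    length = 4 + 1 + len(pid) + 1 + len(pw)
    return (struct.pack("!BBHB", AUTH_REQ, identifier, length, len(pid))
            + pid + bytes([len(pw)]) + pw)


def parse_auth_request(pkt: bytes) -> dict:
    """Recover the fields from raw bytes; this is all an on-path observer needs."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQ:
        raise ValueError(f"not an Authenticate-Request (code {code})")
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    pid_len = pkt[4]
    if 5 + pid_len >= length:
        raise ValueError("Peer-ID-Length overruns packet")
    peer_id = pkt[5:5 + pid_len]
    pw_len = pkt[5 + pid_len]
    if 6 + pid_len + pw_len != length:
        raise ValueError("Passwd-Length does not fit packet")
    password = pkt[6 + pid_len:]
    return {"id": identifier, "peer_id": peer_id.decode(), "password": password.decode()}


def authenticate(request: bytes, user_db: dict) -> tuple:
    """The authenticator's side: look the Peer-ID up in the local `username`
    table and compare the cleartext password. Returns (code, message); the
    Nak message is the one the lab's debug output shows, the Ack text is ours."""
    req = parse_auth_request(request)
    if user_db.get(req["peer_id"]) == req["password"]:
        return AUTH_ACK, "Authentication succeeded"
    return AUTH_NAK, "Authentication failed"


# Constructed scenario from the lab: RT1 sends gemo/ruby, RT2 checks it.
RT2_USERS = {"gemo": "ruby"}          # RT2(config)#username gemo password ruby
REQUEST = build_auth_request(17, "gemo", "ruby")

if __name__ == "__main__":
    print(parse_auth_request(REQUEST))        # credentials readable as-is
    print(authenticate(REQUEST, RT2_USERS))   # Ack
    print(authenticate(REQUEST, {}))          # after `no username gemo`: Nak
```

Running it shows the password sitting in the packet bytes unchanged, and the same Nak that appears in the lab's debug output once the `username gemo` entry is removed on RT2.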

CHAP authentication

CHAP is not a plain username/password login. The two routers are configured with the same shared secret X, and each side's `username` entry is keyed by the peer's hostname (RT1 holds `username RT2 ...`, RT2 holds `username RT1 ...`). The secret itself is never sent over the link; what does travel is each router's hostname, in the Name field of the CHAP packets, plus a hash. The exchange is a three-way challenge/response handshake (RFC 1994). First the authenticating router generates a random value called the challenge and sends it, together with its own hostname, in a Challenge packet. The other router looks up the secret stored for that hostname, computes MD5 over the packet identifier, the secret X and the challenge value, and sends the resulting hash back in a Response packet whose Name field carries its own hostname. The authenticator then looks up the secret it has stored for the name in the Response, computes MD5 over the same identifier, its own copy of X and the challenge it generated, and compares the two hashes. A match proves that the peer knows the same secret, without X ever crossing the link, and the authenticator answers Success or Failure. Because every challenge is a fresh random value, a captured Response cannot be replayed against a later challenge. CHAP does not, however, protect a weak secret: anyone who captures a challenge/response pair can try candidate secrets offline until the MD5 matches, so the three-character secret used in this lab would fall immediately. In the lab both routers are authenticators, so each side challenges the other. One practical caveat: the authenticator needs the secret in a form it can feed into MD5, which on Cisco IOS is traditionally `username <peer> password <X>`; whether a `username ... secret` entry (stored as a one-way hash) is accepted for CHAP depends on the IOS version, so check this on real hardware. The lab output below shows it being accepted.
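The CHAP exchange just described, as an added example in Python that is not code from the original post: it implements the RFC 1994 handshake for RT1 and RT2 with the lab's shared secret 123, shows that a replayed Response fails, that renaming RT2 to RRRR fails because RT1's table has no entry for that name (the experiment at the end of the page), and that a captured challenge/response pair lets an attacker test candidate secrets offline. The `Router` class, `handshake`, `guess_secret`, `lab_scenario` and the wordlist are this example's own constructions, not IOS internals.

```python
"""CHAP challenge/response (RFC 1994) with the lab's hostnames and secret.

Added example, not code from the original post. Models the three-way
handshake between RT1 and RT2 using the shared secret "123" from the CHAP
lab. The Router class, handshake(), guess_secret() and the wordlist are
constructions for this demo, not IOS internals.
"""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 2.2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def build(code: int, identifier: int, value: bytes, name: str) -> bytes:
    """Challenge/Response layout: Code(1) | Identifier(1) | Length(2) |
    Value-Size(1) | Value | Name. The Name is the sender's hostname."""
    name_b = name.encode()
    header = struct.pack("!BBHB", code, identifier, 5 + len(value) + len(name_b), len(value))
    return header + value + name_b


def parse(pkt: bytes):
    code, identifier, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("bad CHAP length")
    return code, identifier, pkt[5:5 + vsize], pkt[5 + vsize:].decode()


class Router:
    """One PPP peer. `hostname` is what it puts in the Name field; `users` is
    its `username <peer-hostname> secret <X>` table, keyed by the peer's name."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname
        self.users = users
        self._outstanding = {}  # identifier -> challenge value we issued

    def challenge(self, identifier: int, rng=os.urandom) -> bytes:
        value = rng(16)  # fresh random value each time, so old Responses are useless
        self._outstanding[identifier] = value
        return build(CHALLENGE, identifier, value, self.hostname)

    def respond(self, challenge_pkt: bytes) -> bytes:
        code, identifier, value, peer_name = parse(challenge_pkt)
        if code != CHALLENGE:
            raise ValueError("expected a Challenge")
        secret = self.users[peer_name]  # KeyError: no `username` for that peer
        return build(RESPONSE, identifier, chap_hash(identifier, secret, value), self.hostname)

    def verify(self, response_pkt: bytes) -> int:
        code, identifier, value, peer_name = parse(response_pkt)
        issued = self._outstanding.pop(identifier, None)  # each challenge is single-use
        secret = self.users.get(peer_name)  # lookup is by the peer's hostname
        if (code == RESPONSE and issued is not None and secret is not None
                and hmac.compare_digest(value, chap_hash(identifier, secret, issued))):
            return SUCCESS
        return FAILURE


def handshake(authenticator: Router, peer: Router, identifier: int = 1) -> int:
    """Challenge -> Response -> Success/Failure, as one call."""
    return authenticator.verify(peer.respond(authenticator.challenge(identifier)))


def guess_secret(identifier: int, challenge: bytes, response_value: bytes, wordlist):
    """Offline attack on a captured pair: the secret never crosses the link,
    but a weak one is found by hashing candidates until the MD5 matches."""
    for word in wordlist:
        if chap_hash(identifier, word, challenge) == response_value:
            return word
    return None


def lab_scenario() -> tuple:
    """RT1/RT2 as configured in the CHAP lab, then RT2 renamed to RRRR and back."""
    rt1 = Router("RT1", {"RT2": "123"})  # RT1(config)#username RT2 secret 123
    rt2 = Router("RT2", {"RT1": "123"})  # RT2(config)#username RT1 secret 123
    before = handshake(rt1, rt2, 1)
    rt2.hostname = "RRRR"                # RT2(config-if)#hostname RRRR
    renamed = handshake(rt1, rt2, 2)     # RT1 has no `username RRRR` entry
    rt2.hostname = "RT2"
    after = handshake(rt1, rt2, 3)
    return before, renamed, after
```

`lab_scenario()` returns `(SUCCESS, FAILURE, SUCCESS)`: the rename alone breaks nothing in the stored tables, it is the Name field in RT2's Response that no longer matches any `username` on RT1. Feeding a captured `(identifier, challenge, response)` to `guess_secret` with a wordlist containing `123` returns the secret at once, which is the argument for long shared secrets even though CHAP never transmits them.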

Lab

PAP authentication lab

[image: スクリーンショット 2018-03-10 14.42.13.png]

RT1 configuration

Router(config)#hostname RT1
RT1(config)#username syoui password villa
RT1(config)#int s2/0
RT1(config-if)#ip address 172.16.10.1 255.255.255.0
RT1(config-if)#encapsulation ppp
RT1(config-if)#ppp authentication pap
RT1(config-if)#ppp pap sent-username gemo ?
  password  Set outbound PAP password
RT1(config-if)#ppp pap sent-username gemo password ruby
RT1(config-if)#no sh

%LINK-5-CHANGED: Interface Serial2/0, changed state to down

State of s2/0 on RT1 after only RT1 has been configured. The other side has not been set up yet (its interface is still shut down and has no PPP encapsulation), so the line is physically down (DCD=down) and LCP is in the Closed state; nothing can be negotiated until the peer comes up.

RT1(config-if)#do show interface s2/0
Serial2/0 is down, line protocol is down (disabled)
  Hardware is HD64570
  Internet address is 172.16.10.1/24
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Closed
  Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down

RT2 configuration

Router(config)#hostname RT2
RT2(config)#username gemo password ruby
RT2(config)#int s2/0
RT2(config-if)#ip address 172.16.10.2 255.255.255.0
RT2(config-if)#no sh

RT2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up

RT2(config-if)#encapsulation ppp
RT2(config-if)#ppp authentication pap
RT2(config-if)#ppp pap sent-username syoui password villa
RT2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

After PPP encapsulation and authentication are configured on both RT1 and RT2, s2/0 on RT1 shows LCP Open, with IPCP and CDPCP open on top of it:

RT1(config-if)#do show interface s2/0
Serial2/0 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 172.16.10.1/24
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Now let's break the credentials on RT2: remove the `username gemo` entry that RT1's sent-username must match, then re-apply `ppp authentication pap` on the interface so the link renegotiates, with `debug ppp authentication` running on RT2 to watch the PAP state change.

RT2(config-if)#no username gemo
RT2(config)#int s2/0
RT2(config-if)#no ppp authentication 
RT2(config-if)#ppp authentication  pap
RT2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down

Serial2/0 Using hostname from interface PAP
Serial2/0 Using password from interface PAP
Serial2/0 PAP: O AUTH-REQ id 17 len 15
Serial2/0 PAP: I AUTH-REQ id 17 len 15
Serial2/0 PAP: Authenticating peer
Serial2/0 PAP: Phase is AUTHENTICATING, Unauthenticated User
Serial2/0 PAP: O AUTH-NAK id 17 len 26 msg is "Authentication failed"
Serial2/0 PAP: Phase is FORWARDING, Attempting Forward

With the username removed from RT2, the debug output shows RT2 receiving RT1's Authenticate-Request (I AUTH-REQ), failing the lookup (Unauthenticated User) and sending back an Authenticate-Nak with the message "Authentication failed", i.e. telling RT1 that the username and password it sent are wrong; the line protocol goes down.
Next we restore the original username and password on RT2:


RT2(config-if)#username gemo password ruby
RT2(config)#
Serial2/0 Using hostname from interface PAP
Serial2/0 Using password from interface PAP
Serial2/0 PAP: O AUTH-REQ id 17 len 15
Serial2/0 PAP: Phase is FORWARDING, Attempting Forward
RT2(config)#
Serial2/0 PAP: I AUTH-REQ id 17 len 15
Serial2/0 PAP: Authenticating peer
Serial2/0 PAP: Phase is FORWARDING, Attempting Forward

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

RT2(config)#do ping 172.16.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

RT2(config)#

s2/0 is back up and the peer's address is reachable again. While authentication was failing, neither RT1 nor RT2 could ping the other end of the serial link: PPP does not open IPCP until the authentication phase succeeds, so no IP traffic passes.

CHAP authentication lab

[image: スクリーンショット 2018-03-10 15.35.44.png]

RT1 configuration

Router(config)#hostname RT1
RT1(config)#username RT2 secret 123
RT1(config)#int s2/0
RT1(config-if)#encapsulation ppp
RT1(config-if)#ppp authentication chap
RT1(config-if)#no sh

%LINK-5-CHANGED: Interface Serial2/0, changed state to down

RT2 configuration

Router(config)#hostname RT2
RT2(config)#username RT1 secret 123
RT2(config)#int s2/0
RT2(config-if)#encapsulation ppp
RT2(config-if)#ppp authentication chap
RT2(config-if)#no sh

RT2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

State of s2/0 on RT2

RT2(config-if)#do show interface s2/0
Serial2/0 is up, line protocol is up (connected)
  Hardware is HD64570
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: CDPCP
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

LCP is Open. Note that only CDPCP is listed as open: no IP address has been configured on s2/0 at this point (there is no "Internet address" line in the output), so IPCP is not negotiated. The pings below use 172.16.10.1 and 172.16.10.2; that addressing step is not in the captured output.

Now let's change RT2's hostname and then restart ppp authentication on RT2. Right after the rename the ping to RT1 still works: CHAP authenticated the peer when the link came up, and an established link is not re-checked just because the local hostname changed. Once `ppp authentication chap` is removed and re-applied, the link renegotiates, RT2 now presents the name RRRR in its CHAP Response, RT1 has no `username RRRR` entry, authentication fails, the line protocol goes down and the ping fails. Changing the hostname back to RT2 lets the next negotiation succeed, and the ping to RT1 immediately works again.

RT2(config-if)#hostname RRRR
RRRR(config)#do ping 172.16.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

RRRR(config)#int s2/0
RRRR(config-if)#no ppp authentication chap
RRRR(config-if)#ppp authentication chap
RRRR(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down

RRRR(config-if)#do ping 172.16.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

RRRR(config-if)#hostname RT2
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed 
RT2(config)#do ping 172.16.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
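To close, an added example (Python, not from the original post) of the check a practitioner would run over a router's running-config once the two labs are understood: a small auditor that flags the weaknesses discussed on this page. The sample configuration is constructed from the PAP lab's RT1 commands plus two extra interfaces (Serial2/1 and Serial3/0, invented here for contrast); the rules, the `split_interfaces` and `audit` helpers and the finding messages are this example's own, not a Cisco tool.

```python
"""Audit an IOS-style running-config for PPP authentication settings.

Added example, not from the original post. SAMPLE_CONFIG is constructed from
the PAP lab's RT1 commands with two invented extra interfaces for contrast.
The rules encode the points made on the page: PAP carries the credentials in
cleartext, a PPP link with no `ppp authentication` accepts any peer, and
`username ... password` keeps the password in a recoverable form.
"""
import re

SAMPLE_CONFIG = """\
hostname RT1
username syoui password villa
username RT2 secret 123
!
interface Serial2/0
 ip address 172.16.10.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username gemo password ruby
!
interface Serial2/1
 encapsulation ppp
 ppp authentication chap
!
interface Serial3/0
 encapsulation ppp
!
"""


def split_interfaces(config: str) -> dict:
    """Return {interface name: [its indented lines]}; global lines under key ''."""
    sections, current = {"": []}, ""
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = ""  # any unindented line ends the interface block
            if line and line != "!":
                sections[""].append(line.strip())
    return sections


def audit(config: str) -> list:
    """Return (scope, message) findings, one per weakness found."""
    findings = []
    sections = split_interfaces(config)
    for line in sections[""]:
        m = re.match(r"username (\S+) password ", line)
        if m:  # type 0 / type 7 storage; `secret` stores a one-way hash
            findings.append(("global", f"username {m.group(1)}: password stored reversibly (use `secret`)"))
    for name, lines in sections.items():
        if name == "" or "encapsulation ppp" not in lines:
            continue
        auth = [l for l in lines if l.startswith("ppp authentication")]
        if not auth:
            findings.append((name, "PPP without `ppp authentication`: any peer is accepted"))
        elif "pap" in auth[0].split():  # also catches `chap pap` fallback
            findings.append((name, f"`{auth[0]}`: PAP sends username and password in cleartext"))
        for l in lines:
            if l.startswith("ppp pap sent-username"):
                findings.append((name, "cleartext outbound PAP password in the config"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```

On the sample it reports four findings: the reversible `username syoui password`, the PAP method and the `sent-username` password on Serial2/0, and the unauthenticated PPP link on Serial3/0; the CHAP interface Serial2/1 passes. `ppp authentication chap pap` would be flagged too, because the PAP fallback still lets the credentials go in cleartext whenever the peer asks for it.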
