實(shí)驗(yàn)十三 路由器廣域網(wǎng)PPP封裝CHAP驗(yàn)證配置

1、實(shí)驗(yàn)十三、路由器廣域網(wǎng)PPP封裝CHAP驗(yàn)證配置一、實(shí)驗(yàn)?zāi)康?.掌握CHAP驗(yàn)證配置2.理解驗(yàn)證過程二、應(yīng)用環(huán)境基于安全的考慮,需要路由器雙方經(jīng)過驗(yàn)證后才能建立連接三、實(shí)驗(yàn)設(shè)備1.DCR-1751 兩臺(tái)2.CR-V35MT 一條3.CR-V35FC 一條四、實(shí)驗(yàn)拓?fù)?五、實(shí)驗(yàn)要求Router-A Router-B接口IP地址接口IP地址S1/1DTE 192.168.1.2 DCE 192.168.1.1 S1/0帳號(hào)密碼帳號(hào)密碼digitalchina RouterBdigitalchina RouterA六、實(shí)驗(yàn)步驟第一步Router-A的配置Router>enable !進(jìn)入特權(quán)模

2、式Router #config !進(jìn)入全局配置模式Router-A !修改機(jī)器名Router _config#hostnameRouter-A_config#username RouterB password digitallchina !設(shè)置帳號(hào)密碼Router-A_config#interface s1/1 !進(jìn)入接口模式Router-A_config_s1/0#ip address 192.168.1.1 255.255.255.0 !配置IP地址PPP !封裝PPP協(xié)議Router-A_config_s1/1#encapsulationchap !設(shè)置驗(yàn)證方式authenticatio

3、nRouter-A_config_s1/0#pppRouter-A_config_s1/0#ppp chap hostname RouterA !設(shè)置發(fā)送給對(duì)方驗(yàn)證的帳號(hào)Router-A_config_s1/0#physical-layer speed 64000 !配置DCE時(shí)鐘頻率Router-A_config_s1/0#noshutdownRouter-A_config_s1/0#Z !按ctrl + z進(jìn)入特權(quán)模式第二步:查看配置Router-A#shows1/1 !查看接口狀態(tài)interfaceSerial1/0 is up, line protocol is down!對(duì)端沒有配置

4、,所以協(xié)議是DOWN Mode=Sync DCE Speed=64000 !查看DCEDTR=UP,DSR=UP,RTS=UP,CTS=DOWN,DCD=UPInterface address is 192.168.1.1/24!查看IP地址MTU 1500 bytes, BW 64 kbit, DLY 2000 usecEncapsulation prototol PPP, link check interval is 10 sec !查看封裝協(xié)議Octets Received0, Octets Sent 0Frames Received 0, Frames Sent 0, Link-che

5、ck Frames Received0Link-check Frames Sent 89, LoopBack times 0Frames Discarded 0, Unknown Protocols Frames Received 0, Sent failuile 0Link-check Timeout 0, Queue Error 0, Link Error 0,60 second input rate 0 bits/sec, 0 packets/sec!60 second output rate 0 bits/sec, 0 packets/sec!0 packets input, 0 by

6、tes, 8 unused_rx, 0 no buffer0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort8 packets output, 192 bytes, 0 unused_tx, 0 underrunserror:0 clock, 0 gracePowerQUICC SCC specific errors:0 recv allocb mblk fail 0 recv no buffer0 transmitter queue full 0 transmitter hwqueue_full第三步:Router-B的

7、配置Router>enable !進(jìn)入特權(quán)模式Router #config !進(jìn)入全局配置模式Router-B !修改機(jī)器名Router _config#hostnameRouter-B_config#username RouterA password digitalchina !設(shè)置帳號(hào)密碼Router-B_config#interface s1/0 !進(jìn)入接口模式Router-B_config_s1/0#ip address 192.168.1.2 255.255.255.0 !配置IP地址PPP !封裝PPP協(xié)議Router-B_config_s1/1#encapsulationa

8、uthenticationchap !設(shè)置驗(yàn)證方式Router-A_config_s1/0#pppRouter-A_config_s1/0#ppp chap hostname RouterB !設(shè)置發(fā)送給對(duì)方驗(yàn)證的帳號(hào)shutdownRouter-B_config_s1/0#noRouter-B_config_s1/0#Z !按ctrl + z進(jìn)入特權(quán)模式第四步:查看配置interfaces1/0 !查看接口狀態(tài)Router-A#showSerial1/0 is up, line protocol is up!接口和協(xié)議都是upMode=Sync DTE!查看DTEDTR=UP,DSR=UP,

9、RTS=UP,CTS=DOWN,DCD=UPInterface address is 192.168.1.2/24!查看IP地址MTU 1500 bytes, BW 64 kbit, DLY 2000 usecEncapsulation prototol PPP, link check interval is 10 sec !查看封裝協(xié)議Octets Received0, Octets Sent 0Frames Received 0, Frames Sent 0, Link-check Frames Received0Link-check Frames Sent 89, LoopBack ti

10、mes 0Frames Discarded 0, Unknown Protocols Frames Received 0, Sent failuile 0Link-check Timeout 0, Queue Error 0, Link Error 0,60 second input rate 0 bits/sec, 0 packets/sec!60 second output rate 0 bits/sec, 0 packets/sec!0 packets input, 0 bytes, 8 unused_rx, 0 no buffer0 input errors, 0 CRC, 0 fra

11、me, 0 overrun, 0 ignored, 0 abort8 packets output, 192 bytes, 0 unused_tx, 0 underrunserror:0 clock, 0 gracePowerQUICC SCC specific errors:0 recv allocb mblk fail 0 recv no buffer0 transmitter queue full 0 transmitter hwqueue_full第五步:測試連通性Router-A#ping 192.168.1.2PING 192.168.1.2 (192.168.1.2: 56 da

12、ta bytes!- 192.168.1.2 ping statistics -5 packets transmitted, 5 packets received, 0% packet lossround-trip min/avg/max = 20/22/30 ms七、注意事項(xiàng)和排錯(cuò)1.雙方密碼一定要一致,發(fā)送的帳號(hào)要和對(duì)方帳號(hào)數(shù)據(jù)庫中的帳號(hào)對(duì)應(yīng)2.不要忘記配置DCE的時(shí)鐘頻率八、配置序列Router-A的序列Building configuration.Current configuration:!version 1.3.2Eservice timestamps log dateservic

13、e timestamps debug dateno service password-encryption!hostname Router-A!username routerB password 0 digital !interface FastEthernet0/0ip address 192.168.2.1 255.255.255.0 no ip directed-broadcast!interface Ethernet2/0no ip addressno ip directed-broadcastduplex half!interface Serial1/0no ip addressno

14、 ip directed-broadcastphysical-layer speed 64000!interface Serial1/1ip address 192.168.1.1 255.255.255.0 no ip directed-broadcastencapsulation pppppp chap hostname routerA physical-layer speed 64000!interface Async0/0no ip addressno ip directed-broadcast!九、共同思考1.CHAP和PAP這兩種驗(yàn)證有什么不同?2.CHAP驗(yàn)證是否非常安全?十、課

15、后練習(xí)嘗試配置不同的密碼,觀察是否還能建立連接十一、相關(guān)命令詳解ppp authentication使用接口配置命令ppp authentication指定接口上使用CHAP或PAP協(xié)議的次序,使用no ppp authentication 取消認(rèn)證。ppp authentication chap|ms-chap|paplist-name|defaultcallinno ppp authentication參數(shù)參數(shù)參數(shù)說明chap 在串行接口上激活CHAPpap 在串行接口上激活PAPms-chap 在串行接口上激活MS-CHAPlist-name (可選的與AAA/TACACS+一起使用,指

16、定執(zhí)行認(rèn)證時(shí)使用的TACACS+方法列表名。如果沒有指定列表名,系統(tǒng)將使用缺省列表。使用命令aaa authentication ppp創(chuàng)建列表。default(可選的與AAA/TACACS+一起使用。使用命令aaa authentication ppp 創(chuàng)建缺省缺省列表。callin (可選的指定僅對(duì)收到的呼叫(calls進(jìn)行認(rèn)證。進(jìn)行PPP認(rèn)證時(shí),chap、ms-chap和 pap三者必選其一,或者三者任意組合。缺省不進(jìn)行PPP認(rèn)證。命令模式接口配置態(tài)使用說明 一旦你激活了 CHAP,MS-CHAP 和 PAP 認(rèn)證中的一個(gè),兩個(gè)或者全部激活,本地路由器在允許 遠(yuǎn)端設(shè)備傳送數(shù)據(jù)之前,要求對(duì)

17、其身份進(jìn)行驗(yàn)證. (1 PAP 認(rèn)證要求遠(yuǎn)端設(shè)備發(fā)送一個(gè)名字/口令對(duì), 來檢驗(yàn)在本地用戶數(shù)據(jù)庫或 者遠(yuǎn)程 TACACS/TACACS+數(shù)據(jù)庫中是否有一個(gè)匹配項(xiàng). (2 CHAP 認(rèn)證發(fā)送一個(gè) challenge 給遠(yuǎn)端設(shè)備, 遠(yuǎn)端設(shè)備必須使用公有密鑰對(duì) challenge 進(jìn)行加密并把加密結(jié)果和自身名字以 response 報(bào)文的形式返回給 本地路由器.本地路由器使用遠(yuǎn)端設(shè)備名字在本地用戶數(shù)據(jù)庫或者遠(yuǎn)程 TACACS/TACACS+數(shù)據(jù)庫中查找到相應(yīng)的密鑰,用它對(duì)最初 challenge 進(jìn)行加密,并驗(yàn)證該加密結(jié)果是否與遠(yuǎn)端設(shè)備返回的結(jié)果相同. 你可能以任何次序激活 PAP,MS-CHAP 和 CHAP.如果兩種方法都被激活了,那么使用第 一個(gè)方法在鏈路協(xié)商階段提出請(qǐng)求. 如果遠(yuǎn)端建議使用第二種方法或者簡單地拒絕了第一種 方法,將使用第二種方法.一些遠(yuǎn)端設(shè)備僅僅支持 CHA