Where security is important, PPP provides two optional authentication protocols. These the two authentication protocols are the Password Authentication Protocol (PAP ) and Challenge Handshake Authentication Protocol (CHAP).
INTRODUCTION:
If the two sides cannot agree on the correct parameters, then the connection is terminated. Once the link is established, the two sides authenticate each other using the authentication protocol decided on during LCP negotiation. Authentication must be successful prior to starting NCP negotiation.
1. Password Authentication Protocol (PAP )
2. Challenge Handshake Authentication Protocol (CHAP).
It is the most widely used and most popular WAN protocol because it offers control of data link set-up, dynamic assignment of IP addresses, network protocol multiplexing, link testing, link configuration, error detection and negotiation options for network-layer address and data compression.
- A method for encapsulating datagrams over serial links.
- Link Control Protocol (
CHAP AUTHENTICATION:
CHAP AUTHENTICATION, ON THE OTHER HAND , PERIODICALLY VERIFIES THE IDENTITY OF THE REMOTE NODE USING A THREE-WAY PPP link
is established, the host sends a "challenge" message to the remote node.
The remote node responds with a value calculated using a one-way hash function. The host checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.
Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider.
CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.
Note: Microsoft has implemented a variant of the Challenge-handshake authentication protocol, called MS-CHAP, which does not require either peer to know the plaintext.
CHAP is an authentication scheme used by Point to Point Protocol (PPP ) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake.
This happens at the time of establishing the initial link, and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
- After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
- The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
- The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
- At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
ADVANTAGES OVER - CHAP. PAP :
The only advantage PAP has over CHAP is a slim one. With PAP , a different password can be used by the each of the routers involved in the authentication. CHAP requires that the password be the same. We'll see as we examine CHAP authentication.
 |
HOW TO CONFIGURE PPP ON CISCO ROUTER:
1. Get to the interface configuration mode and issue the following command,
Router(config-if)#encapsulation ppp
2. If you want to configure authentication (which is almost always the case), go through the following steps:
- Choose the authentication type; Password Authentication Protocol (
Router(config-if)#ppp authentication XXX
Where XXX is the authentication type which can be: pap, chap, pap chap, or chap pap. The last two choices are to use the other authentication type when the first one fails.
CHAP is strongly recommended over PAP for two reasons. First, PAP sends the username and password in plaintext, while CHAP sends hashed challenges only.
Second is that CHAP does an operation similar to periodic re-authentication in the middle of the communication session such that it provides more security than PAP .
- Set a username and a password that the remote router would use to connect to your local router. You can define many username-password pairs for many
Router(config)#username USER password PASS
Where USER is the host name of the remote router, and PASS is its password. Issue this command once for each PPP connection.
For example: If you are connecting RouterA to RouterB and RouterC, on RouterA issue this command once for each remote router.
- Now you can set the username and password that you local router would use to access the remote router. For
Router(config-if)#ppp pap sent-username USER passwrod PASS
For CHAP, two commands are used,
Router(config-if)#ppp chap hostname USER
Router(config-if)#ppp chap password PASS
The usernames and passwords are case sensitive, so be careful when writing them. This way, you will have to write the hostname and secret password of the remote router in your local router and write the hostname and secret password of your local router into your remote using the 'username' command.
If you do not set the username and password that will be sent from the local router to the remote router for authentication, the router will use its hostname and secret password instead.
3. You can monitor the quality of the serial link that is using PPP with the following command,
Router(config-if)#ppp quality PERCENT
Where PERCENT is the minimum accepted link quality. If the link quality drops below PERCENT, the link will be shutdown and considered bad.
4. If the available bandwidth is small, you might consider compressing the data being transmitted using the following command,
Router(config-if)#ppp compress YYY
Where YYY is the compression type which can be predictor or stacker.
Note: The compression might affect the system performance because it increases the CPU load.
Check the CPU load with ‘show process cpu’ and disable the compression if the CPU load is over 65%.
5. To troubleshoot PPP , you can use the following commands,
Router#debug ppp negotioations
Router#debug ppp packets
Router#debug ppp errors
Router#debug ppp authentication
COMMANDES REFERENCE FOR PPP , PAP AND CHAP:
1. Enabling PPP :
Router(config)#interface interface name and n°
Router(config-if)#encapsulation ppp
2. Configuring PAP :
Router(config)#username name password password
Name = hostname of the remote router
Password = password of the remote router
This command specifies what we expect from the remote router.
Router(config-if)#ppp authentication pap [ callin ]
The callin option says the router that the ppp authentication pap callin
command is configured on will only authenticate the other side during an
incoming call. For an outgoing call, it will not authenticate the other side.
Router(config-if)#ppp pap sent-username username password password
This command specifies what the router send to the remote router.
3. Configuring CHAP :
Router(config)#ppp chap hostname name (optional)
Configure the send hostname. Without this command, the router uses its
hostname.
Router(config)#username name password password
Indicate witch password to employ for a given username.
Router(config-if)#ppp authentication chap [ callin ]
4. Configuring PPP load balancing :
Router(config-if)#ppp multilink
5. Configuring compression :
Router(config-if)#compress [predictor|stac|mppc]
6. Configuring TCP Header Compression :
Router(config-if)#ip tcp header-compression
7. Configuring error dectection :
Router(config-if)#ppp quality percentage
Percentage = under this percentage of quality, the link will be taken down.
8.1 Troubleshooting PPP :
Router#debug ppp authentication
displays the authentication exchange sequence.
Router#debug ppp negotiation
displays ppp packets transmitted during ppp startup, where ppp options are
negotiated.
Router#debug ppp error
displays protocol errors and error statistics associated with ppp connection,
negotiation and operation.
Router#debug ppp packet
displays ppp packets being sent and received
Router#debug ppp chap
displays CHAP packet exchanges.
SIMPLE EXAMPLE FOR CONFIGURING PPP AUTHENTICATION CHAP:
We Have Two Router R1 And Router R2, They Are Connected By Their Serial 0/0 Interfaces. R1 As A PPP PAP Server, And The R2 Device As The PPP PAP Client.
Router R1 Requires Authentication, And Router R2 Will Be Respond With The Correct Authentication Information.
On Router R1 PPP Server Configuration:
R1#conf t
Enter configuration commands, one per line. End with CNTL /Z.
R1(config)#username ROUTER2 password cisco1
R1(config)#int s0/0
R1(config-if)#encapsulation ppp
*Mar 1 00:04:47.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R1(config-if)#ppp authentication pap
R1(config-if)#end
On Router R2 Configuration of the PAP client:
R2#conf t
Enter configuration commands, one per line. End with CNTL /Z.
R2(config)#int s0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp pap sent-username ROUTER2 password cisco1
R2(config-if)#end
R2#
*Mar 1 00:08:40.539: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar 1 00:08:41.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2#
Server And Client Commands Above Carefully. Also Please Notice When The Commands Are Entered On The Client Link Is Established changed state to up.
Now We Are Going To Configuration CHAP We Will Have The Router R2 Device As A The CHAP Server And The Router R1 Device Function As The CHAP Client.
Now Router R2 Go For CHAP Server Commands:
R2#conf t
Enter configuration commands, one per line. End with CNTL /Z.
R2(config)#username R1 password cisco1
R2(config)#int s0/0
R2(config-if)#ppp authentication chap
R2(config-if)#
*Mar 1 00:14:06.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R2(config-if)#end
R2#
Now CHAP Client Configuration On Router R1:
R1#conf t
Enter configuration commands, one per line. End with CNTL /Z.
R1(config)#username R2 password cisco1
R1(config)#
*Mar 1 00:16:43.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R1(config)#
Troubleshooting PPP :
To debug a PPP PAP issue use the debug ppp negotiation and debug ppp authentication commands.
R1 & R2#debug ppp authentication
R1 & R2#debug ppp negotiation
R1 & R2#debug ppp error
R1 & R2#debug ppp packet
R1 & R2#debug ppp cha
TO STOP DEBUG # DEBUG OFF COMMAND
TO STOP DEBUG # DEBUG OFF COMMAND
NOTE: CHAP requires you to configure a username / password combination for any remote device that will be involved in authentication. (We're assuming that the routers have already been configured with their names via the global hostname command.) Both routers will use the password CISCO.
R1:
username R2 password CISCO
int bri0
encapsulation ppp
ppp authentication chap
R2:
username R1 password CISCO
int bri0
encapsulation ppp
ppp authentication chap
WHY CHAP AUTHENTICATION REQUIRES THE SAME PASSWORD ON BOTH ROUTERS:
Remember how PAP sends the password over the line in clear-text? CHAP does not actually send the password over the line at all. Instead, CHAP runs a hash algorithm using the password and a random number. It is the result of this hash that is passed over the link.
The remote router receives the hash result, and runs the exact same algorithm. If the result is the same, the authentication attempt will be successful. If the result is different, the authentication will fail. For this reason, the passwords must be the same.
DEBUG THE CONNECTION IF AUTHENTICATION FAILS:
Since two passwords are involved, the chances of one of the passwords being mistyped doubles. If you configure CHAP and the link dials but drops almost immediately, there's an authentication problem. Run debug ppp negotiation and attempt to dial the line again. The output of this particular debug will show you where the problem is.
TO CONFIGURE CHAP AUTHENTICATION, COMPLETE THESE STEPS:
- On the interface, issue the encapsulation ppp command.
- Enable the use of CHAP authentication on both routers with the ppp authentication chap command.
- Configure the usernames and passwords. To do so, issue the username username password password command, where username is the hostname of the peer. Ensure that:
- Passwords are identical at both ends.
- The router name and password are exactly the same, because they are case-sensitive.
Note: By default, the router uses its hostname to identify itself to the peer. However, this CHAP username can be changed through the ppp chap hostname command.
CHAP is defined as a one-way authentication method. However, you use CHAP in both directions to create a two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side.
In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication.
One-way authentication is often required when you connect to non-Cisco devices.
For one-way authentication, configure the ppp authentication chap callin command on the calling router.
This Article Written Author By: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSA, MCSE, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
No comments:
Post a Comment