Huawei experiment: PPP authentication

Keywords: network http

Experimental principle

PPP is widely used on WAN links partly because it provides authentication protocols such as CHAP and PAP, which help secure the network.
PAP is a two-way handshake. The user name and secret are sent repeatedly to the authenticator over the link until authentication passes or the connection is terminated. PAP is not a secure authentication protocol because the password is sent in clear text.
CHAP is a three-way handshake. It transmits only the user name on the link, never the secret, so it is more secure than PAP. After the link is established, the verifier sends a "challenge" message to the verified party. The verified party runs it through the hash algorithm once and returns the resulting value to the verifier. The verifier compares the result of its own hash computation with the value returned by the verified party. If the two match, verification passes; otherwise verification fails and the connection is terminated.
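The two exchanges side by side, as an added example that is not part of the original lab. It assumes the MD5 form of CHAP from RFC 1994 (the page does not name the hash) and the PAP packet layout from RFC 1334; the function names are hypothetical and the credentials are the lab's step 4 values.

```python
import hashlib
import hmac
import os
import struct

def pap_request(ident: int, user: bytes, password: bytes) -> bytes:
    # PAP Authenticate-Request (code 1): peer-id and password travel as-is.
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def chap_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 with MD5 (assumed): MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    # CHAP Challenge (code 1) or Response (code 2): value-size, value, name.
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def chap_verify(response: bytes, expected_id: int, secret: bytes,
                challenge: bytes) -> bool:
    # Authenticator side: recompute the hash from the locally stored secret
    # and compare it with the value the peer returned.
    if len(response) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != 2 or ident != expected_id or length != len(response):
        return False
    value = response[5:5 + response[4]]
    return hmac.compare_digest(value, chap_value(ident, secret, challenge))

def demo() -> dict:
    user, secret = b"R1", b"huawei"   # lab values from step 4
    challenge = os.urandom(16)        # constructed; chosen fresh by the authenticator
    pap = pap_request(1, user, secret)
    chal = chap_packet(1, 7, challenge, b"R3")
    good = chap_packet(2, 7, chap_value(7, secret, challenge), user)
    bad = chap_packet(2, 7, chap_value(7, b"wrong", challenge), user)
    return {
        "pap_leaks_secret": secret in pap,            # visible in a capture
        "chap_leaks_secret": secret in chal + good,   # only name and hash on the wire
        "chap_accepts_good": chap_verify(good, 7, secret, challenge),
        "chap_rejects_bad": not chap_verify(bad, 7, secret, challenge),
    }

if __name__ == "__main__":
    print(demo())
```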

Experimental purpose

Understand the PAP authentication method of PPP
Understand the CHAP authentication method
Understand the difference between PAP authentication and CHAP authentication

Experimental topology

Experimental steps

1. Basic configuration, test connectivity
2. Build the OSPF network

[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255
[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

At this point, pc1 and pc2 can communicate
3. Configure PAP authentication of PPP
R3 is the authenticator router and R1 is the authenticated router

#The authentication method is PAP and the authentication domain name is huawei
[R3]int s4/0/0
[R3-Serial4/0/0]ppp authentication-mode pap domain huawei
[R3-Serial4/0/0]quit
#Execute aaa and enter aaa view
[R3]aaa
#Create authentication scheme huawei_1, and enter the authentication view
[R3-aaa]authentication-scheme huawei_1
Info: Create a new authentication scheme.
#Configure the authentication mode as local authentication	
[R3-aaa-authen-huawei_1]authentication-mode local
[R3-aaa-authen-huawei_1]quit
#Create the domain huaweiyu and enter the domain view
[R3-aaa]domain huaweiyu
Info: Success to create a new domain.
#Set the domain's authentication scheme to huawei_1. This must match the scheme created earlier
[R3-aaa-domain-huaweiyu]authentication-scheme huawei_1
#Return to the aaa view and configure the user name and password for peer authentication
[R3-aaa-domain-huaweiyu]quit
[R3-aaa]local-user R1@huaweiyu password cipher Huawei
Info: Add a new user.
[R3-aaa]local-user R1@huaweiyu service-type ppp
[R3-aaa]quit
#Shut down the interface connecting R3 and R1, then bring it back up so the link renegotiates, and check the link status and connectivity
[R3]int s4/0/0
[R3-Serial4/0/0]shutdown
[R3-Serial4/0/0]undo shutdown 


At this point R1 and R3 cannot communicate; authentication still needs to be configured on R1's connecting interface

[R1]int s4/0/0
[R1-Serial4/0/0]ppp pap local-user R1@huaweiyu password cipher Huawei

At this point the link is up

Test the connectivity of pc1 and pc2

4. Configure PPP CHAP authentication
With PAP, the user name and password can easily be obtained by capturing packets
Delete the original PAP authentication and keep the domain name unchanged

[R3]int s4/0/0
[R3-Serial4/0/0]undo ppp authentication-mode 
[R1]int s4/0/0
[R1-Serial4/0/0]undo ppp pap local-user

After deletion, set the PPP authentication mode to CHAP on the s4/0/0 interface of the authenticator, R3

[R3]int s4/0/0
[R3-Serial4/0/0]undo ppp authentication-mode 
[R3-Serial4/0/0]ppp authentication-mode CHAP
[R3-Serial4/0/0]quit

#Store the credentials locally. The user name used for peer authentication is R1 and the password is huawei. Other configuration remains unchanged

[R3]aaa
[R3-aaa]local-user R1 password cipher huawei
Info: Add a new user.
[R3-aaa]local-user R1 service-type ppp

After configuration, shut down the interface between R1 and R3 for a while and then bring it back up

[R3]int s4/0/0
[R3-Serial4/0/0]shutdown
[R3-Serial4/0/0]undo shutdown 


At this point the protocol status between R1 and R3 is abnormal and they cannot communicate, because the corresponding user name and password have not been configured on R1

[R1]int s4/0/0
[R1-Serial4/0/0]ppp chap user R1
[R1-Serial4/0/0]ppp chap password cipher huawei

R1 and R3 can now ping each other

The connection between pc2 and pc1 is also normal

Posted by gordo2dope on Fri, 17 Sep 2021 18:57:14 -0700