PPP Authentication
I. Configuration steps:
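1:
Check that each router has been assigned a hostname. To assign one, enter the following in global configuration mode:
hostname name
This name must match the username that the authenticating router at the other end of the link expects.
2:
On each router, use the username name password password global configuration command to define the username and password expected from the remote router.
Example: username R3 password cisco
Note: R3 is the hostname of the peer router and cisco is the password; the password must be the same on both ends.
3: Use the ppp authentication {chap | chap pap | pap chap | pap} interface configuration command to configure PPP authentication.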
II. PPP authentication methods: PAP and CHAP
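PAP is a two-way handshake that gives a remote node a simple way to establish its identity. PAP is performed only during initial link establishment.
CHAP uses a three-way handshake. It takes place when the link is established and is repeated periodically afterwards to verify the identity of the remote node.
If ppp authentication chap pap is configured, the router attempts to authenticate all incoming PPP sessions using CHAP. If the remote device does not support CHAP, the router attempts to authenticate the PPP session using PAP. If the device supports neither CHAP nor PAP, authentication fails and the PPP session is closed.
If ppp authentication pap chap is configured, the router attempts to authenticate all incoming PPP sessions using PAP. If the remote device does not support PAP, the router attempts to authenticate the PPP session using CHAP. If the device supports neither protocol, authentication fails and the PPP session is closed.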
Note: If both methods are enabled, the first method specified is requested during link negotiation. If the peer asks to use the second method or rejects the first, the second method is tried.
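The CHAP three-way handshake described above, with both sides' packets built as RFC 1994 defines them (an added example, not code from the original page): the response is MD5(Identifier || secret || Challenge), so the shared password never crosses the link, whereas PAP sends it in cleartext. The function names and user tables are hypothetical, and the 16-byte challenge size is inferred from the len 23 and len 27 values in the debug output later on this page.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP codes (RFC 1994)

def build(code, ident, value=b"", name=b""):
    """Code, Identifier, Length; Challenge/Response add Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name if code in (CHALLENGE, RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    if code not in (CHALLENGE, RESPONSE):
        return code, ident, b"", b""
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:]

def chap_md5(ident, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge); the secret is never sent."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def respond(challenge_pkt, my_name, my_users):
    """Peer side: take the secret from the local 'username <name> password' entry."""
    _, ident, challenge, auth_name = parse(challenge_pkt)
    secret = my_users.get(auth_name.decode(), "")
    return build(RESPONSE, ident, chap_md5(ident, secret, challenge), my_name.encode())

def verify(response_pkt, ident, challenge, my_users):
    """Authenticator side: recompute the hash for the name the peer claims."""
    code, rid, value, peer_name = parse(response_pkt)
    secret = my_users.get(peer_name.decode())
    ok = (code == RESPONSE and rid == ident and secret is not None
          and hmac.compare_digest(value, chap_md5(ident, secret, challenge)))
    return build(SUCCESS if ok else FAILURE, ident)

def handshake(auth_name, auth_users, peer_name, peer_users, ident=54):
    """One direction of the three-way handshake; returns the three packets."""
    challenge = os.urandom(16)  # assumption: size inferred from "len 23" / "len 27"
    chal = build(CHALLENGE, ident, challenge, auth_name.encode())
    resp = respond(chal, peer_name, peer_users)
    return chal, resp, verify(resp, ident, challenge, auth_users)

if __name__ == "__main__":
    for p in handshake("R2", {"R3": "cisco"}, "R3", {"R2": "cisco"}):
        print(parse(p)[0], len(p), p.hex())
```

With R2 as authenticator and R3 as peer, the packet lengths come out as 23, 23 and 4, matching the CHALLENGE, RESPONSE and SUCCESS lines in the debug output in section IV.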
III. Configuration
Lab environment: GNS. Note: debug input cannot be seen in the simulator.
Equipment: two Cisco c3600 routers
R2 configuration:
hostname R2
username R3 password cisco
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
 ! a clock rate must be configured on one of the two routers
 clock rate 64000
 ppp authentication chap
R3 configuration:
hostname R3
username R2 password cisco
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
 no fair-queue
 ppp authentication chap
IV. Verifying authentication
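Use debug ppp authentication to view the authentication negotiation. The following is the output when the protocol is misconfigured
(at this point the hostnames of the two routers had not yet been configured, and no authentication usernames and passwords had been added).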
Mar 1 00:05:24.323: Se0/0 AUTH: Timeout 10
*Mar 1 00:05:24.323: Se0/0 CHAP: O CHALLENGE id 11 len 27 from "Router"
*Mar 1 00:05:24.455: Se0/0 CHAP: I CHALLENGE id 11 len 27 from "Router"
*Mar 1 00:05:24.455: Se0/0 CHAP: Ignoring Challenge with local name
*Mar 1 00:05:34.339: Se0/0 AUTH: Timeout 11
*Mar 1 00:05:36.451: Se0/0 PPP: Authorization required
*Mar 1 00:05:36.611: Se0/0 CHAP: O CHALLENGE id 12 len 27 from "Router"
*Mar 1 00:05:36.675: Se0/0 CHAP: I CHALLENGE id 12 len 27 from "Router"
*Mar 1 00:05:36.675: Se0/0 CHAP: Ignoring Challenge with local name
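Once authentication is working, enable debug. You can shut down the interface on one end and then issue no shutdown; the authentication negotiation messages are then output.
Message direction: "I" indicates an incoming packet, "O" indicates an outgoing packet.
The following is the debug output for a successful authentication: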
*Mar 1 00:58:05.567: Se0/0 PPP: Authorization required
*Mar 1 00:58:05.579: Se0/0 CHAP: O CHALLENGE id 54 len 23 from "R2"
*Mar 1 00:58:05.579: Se0/0 CHAP: I CHALLENGE id 55 len 23 from "R3"
*Mar 1 00:58:05.587: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 00:58:05.587: Se0/0 CHAP: Using password from AAA
*Mar 1 00:58:05.587: Se0/0 CHAP: O RESPONSE id 55 len 23 from "R2"
*Mar 1 00:58:05.683: Se0/0 CHAP: I RESPONSE id 54 len 23 from "R3"
*Mar 1 00:58:05.687: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:58:05.691: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:58:05.695: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:58:05.699: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:58:05.703: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:58:05.707: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:58:05.711: Se0/0 CHAP: O SUCCESS id 54 len 4
*Mar 1 00:58:05.711: Se0/0 CHAP: I SUCCESS id 55 len 4
*Mar 1 00:58:05.715: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:58:05.719: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:58:05.783: Se0/0 PPP: Sent IPCP AUTHOR Request
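A way to triage the two captures above automatically, as an added example that is not part of the original page: it reads debug ppp authentication lines, records the name each side puts in its CHALLENGE, and reports the hostname collision behind "Ignoring Challenge with local name" or a completed mutual authentication. The sample lines are excerpts of the output shown above; the function and field names are hypothetical.

```python
import re

CHAP = re.compile(r'CHAP: (?P<dir>[IO]) (?P<type>CHALLENGE|RESPONSE|SUCCESS|FAILURE)'
                  r' id (?P<id>\d+) len \d+(?: from "(?P<name>[^"]*)")?')

def triage(log_text):
    """Summarise a 'debug ppp authentication' capture from the local router's side."""
    r = {"local_name": None, "peer_name": None, "timeouts": 0, "ignored": 0,
         "we_accepted_peer": False, "peer_accepted_us": False, "diagnosis": []}
    for line in log_text.splitlines():
        r["timeouts"] += "AUTH: Timeout" in line
        r["ignored"] += "Ignoring Challenge with local name" in line
        m = CHAP.search(line)
        if not m:
            continue
        sent = m["dir"] == "O"
        if m["type"] == "CHALLENGE":    # the name in a challenge identifies its sender
            r["local_name" if sent else "peer_name"] = m["name"]
        elif m["type"] == "SUCCESS":    # O SUCCESS: we verified the peer's response
            r["we_accepted_peer" if sent else "peer_accepted_us"] = True
        elif m["type"] == "FAILURE":
            r["diagnosis"].append("CHAP FAILURE %s (id %s): compare the username and "
                                  "password entries" % ("sent" if sent else "received", m["id"]))
    if r["local_name"] is not None and r["local_name"] == r["peer_name"]:
        r["diagnosis"].append('both ends use the name "%s": assign distinct hostnames '
                              'and add the matching username entries' % r["local_name"])
    if r["we_accepted_peer"] and r["peer_accepted_us"]:
        r["diagnosis"].append("mutual CHAP authentication succeeded")
    return r

FAILED = """\
Mar 1 00:05:24.323: Se0/0 AUTH: Timeout 10
*Mar 1 00:05:24.323: Se0/0 CHAP: O CHALLENGE id 11 len 27 from "Router"
*Mar 1 00:05:24.455: Se0/0 CHAP: I CHALLENGE id 11 len 27 from "Router"
*Mar 1 00:05:24.455: Se0/0 CHAP: Ignoring Challenge with local name
"""
PASSED = """\
*Mar 1 00:58:05.579: Se0/0 CHAP: O CHALLENGE id 54 len 23 from "R2"
*Mar 1 00:58:05.579: Se0/0 CHAP: I CHALLENGE id 55 len 23 from "R3"
*Mar 1 00:58:05.587: Se0/0 CHAP: O RESPONSE id 55 len 23 from "R2"
*Mar 1 00:58:05.683: Se0/0 CHAP: I RESPONSE id 54 len 23 from "R3"
*Mar 1 00:58:05.711: Se0/0 CHAP: O SUCCESS id 54 len 4
*Mar 1 00:58:05.711: Se0/0 CHAP: I SUCCESS id 55 len 4
"""
```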
V. Verifying PPP negotiation
R2#debug ppp negotiation
PPP protocol negotiation debugging is on
*Mar 1 01:08:51.235: Se0/0 LCP: I CONFREQ [Open] id 142 len 15
*Mar 1 01:08:51.235: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 01:08:51.235: Se0/0 LCP: MagicNumber 0x004AFB08 (0x0506004AFB08)
*Mar 1 01:08:51.239: Se0/0 CDPCP: State is Closed
*Mar 1 01:08:51.239: Se0/0 IPCP: State is Closed
*Mar 1 01:08:51.243: Se0/0 PPP: Phase is TERMINATING
*Mar 1 01:08:51.247: Se0/0 PPP: Authorization required
*Mar 1 01:08:51.247: Se0/0 PPP: Phase is ESTABLISHING
*Mar 1 01:08:51.247: Se0/0 LCP: O CONFREQ [Open] id 148 len 15
*Mar 1 01:08:51.247: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 01:08:51.251: Se0/0 LCP: MagicNumber 0x004B0D3D (0x0506004B0D3D)
*Mar 1 01:08:51.251: Se0/0 LCP: O CONFACK [Open] id 142 len 15
*Mar 1 01:08:51.251: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 01:08:51.251: Se0/0 LCP: MagicNumber 0x004AFB08 (0x0506004AFB08)
*Mar 1 01:08:51.255: Se0/0 IPCP: Remove route to 10.1.1.2
*Mar 1 01:08:51.347: Se0/0 LCP: I CONFACK [ACKsent] id 148 len 15
*Mar 1 01:08:51.347: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 01:08:51.347: Se0/0 LCP: MagicNumber 0x004B0D3D (0x0506004B0D3D)
*Mar 1 01:08:51.351: Se0/0 LCP: State is Open
*Mar 1 01:08:51.351: Se0/0 PPP: Phase is AUTHENTICATING, by both
*Mar 1 01:08:51.351: Se0/0 CHAP: O CHALLENGE id 55 len 23 from "R2"
*Mar 1 01:08:51.351: Se0/0 CHAP: I CHALLENGE id 56 len 23 from "R3"
*Mar 1 01:08:51.359: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 01:08:51.363: Se0/0 CHAP: Using password from AAA
*Mar 1 01:08:51.363: Se0/0 CHAP: O RESPONSE id 56 len 23 from "R2"
*Mar 1 01:08:51.363: Se0/0 CHAP: I RESPONSE id 55 len 23 from "R3"
*Mar 1 01:08:51.367: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 01:08:51.371: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 01:08:51.371: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 01:08:51.375: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 01:08:51.379: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 01:08:51.379: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 1 01:08:51.383: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 01:08:51.387: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 01:08:51.391: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 01:08:51.391: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 01:08:51.395: Se0/0 CHAP: O SUCCESS id 55 len 4
*Mar 1 01:08:51.395: Se0/0 CHAP: I SUCCESS id 56 len 4
*Mar 1 01:08:51.399: Se0/0 PPP: Phase is UP
*Mar 1 01:08:51.399: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 01:08:51.399: Se0/0 IPCP: Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:08:51.403: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 01:08:51.403: Se0/0 PPP: Process pending ncp packets
*Mar 1 01:08:51.411: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 01:08:51.411: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar 1 01:08:51.507: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 1 01:08:51.507: Se0/0 IPCP: Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:08:51.507: Se0/0 AAA/AUTHOR/IPCP: Start. Her address 10.1.1.2, we want 0.0.0.0
*Mar 1 01:08:51.511: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 01:08:51.515: Se0/0 AAA/AUTHOR/IPCP: Reject 10.1.1.2, using 0.0.0.0
*Mar 1 01:08:51.519: Se0/0 AAA/AUTHOR/IPCP: Done. Her address 10.1.1.2, we want 0.0.0.0
*Mar 1 01:08:51.519: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar 1 01:08:51.519: Se0/0 IPCP: Address 10.1.1.2 (0x03060A010102)
*Mar 1 01:08:51.523: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Mar 1 01:08:51.523: Se0/0 IPCP: Address 10.1.1.1 (0x03060A010101)
*Mar 1 01:08:51.523: Se0/0 IPCP: State is Open
*Mar 1 01:08:51.527: Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Mar 1 01:08:51.527: Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
*Mar 1 01:08:51.535: Se0/0 IPCP: Install route to 10.1.1.2
*Mar 1 01:08:53.411: Se0/0 CDPCP: Timeout: State ACKsent
*Mar 1 01:08:53.411: Se0/0 CDPCP: O CONFREQ [ACKsent] id 2 len 4
*Mar 1 01:08:53.499: Se0/0 CDPCP: I CONFACK [ACKsent] id 2 len 4
*Mar 1 01:08:53.499: Se0/0 CDPCP: State is Open
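The hexadecimal in parentheses is one PPP option encoded as type, length, data: 0x0305C22305 is option 3 (Authentication-Protocol), length 5, protocol 0xC223 (CHAP), algorithm 5 (MD5). The added example below (not from the original page; function names are hypothetical) decodes these options from lines of the output above, checks each packet's len against its options, and reports which method each side acknowledged, which is where a fallback to PAP under chap pap or pap chap would show up.

```python
import ipaddress
import re

AUTH = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP protocol numbers carried in LCP option 3
PACKET = re.compile(r"(LCP|IPCP): ([IO]) (CONF\w+) \[\w+\] id (\d+) len (\d+)")
OPTION = re.compile(r"(LCP|IPCP): +\w+ .*\(0x([0-9A-Fa-f]+)\)\s*$")

def decode_option(proto, raw):
    """Decode one type/length/data option, as printed in parentheses by the debug."""
    kind, length, data = raw[0], raw[1], raw[2:]
    if length != len(raw):
        raise ValueError("option length %d but %d bytes present" % (length, len(raw)))
    if proto == "LCP" and kind == 3:    # Authentication-Protocol, algorithm byte for CHAP
        auth = int.from_bytes(data[:2], "big")
        alg = {5: "MD5"}.get(data[2], data[2]) if auth == 0xC223 else None
        return ("AuthProto", AUTH.get(auth, hex(auth)), alg)
    if proto == "LCP" and kind == 5:    # Magic-Number
        return ("MagicNumber", "0x" + data.hex().upper(), None)
    if proto == "IPCP" and kind == 3:   # IP-Address
        return ("Address", str(ipaddress.IPv4Address(data)), None)
    return ("type %d" % kind, data.hex(), None)

def parse_negotiation(log_text):
    """Attach option lines to their CONFREQ/CONFACK and total the encoded size."""
    packets = []
    for line in log_text.splitlines():
        p, o = PACKET.search(line), OPTION.search(line)
        if p:
            packets.append({"proto": p[1], "dir": p[2], "kind": p[3], "id": int(p[4]),
                            "len": int(p[5]), "size": 4, "options": []})
        elif o and packets and packets[-1]["proto"] == o[1]:
            raw = bytes.fromhex(o[2])
            packets[-1]["options"].append(decode_option(o[1], raw))
            packets[-1]["size"] += len(raw)
    return packets

def agreed_auth(packets):
    """Method acknowledged per direction: "O" = we agreed to authenticate to the peer."""
    return {p["dir"]: opt[1] for p in packets if p["kind"] == "CONFACK"
            for opt in p["options"] if opt[0] == "AuthProto"}

SAMPLE = """\
*Mar 1 01:08:51.251: Se0/0 LCP: O CONFACK [Open] id 142 len 15
*Mar 1 01:08:51.251: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 01:08:51.251: Se0/0 LCP: MagicNumber 0x004AFB08 (0x0506004AFB08)
*Mar 1 01:08:51.347: Se0/0 LCP: I CONFACK [ACKsent] id 148 len 15
*Mar 1 01:08:51.347: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 01:08:51.347: Se0/0 LCP: MagicNumber 0x004B0D3D (0x0506004B0D3D)
"""
```

For each packet, `size` (4-byte header plus the decoded options) should equal the `len` the router printed; a mismatch means option lines are missing from the capture.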
VI. Verifying the PPP encapsulation configuration
R2#sh interfaces s0/0
Serial0/0 is up, line protocol is up
Hardware is M4T
Internet address is 10.1.1.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, crc 16, loopback not set
Keepalive set (10 sec)
Restart-Delay is 0 secs
Last input 00:00:45, output 00:00:04, output hang never
Last clearing of "show interface" counters 01:09:48
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
816 packets input, 23848 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
846 packets output, 24371 bytes, 0 underruns
0 output errors, 0 collisions, 60 interface resets
0 output buffer failures, 0 output buffers swapped out
59 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up