Implementing CHAP Authentication on Cisco Routers
When configuring PPP authentication there are two choices, PAP and CHAP. PAP sends the username and password across the link in plaintext and is insecure; CHAP authenticates with a hash value, so the password itself is never sent over the network, which makes it considerably more secure.

The network topology is shown below:

(topology diagram)

Notes: PC1's Ethernet port (192.168.10.2) connects to Router1's Ethernet interface (192.168.10.1); Router1's Serial 0/0 (10.10.10.1) connects to Router2's Serial 0/0 (10.10.10.2), with Router1 as DCE and Router2 as DTE; Router2's Ethernet interface (192.168.20.1) connects to PC2's Ethernet port (192.168.20.2). Routing uses static routes, and the routers are emulated Cisco 3640s.

1. Router1 configuration:

```
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#interface ethernet 0/0
Router1(config-if)#ip address 192.168.10.1 255.255.255.0
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Router1(config-if)#exit
Router1(config)#interface serial 0/0
Router1(config-if)#ip address 10.10.10.1 255.255.255.252
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
%LINK-3-UPDOWN: Interface Serial0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Router1(config-if)#exit
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Router1(config)#ip route 192.168.20.0 255.255.255.0 10.10.10.1
Router1(config)#username Router2 password cisco
Router1(config)#interface serial 0/0
Router1(config-if)#encapsulation ppp
%LINK-3-UPDOWN: Interface Serial0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Router1(config-if)#ppp authentication chap
Router1(config-if)#exit
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
```

2. Router2 configuration:

```
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#interface ethernet 0/0
Router2(config-if)#ip address 192.168.20.1 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Router2(config-if)#exit
Router2(config)#interface serial 0/0
Router2(config-if)#ip address 10.10.10.2 255.255.255.252
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Router2(config-if)#exit
Router2(config)#ip route 192.168.10.0 255.255.255.0 10.10.10.2
%LINK-3-UPDOWN: Interface Serial0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Router2(config)#username Router1 password cisco
Router2(config)#interface serial 0/0
Router2(config-if)#encapsulation ppp
Router2(config-if)#ppp authentication chap
%LINK-3-UPDOWN: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Router2(config-if)#exit
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
```

3. Testing network connectivity:

(1) Ping PC2 from PC1:

```
C:\>ping 192.168.20.2

Pinging 192.168.20.2 with 32 bytes of data:

Reply from 192.168.20.2: bytes=32 time=60ms TTL=241
Reply from 192.168.20.2: bytes=32 time=60ms TTL=241
Reply from 192.168.20.2: bytes=32 time=60ms TTL=241
Reply from 192.168.20.2: bytes=32 time=60ms TTL=241
Reply from 192.168.20.2: bytes=32 time=60ms TTL=241

Ping statistics for 192.168.20.2:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms
```

(2) Ping PC1 from PC2:

```
C:\>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=60ms TTL=241
Reply from 192.168.10.2: bytes=32 time=60ms TTL=241
Reply from 192.168.10.2: bytes=32 time=60ms TTL=241
Reply from 192.168.10.2: bytes=32 time=60ms TTL=241
Reply from 192.168.10.2: bytes=32 time=60ms TTL=241

Ping statistics for 192.168.10.2:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 60ms, Average = 55ms
```

4. Viewing the Serial 0/0 details:

(1) On Router1:

```
Router1#show interfaces serial 0/0
Serial0/0 is up, line protocol is up      ------ interface and line protocol are both up
  Hardware is HD64570
  Internet address is 10.10.10.1/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open                                ------ open
  Open: IPCP, CDPCP                       ------ open
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Queueing strategy: fifo
```

(2) On Router2:

```
Router2#show interfaces serial 0/0
Serial0/0 is up, line protocol is up      ------ interface and line protocol are both up
  Hardware is HD64570
  Internet address is 10.10.10.2/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open                                ------ open
  Open: IPCP, CDPCP                       ------ open
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Queueing strategy: fifo
```

Summary:

PAP authenticates by sending the username and password for matching, so the `sent-username ** password **` command must be used, and because the username and password are transmitted in plaintext they can be captured with a packet sniffer.

The CHAP authentication process (one-way authentication, with R2 as the server side and R1 as the client):

1. R2 first sends a challenge packet to R1. The packet contains: 01 (identifier, marking a Challenge packet) + ID (sequence number) + a random number + its own username (R2).
2. When R1 receives this packet, it takes the username from the challenge (R2), the random number, the ID, and the password gairuhe from its local database, computes an MD5 value, and sends it to R2.
3. This response packet contains: 02 (response identifier) + ID (the same as R2's) + hash (the computed MD5 value) + its own username (R1).
4. When R2 receives it, it uses the ID to find the challenge packet it sent, then computes the MD5 value over the ID, the random number, and the password (obtained by looking up R1's entry in its local database), and then verifies the result.
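The exchange just summarized, as an added Python example that is not part of the original post: both sides of a one-way CHAP authentication, with Router2 as the authenticator, Router1 as the peer, and the shared secret `cisco` from the configurations above. Packets use the RFC 1994 layout (Code, ID, Length, Value-Size, Value, Name). Per RFC 1994 the response value is MD5 over the ID, the shared secret and the challenge value; the Name field is used only to look up which secret applies. A PAP Authenticate-Request builder (RFC 1334 layout) is included for contrast, so the final check can show that the secret appears byte-for-byte in the PAP packet but in neither CHAP packet. The class and function names and the `rng` hook are assumptions of this example, not anything from the router CLI.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes from RFC 1994.
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def build_chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Encode a Challenge or Response: Code | ID | Length | Value-Size | Value | Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name


def parse_chap_packet(pkt: bytes):
    """Decode a Challenge or Response; reject packets whose length fields disagree."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("malformed CHAP packet")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ID || secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (Router2 in the write-up): issues challenges and verifies responses."""

    def __init__(self, name: bytes, user_db: dict, rng=os.urandom):
        self.name = name
        self.user_db = user_db      # peer name -> shared secret (the `username ... password ...` table)
        self.pending = {}           # outstanding challenges keyed by ID
        self.next_id = 0
        self.rng = rng              # hook (assumed for this example) so tests can fix the challenge value

    def challenge(self) -> bytes:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = self.rng(16)
        self.pending[ident] = value
        return build_chap_packet(CHAP_CHALLENGE, ident, value, self.name)

    def verify(self, response: bytes) -> bool:
        code, ident, received, peer = parse_chap_packet(response)
        challenge = self.pending.pop(ident, None)   # each challenge is usable exactly once
        secret = self.user_db.get(peer)             # look up the peer's secret by its Name
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_hash(ident, secret, challenge)
        return hmac.compare_digest(expected, received)


def chap_respond(challenge_pkt: bytes, my_name: bytes, user_db: dict) -> bytes:
    """Client side (Router1): answer a challenge with the secret stored for the challenger's name."""
    code, ident, value, peer = parse_chap_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    secret = user_db[peer]
    return build_chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, secret, value), my_name)


def build_pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def run_demo(rng=os.urandom) -> dict:
    """Walk through the exchange from the summary and report what a sniffer would see."""
    secret = b"cisco"                       # the shared secret from the router configs above
    router1_db = {b"Router2": secret}       # Router1: `username Router2 password cisco`
    router2 = ChapAuthenticator(b"Router2", {b"Router1": secret}, rng)

    challenge = router2.challenge()
    response = chap_respond(challenge, b"Router1", router1_db)
    accepted = router2.verify(response)
    replayed = router2.verify(response)     # same response again: its challenge ID is gone

    challenge2 = router2.challenge()
    wrong = router2.verify(chap_respond(challenge2, b"Router1", {b"Router2": b"wrong"}))

    pap = build_pap_request(1, b"Router1", secret)
    return {
        "chap_accepted": accepted,
        "chap_replay_rejected": not replayed,
        "chap_wrong_secret_rejected": not wrong,
        "secret_visible_in_chap": secret in challenge or secret in response,
        "secret_visible_in_pap": secret in pap,
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

The authenticator discards each challenge ID once a response for it has been checked, so a response copied off the link cannot be presented a second time; together with the fact that only the hash crosses the wire, this is what the summary means by CHAP being safer than PAP on a link that can be sniffed.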


