Tuesday, March 29, 2011

notes: PPP Authentication

PPP

One of the most important networking protocols is the Point-to-Point Protocol (PPP). Not only can you use it to transport many network protocols over point-to-point links, but it also provides capabilities to add authentication and link quality testing, allocate IP addresses, and provide error detection. The four major parts to PPP are network datagram encapsulation (such as HDLC), link setup, termination and maintenance, and network layer protocol establishment and configuration. When you establish a PPP link, the link setup and maintenance protocol, LCP, is used. LCP is responsible for PPP link establishment, termination, and maintenance. When the link is established, different parameters are exchanged and the link can optionally be quality tested. After the link establishment phase, the Network Control Protocols (NCPs) take over and facilitate the transfer of Layer 3 protocols, such as IP.

To configure a serial link to use PPP, simply set the encapsulation:

Router(config-if)# encapsulation ppp

One of the features of PPP encapsulation is the capability to authenticate the link. PPP can use either Password Authentication Protocol (PAP) or Challenge-Handshake Authentication Protocol (CHAP). CHAP authentication is considered more secure than PAP authentication because the username and password are not transferred in the clear as they are in PAP. Instead, CHAP uses more secure hashes and frequent challenges that add security to the authentication process.

To configure PAP on a serial interface, the authentication credentials must be created first. This is typically done by creating a username and password combination on each router. The interface then contains a command that specifies what will be sent to the peer router. If the two match, authentication will succeed:


CONFIG-SET: PPP one-way PAP authentication

Example: R2 connects to R1, where R1 authenticates R2

R1#
username R2C password cisco
!
interface s1/0
encapsulation ppp
ppp authentication pap
ppp max-bad-auth 3


R2#
interface s2/1
encapsulation ppp
ppp pap sent-username R2C password cisco
ppp max-bad-auth 3


CHAP authentication is configured slightly differently because the routers' hostnames are involved. A username is created matching the hostname of the peer router, and the password supplied must match:

- By default, the router uses its hostname to identify itself to the peer, but this can be changed with "ppp chap hostname".
- An interface-level CHAP hostname overrides the router's global hostname.
- If the same hostname is specified on both sides, the session authentication will fail, as the router ignores an authentication request from its own hostname. To get around that issue, use the hidden command "no ppp chap ignoreus".
- A global password is always tried first, and then an interface-level password will be tried.
- CHAP is defined as a one-way authentication method, but if applied in both directions it creates two-way authentication.


CONFIG-SET: PPP two-way CHAP authentication
Note: the password must match between peers.

R2#
username CCIE password 0 cisco
!
interface Serial0/2
ip address 10.0.24.2 255.255.255.0
encapsulation ppp
ppp authentication chap


R4#
username R2 password 0 cisco
!
interface Serial1/0
ip address 10.0.24.4 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname CCIE
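As an added illustration (not part of the original notes), here is a Python model of the CHAP exchange behind the two-way config set above: the RFC 1994 CHAP-MD5 response over (identifier, secret, challenge), the username lookup by the peer's CHAP name, and the default behaviour of ignoring a response that carries the router's own hostname. The router table, dict layout and result strings are constructed assumptions for the model, not router output.

```python
import hashlib
import os

# Constructed sample modelled on the two-way CHAP config set above: each router has
# a CHAP name ("ppp chap hostname", else its hostname) and a username table.
ROUTERS = {
    "R2": {"chap_name": "R2", "users": {"CCIE": "cisco"}},
    "R4": {"chap_name": "CCIE", "users": {"R2": "cisco"}},
}

def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def respond(peer: str, routers: dict, ident: int, challenge: bytes, auth_name: str):
    """Peer answers a Challenge carrying the authenticator's name: it looks up the
    secret stored under that name and returns (hash, own CHAP name). The secret
    itself never goes on the wire, only the hash and the name."""
    me = routers[peer]
    secret = me["users"].get(auth_name)
    if secret is None:
        return None, me["chap_name"]
    return chap_hash(ident, secret, challenge), me["chap_name"]

def authenticate(authenticator: str, peer: str, routers: dict, ignore_self: bool = True) -> str:
    """One CHAP direction: authenticator challenges peer and verifies the Response.
    ignore_self models the default of dropping a Response that carries the
    router's own CHAP name (what the hidden 'no ppp chap ignoreus' switches off)."""
    me = routers[authenticator]
    ident = os.urandom(1)[0]       # Identifier changes on every challenge
    challenge = os.urandom(16)     # fresh random Challenge value each time
    resp_hash, peer_name = respond(peer, routers, ident, challenge, me["chap_name"])
    if ignore_self and peer_name == me["chap_name"]:
        return "FAIL (ignored: Response carries our own hostname)"
    secret = me["users"].get(peer_name)
    if secret is None or resp_hash is None:
        return "FAIL (no username entry for peer)"
    if chap_hash(ident, secret, challenge) == resp_hash:
        return "SUCCESS"
    return "FAIL (hash mismatch: password differs)"

def two_way(a: str, b: str, routers: dict) -> tuple:
    """CHAP applied in both directions, as in the config set above."""
    return authenticate(a, b, routers), authenticate(b, a, routers)

if __name__ == "__main__":
    print(two_way("R2", "R4", ROUTERS))  # ('SUCCESS', 'SUCCESS')
```

Changing one side's password or giving both sides the same CHAP name reproduces the failure cases described in the bullets above.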


Unfortunately, configuring PAP and CHAP on PPP over Frame Relay is not as easy as enabling or disabling the authentication. When dealing with Frame Relay interfaces, a virtual-template must be configured and applied to the interface.

1. First, a virtual-template interface must be created, and its encapsulation must be PPP:

Router(config)# hostname R1
R1(config)# int virtual-template <#>
R1(config-if)# encapsulation ppp



The IP address from the serial interface is moved to the virtual-template:

R1(config)# int
R1(config-if)# no ip address
R1(config-if)# int virtual-template <#>
R1(config-if)# ip address

The frame-relay interface-dlci is programmed to reference the virtual-template:

R1(config-if)# frame-relay interface-dlci <dlci> ppp virtual-template <#>


Now authentication can be configured on the virtual-template as before:

R1(config-if)# ppp authentication chap
or
R1(config-if)# ppp authentication pap
