ppp链路认证实验

实验拓扑

实验需求

路由器A和B通过专线相连，路由器A和B相连网络的掩码为/30网段，两台路由器能通信在路由器A与B上实现PAP认证，使两台路由器能互通在路由器A与B上实现CHAP认证，使两台路由器能互通；

注意：认证者为R2，被认证者为R1；

实验思路

给两边路由器配置好IP地址，通过Ping测试联通性设置PAP单向认证，通过Ping测试联通性配置PAP双向认证，通过Ping测试联通性配置CHAP单向认证，通过Ping测试联通性配置CHAP双向认证，通过Ping测试联通性

实验步骤

1 配置IP 进行测试联通

办事处

Router>enRouter#conf terEnter configuration commands,one per line.End with CNTL/Z.Router( config)#int s1/2Router( config-if)#ip add 192.168.1.1 255.255.255.252Router( config-if)#no shut

总部

Router>enRouter#conf terEnter configuration commands,one per line.End with CNTL/Z.Router(config)#int s1/2Router(config-if)#ip add 192.168.1.2 255.255.255.252Router( config-if))#no shut

测试

总部路由器

Router( config-if)#doping192.168.1.1Type escape sequence to abort.Sending 5，100-byteICMP Echos to 192.168.1.1，timeout is 2 seconds:!!!!!Success rate is 100 percent(5/5)，round-trip min/avg/max = 16/19/21ms

办事处路由器

Router( config-if)#do ping 192.168.1.2Type escape sequence to abort.Sending 5，100-byte ICMP Echos to 192.168.1.2，timeout is 2 seconds:!! !!!Router( config-if)#Success rate is 100 percent(5/5)，round-trip min/avg/max = 18/19/20 ms

2 单向PAP认证

总部

Router( config)#username lsy password 123Router( config)#ints1/2Router( config-if)#enRouter( config-if)#encapsulation pppRouter( config-if)#*Aug 19 03:57:26.539:%LINEPROTO-5-UPDOWN:Line protocol on Interface Serial1/2,changed state to downRouter( config-if)#ppp authentication pap

到办事处路由器先进行ping是否还能通信

Router( config )#do ping192.168.1.2Type escape sequence to abort.Sending 5，100-byteICMP Echos to 192.168.1.2，timeout is 2 seconds:.....Successrate is_0 percent(0/5)Router( config)#此时是无法ping通Router ( config）#ints1/2Router( config-if)#enRouter( config-if)#encapsulation pppRouter( config-if)#ppp pap sent-username lsy pasRouter( config-if)#ppp pap sent-username lsy password123*Aug 19 04:02:16.890:%LINEPROTO-5-UPDOWN:Line protocol on Interface Serial1/2,changed state to up

Router( config-if)#do ping192.168.1.2Type escape sequence to abort.Sending 5,100-byte ICMP Echos to 192.168.1.2，timeout is 2 seconds:!!!!!Success rate is 100 percent(5/5)，round-trip min/avg/max = 7/1/15 ms

3 双向PAP认证

先关闭两个路由器上的单向pap认证

总部和办事处

Router ( config-if)#no encapsulation pppRouter( config-if)#do show interfaces s1/2Serial1/2isup, line protocol is upHardware is M4TInternet address is 192.168.1.2/30MTU 1500 bytes,BW1544Kbit/sec,DLY 20000 usec,reliability 255/255，txload 1/255，rxload 1/255EncapsulationHDLC,crc 16, loopback not setKeepalive set(10 sec)Restart-Delay is 0 secsLast input 00:00:02，output 00:00:12，output hang neverLast clearing of "show interface" counters 00:00:04Queueing strategy : fifooutput queue:0/40( size/max)，，5 minute input rate 0 bits/sec,0 packets/sec5minute output rate 0 bits/sec,0 packets /secl packets input, 16 bytes,0 no bufferReceived 1 broadcasts(0IP multicasts)runts,0giants,0 throttles0input errors,0 CRC，0 frame,0 overrun,0 ignored,0 abortpackets output,0 bytes,0 underruns0 output errors, 0 collisions,0 interface resetsl unknown protocol drops0 output buffer failures,0 output buffers swapped outInput queue:0/75/0/0(size/max/drops/flushes); Total output drops: 0

总部

Router( config)#int s1/2Router( config-if)#en pppRouter( config-if)#ppp authentication papRouter(config-if)#ppp pap sent-username lsy password123

办事处

Router( config)#int s1/2Router( config-if)#en pppRouter( config-if)#ppp authentication papRouter(config-if)#ppp pap sent-username lsy password 123*Aug 19 06:23:48.287: %3LINEPROTO-5-UPDOWN:Line protocol on Interface Seriall/2，changed state

测试ping

Router( config-if)#do ping 192.168.1.2Type escape sequence to abort.Sending 5，100-byte ICMP Echos to 192.168.1.2，timeout is 2 seconds:!!!!!Success rate is 100 percent(5/5)，round-trip min/avg/max = 10/10/13 ms

`

4 chap 单向认证

同理先关闭上面的认证在进行

总部

Router( config-if)#int s1/2Router( config-if)#en pppRouter ( config-if)#ppp authentication chapRouter( config-if)#exitouter( config)#username yy password 22

办事处

Router( config)#int s1/2Router( config-if)#en pppRouter( config-if)#ppp cahRouter( config-if)#ppp chaRouter( config-if)#ppp chap hoRouter( config-if)#ppp chap hostname yyRouter( config-if)#ppRouter( config-if)#ppp chap pRouter( config-if)#ppp chap password 22

办事处测试

Router( config-if)#do ping192.168.1.2Type escape sequence to abort.Sending 5,100-byte ICMP Echos to 192.168.1.2，timeout is 2 seconds:!!!!!Success rate is 100 percent(5/5)，round-trip min/avg/max = 9/9/10 ms

4 chap 双向认证

双方设置认证的用户名为对方设备的hostname，并设置相同的密码

清理单向chap配置

办事处

Router( config)#username zl password 123Router( config)#int s1/2Router( config-if)#en pppRouter( config-if)#ppp authenRouter( config-if)#ppp authentication chapRouter(config-if)#ppp chap hostname lsyRouter( config-if)#no shut*Aug 19 07:10:13.764:%LINEPROTO-5-UPDOMN: Line protocol on Interface Serial1/2，changed state t*Aug 19 07:1i:35.165:%LINEPROTO-5-UPDOWN:Line protocol on Interface Serial1/2，changed state to up

总部

R2(config)#username lsy password 123R2(config)#int s1/2R2(config-if)#en pppR2(config-if#ppp authentication chapR2( config-if)#ppp chap hostname zlR2(config-if)#no shutR2(config-if)#*Aug 1907:11:35.165:%LINEPROTO-5-UPDOWN:Line protocol on Interface Serial1/2，changed state to up

测试

Router( config-if)#do ping192.168.1.2Type escape sequence to abort.Sending 5，100-byte ICMP Echos to 192.168.1.2，timeout is 2 seconds :!!!!!Success rate is 100 percent(5/5)，round-trip min/avg/max = 8/10/13 ms

实验总结

1.pap明文传输和密码，支持双方认证，认证用户名和密码可以不一致2.chap质检握手身份核实（密码被隐藏），在chap双方认证中，双方密码必须保持一致，否则认证失败。

单向和双向验证：CHAP 被定义为单向身份验证方法。然而，您可以在两个方向上使用 CHAP 以创建双向身份验证。因此，通过双向 CHAP，每一端都可以发起单独的三次握手。默认情况下，路由器使用其主机名向对等体标识其身份。然而，可以通过ppp chap hostname命令更改此 CHAP 用户名