28 February 2010

PPP - Summary

PPP Concepts

PPP provides several basic but important functions that are useful on a leased line that connects two devices, as reviewed in the following list:

■ Definition of a header and trailer that allows delivery of a data frame over the link.

■ Support for both synchronous and asynchronous links.

■ A protocol type field in the header, allowing multiple Layer 3 protocols to pass over the same link.

■ Built-in authentication tools: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

■ Control protocols for each higher-layer protocol that rides over PPP, allowing easier integration and support of those protocols.


PPP Link Control Protocol (LCP)
LCP provides four notable features (the summary table is not reproduced on this page).
PPP Authentication

PAP and CHAP authenticate the endpoints on either end of a point-to-point serial link. CHAP is the preferred method today because the identification process uses a challenge and a response computed with a Message Digest 5 (MD5) one-way hash, so the shared secret itself never crosses the link, whereas PAP sends the username and password in clear text. Note what CHAP does and does not give you: it hides the secret from a passive listener, but a captured challenge/response pair can still be guessed against offline if the secret is weak, and neither PAP nor CHAP encrypts the traffic that follows authentication.

PPP Configuration and Verification

Basic PPP

Configuring PPP requires only the encapsulation ppp command on both ends of the link.

R1(config)#interface serial 0/0/1
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#encapsulation ppp
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to down

R2(config)#interface serial 0/1/1
R2(config-if)#ip address 192.168.2.2 255.255.255.0
R2(config-if)#encapsulation ppp
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/1/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1,
changed state to up
R2(config-if)#end
R2#show interfaces serial 0/1/1
Serial0/1/1 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 192.168.2.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP


The show interfaces command at the bottom of the example shows the normal output when the link is up and working. A few lines into the output, the phrase “Encapsulation PPP” shows that PPP is indeed configured, and “LCP Open” shows that LCP has completed its work successfully. Additionally, the output lists the fact that two CPs, IPCP and CDPCP, have also successfully been opened, all good indications that PPP is working properly.
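The same checks can be scripted. The following is an added example, not code from the original page or from Cisco: it parses the text of show interfaces for the fields that matter to PPP (interface and line protocol state, encapsulation, LCP state, and the list of open control protocols) and reports whether the link is healthy. The two sample outputs are constructed; the first matches the healthy output shown above, the second models the "up and down" state the text describes later for an authentication failure (the exact LCP state word IOS prints in that case varies, so anything other than Open is treated as a problem).

```python
import re

# Constructed sample, matching the `show interfaces serial 0/1/1` output shown
# above for a healthy PPP link.
SAMPLE_UP = """\
Serial0/1/1 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 192.168.2.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
"""

# Constructed sample for the "up and down" state after an authentication
# failure: physical layer up, line protocol down, LCP not Open. The LCP state
# word is an assumption for the demo; the check only cares that it is not Open.
SAMPLE_AUTH_FAILED = """\
Serial0/1/1 is up, line protocol is down
Hardware is HD64570
Internet address is 192.168.2.2/24
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Closed
"""


def ppp_status(show_output: str) -> dict:
    """Extract the PPP-relevant fields from `show interfaces` output."""
    status = {
        "interface_up": False,
        "line_protocol_up": False,
        "encapsulation": None,
        "lcp_state": None,
        "open_cps": [],
    }
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+) is (\S+), line protocol is (\S+)", line)
        if m:
            status["interface_up"] = m.group(2) == "up"
            status["line_protocol_up"] = m.group(3) == "up"
            continue
        m = re.match(r"^Encapsulation (\S+?),", line)
        if m:
            status["encapsulation"] = m.group(1)
            continue
        m = re.match(r"^LCP (\S+)", line)
        if m:
            status["lcp_state"] = m.group(1)
            continue
        m = re.match(r"^Open: (.+)", line)
        if m:
            status["open_cps"] = [cp.strip() for cp in m.group(1).split(",")]
    return status


def ppp_healthy(show_output: str, required_cps=("IPCP",)) -> bool:
    """True only when the line protocol is up, PPP is the encapsulation,
    LCP has reached Open and every required control protocol is Open."""
    s = ppp_status(show_output)
    return (
        s["line_protocol_up"]
        and s["encapsulation"] == "PPP"
        and s["lcp_state"] == "Open"
        and all(cp in s["open_cps"] for cp in required_cps)
    )


if __name__ == "__main__":
    print(ppp_status(SAMPLE_UP), ppp_healthy(SAMPLE_UP))
    print(ppp_status(SAMPLE_AUTH_FAILED), ppp_healthy(SAMPLE_AUTH_FAILED))
```

In practice you would feed the function the captured output of the command (from a terminal log or an automation library) and require whichever CPs your link needs, for example both IPCP and IPV6CP on a dual-stack link.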

CHAP

Although CHAP is optional, it should be configured to provide a secure point-to-point link. The simplest version of CHAP configuration requires only a few commands. The configuration uses a password configured on each router. As an alternative, the password could be configured on an external authentication, authorization, and accounting (AAA) server outside the router. The configuration steps are as follows:

Step 1
Configure the routers' hostnames using the hostname name global configuration command.

Step 2
Configure the name of the other router, and the shared secret password, using the username name password password global configuration command.


Step 3
Enable CHAP on the interface on each router using the ppp authentication chap interface subcommand.

R1(config)#username R2 password itsasecret
R1(config)#interface serial 0/0/1
R1(config-if)#ppp authentication chap
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1,
changed state to down

R2(config)#username R1 password itsasecret
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1,
changed state to up
R2(config)#interface serial 0/1/1
R2(config-if)#ppp authentication chap
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1,
changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1,
changed state to up

Notice that as soon as CHAP is configured on R1, the interface goes down. Then, on R2, after the password is configured correctly, the interface comes back up. Finally, it goes down briefly before coming back up when CHAP is configured on R2.

The commands themselves are not complicated, but it is easy to misconfigure the hostnames and passwords. Notice that each router refers to the other router’s hostname in the username command, but both routers must configure the same password value. Also, not only are the passwords (itsasecret in this case) case sensitive, but the hostnames, as referenced in the username command, are case sensitive as well.

Because CHAP is a function of LCP, if the authentication process fails, LCP does not complete, and the interface falls to an “up and down” state: the physical layer (Serial0/1/1 is up) stays up, but the line protocol is down.

PAP

Like CHAP, PAP is optional. You would only use it if one of the devices does not support CHAP, because PAP sends the username and password across the link in clear text. PAP uses the same username and hostname configuration as CHAP, with the ppp authentication pap interface subcommand used instead of ppp authentication chap; in addition, on Cisco IOS the router that must prove its identity needs the ppp pap sent-username name password password interface subcommand to tell it which credentials to send. The rest of the verification commands work the same, regardless of which of the two types of authentication is used. For example, if PAP authentication fails, LCP fails, and the link settles into an “up and down” state.

Cisco IOS Software also supports the capability to configure the router to first try one authentication method and, if the other side does not respond, try the other option. The full command syntax for the ppp authentication command is as follows:

Router(config-if)#ppp authentication {pap | chap | pap chap | chap pap}

For example, the ppp authentication chap pap interface subcommand tells the router to send CHAP messages first and, if no reply is received, to try PAP. The second option is not tried if CHAP messages flow between the two devices but the result is that authentication failed; the fallback is used only when the other device does not send back any messages at all.
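The following simulation ties together the PPP Authentication section above, the CHAP notes on case-sensitive hostnames and LCP failing, the PAP comparison, and the chap pap fallback rule. It is an added example, not code from the original page or from Cisco: two simulated routers keep an IOS-style username table (keyed by the peer's hostname, so lookups are case sensitive), run the CHAP challenge/response from RFC 1994 (MD5 over identifier, secret and challenge), or PAP in clear text, and record every message on the link so you can see what an eavesdropper would. The hostnames, secrets and the wordlist in the offline-guessing helper are constructed for the demo.

```python
"""Simulated PPP authentication phase: CHAP challenge/response (RFC 1994),
clear-text PAP, and the IOS-style "try CHAP, then PAP" fallback.
Added example, not the page's or Cisco's code; hostnames, secrets and the
guessing wordlist are constructed for the demo."""
import hashlib
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response-Value: MD5(Identifier || secret || Challenge-Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """One PPP endpoint. `users` mirrors the IOS `username <peer> password <secret>`
    table: keyed by the *peer's* hostname exactly as it appears in the CHAP/PAP
    Name field, so the lookup is case sensitive, like the IOS command."""

    def __init__(self, hostname, users, supports_chap=True):
        self.hostname = hostname
        self.users = users
        self.supports_chap = supports_chap

    # CHAP: the shared secret never leaves either router.
    def chap_challenge(self, identifier):
        return identifier, os.urandom(16), self.hostname

    def chap_respond(self, identifier, challenge, authenticator_name):
        secret = self.users.get(authenticator_name)
        if secret is None:
            return None  # no matching `username` line: nothing to answer with
        return chap_response(identifier, secret, challenge), self.hostname

    def chap_verify(self, identifier, challenge, name, value):
        secret = self.users.get(name)  # unknown or mis-cased hostname -> None
        return secret is not None and chap_response(identifier, secret, challenge) == value

    # PAP: name and password cross the link in clear text.
    def pap_request(self, authenticator_name):
        return self.hostname, self.users.get(authenticator_name, "")

    def pap_verify(self, name, password):
        return self.users.get(name) == password


def authenticate(authenticator, peer, methods=("chap",), wire=None):
    """Run the authentication phase as configured by `ppp authentication <methods>`.
    Returns (method_used, success). A later method is tried only when the peer
    sends nothing back for the earlier one; a CHAP exchange that completes and
    fails ends authentication (and LCP) right there. `wire` collects every
    message so the caller can inspect what crossed the link."""
    wire = wire if wire is not None else []
    for method in methods:
        if method == "chap":
            ident, chal, auth_name = authenticator.chap_challenge(identifier=1)
            wire.append(("CHAP Challenge", ident, chal, auth_name))
            reply = peer.chap_respond(ident, chal, auth_name) if peer.supports_chap else None
            if reply is None:
                continue  # silence: fall through to the next configured method
            value, name = reply
            wire.append(("CHAP Response", ident, value, name))
            ok = authenticator.chap_verify(ident, chal, name, value)
            wire.append(("CHAP Success" if ok else "CHAP Failure", ident))
            return "chap", ok
        if method == "pap":
            name, password = peer.pap_request(authenticator.hostname)
            wire.append(("PAP Authenticate-Request", name, password))  # secret in the clear
            ok = authenticator.pap_verify(name, password)
            wire.append(("PAP Authenticate-Ack" if ok else "PAP Authenticate-Nak",))
            return "pap", ok
    return "none", False  # no exchange happened: LCP cannot complete


def secret_on_wire(wire, secret):
    """True if the shared secret itself appears in any captured message."""
    return any(secret in f for msg in wire for f in msg if isinstance(f, str))


def offline_guess(identifier, challenge, value, wordlist):
    """What CHAP does not protect against: a captured challenge/response pair
    lets an eavesdropper test candidate secrets offline, so the secret must be
    strong, not merely hidden."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == value:
            return word
    return None


if __name__ == "__main__":
    r1 = Router("R1", {"R2": "itsasecret"})
    r2 = Router("R2", {"R1": "itsasecret"})
    wire = []
    print(authenticate(r1, r2, ("chap",), wire), secret_on_wire(wire, "itsasecret"))
```

Running the scenarios from the text against this model: matching username entries and secret give ("chap", True) with the secret never on the wire; a peer whose username line names "r2" instead of "R2" fails; a peer with the wrong secret fails even when pap is listed after chap, because CHAP messages did flow; a peer that never answers CHAP falls back to PAP and its password is then visible in the captured request.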



biOos