Thursday, 29 August 2024

What is PPP PAP and CHAP? How to configure PPP PAP CHAP authentication?

 WAN Protocols


High-Level Data Link Control (HDLC), in the form Cisco routers run, is a Cisco proprietary WAN protocol that provides reliable delivery of data frames over a network or communication link. Unlike PPP, HDLC does not support authentication. HDLC is the default protocol on serial links.

Point-to-Point Protocol (PPP) is used on serial links, Ethernet, Frame Relay, ATM, etc. PPP is a standard protocol that supports authentication, compression and error correction. PPP is not enabled by default; we need to configure it on the serial link.




Password Authentication Protocol (PAP) provides a simple method for a remote node to establish its identity. PAP is done only upon initial link establishment. PAP is not a strong authentication protocol because the username and password are sent across the link in clear text. PAP is supported by almost all network products on the market today and on different systems, but it is a security risk: because the username and password are sent in clear text, they can be easily accessed. PPP PAP offers no protection against replay attacks.

Challenge Handshake Authentication Protocol (CHAP) is an encrypted authentication method used to verify the identity of the peer. Once the PPP link establishment phase is complete, the local router sends a unique "challenge" message to the remote node. The remote node responds with a value (MD5), and the local router checks the response against its own calculation of the expected hash value. With CHAP the username is sent in clear text and the password is MD5 hashed, and CHAP also has replay protection.
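The difference between the two methods on the wire, as an added example that is not part of the original post: it builds a PAP Authenticate-Request (RFC 1334 layout) and a CHAP MD5 response (RFC 1994), then shows that a captured CHAP response fails against a new challenge. The class and function names are hypothetical, and the usernames and passwords are the lab's own values used as sample input.

```python
import hashlib
import hmac
import os
import struct

def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: code 1, identifier, length, then the
    length-prefixed Peer-ID and Password, both in clear text."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: hash over Identifier || shared secret || Challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side: one fresh random challenge per attempt."""
    def __init__(self, secrets: dict):
        self.secrets, self.ident, self.challenge = secrets, 0, b""

    def new_challenge(self):
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def verify(self, name: str, ident: int, value: bytes) -> bool:
        secret = self.secrets.get(name)
        challenge, self.challenge = self.challenge, b""  # a challenge is single use
        if secret is None or not challenge or ident != self.ident:
            return False
        expected = chap_response_value(ident, secret, challenge)
        return hmac.compare_digest(expected, value)

def demo() -> dict:
    # Sample input: the shared passwords configured in the lab.
    auth = ChapAuthenticator({"Site-A-R-": b"internetworks"})
    ident, challenge = auth.new_challenge()
    captured = chap_response_value(ident, b"internetworks", challenge)
    first = auth.verify("Site-A-R-", ident, captured)
    auth.new_challenge()                      # next attempt gets a new challenge
    replayed = auth.verify("Site-A-R-", ident, captured)
    pap = pap_authenticate_request(1, b"Headoffice-R-", b"google")
    return {"first": first, "replayed": replayed,
            "pap_leaks_password": b"google" in pap, "chap_value_len": len(captured)}
```

The PAP packet contains the password bytes verbatim, so a capture of it can be reused indefinitely, while the CHAP value is only valid for the one challenge it answered.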

Let's see the configuration of PAP and CHAP: https://youtu.be/ZXOXJLSXCG4?si=9qrXCMT8GRDlX8pJ

Topology:



Goal: First we configure CHAP authentication between router-1 and router-2; second we configure PAP between router-2 and router-3. In addition, we configure routing between the routers.

  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Make sure the interfaces and the default line protocol are up
  • Configure PPP on serial 5/0
  • Configure CHAP authentication between router-1 and router-2 on serial link 5/0
  • Verify with show commands before and after applying CHAP
  • Configure PAP authentication between router-2 and router-3
  • Verify with show commands before and after applying PAP







Site-A-R-(config)#interface serial 5/0
Site-A-R-(config-if)#ip address 192.168.1.1 255.255.255.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#exit
 
Site-A-R-(config)#interface fastethernet 0/0
Site-A-R-(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#exit

 

Headoffice-R-(config)#interface serial 5/0
Headoffice-R-(config-if)#ip address 192.168.1.2 255.255.255.0
Headoffice-R-(config-if)#no shutdown
Headoffice-R-(config-if)#exit
 
Headoffice-R-(config)#interface serial 5/1
Headoffice-R-(config-if)#ip address 192.168.2.1 255.255.255.0
Headoffice-R-(config-if)#no shutdown
Headoffice-R-(config-if)#exit

 

Site-B-R-(config)#interface serial 5/1
Site-B-R-(config-if)#ip address 192.168.2.2 255.255.255.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#exit
 
 
Site-B-R-(config)#interface fastethernet 0/0
Site-B-R-(config-if)#ip address 30.1.1.1 255.0.0.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#no keepalive
Site-B-R-(config-if)#exit

 

Site-A-R-(config)#router eigrp 1
Site-A-R-(config-router)#network 10.0.0.0
Site-A-R-(config-router)#network 192.168.1.0
Site-A-R-(config-router)#no auto-summary
Site-A-R-(config-router)#exit

Site-B-R-(config)#router eigrp 1
Site-B-R-(config-router)#network 30.0.0.0
Site-B-R-(config-router)#network 192.168.2.0
Site-B-R-(config-router)#no auto-summary
Site-B-R-(config-router)#exit

*Aug 28 17:44:41.883: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.2.1 (Serial5/1) is up: new adjacency

 

Site-A-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial5/0                  192.168.1.1     YES manual up                    up

 

Headoffice-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial5/0                  192.168.1.2     YES manual up                    up
Serial5/1                  192.168.2.1     YES manual up                    up

 

Site-A-R-#show interfaces serial 5/0
Serial5/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     212 packets input, 14595 bytes, 0 no buffer
     Received 140 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     242 packets output, 16267 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 




Site-A-R-(config)#interface serial 5/0
Site-A-R-(config-if)#encapsulation PPP

Site-A-R-(config-if)#PPP authentication ?
  chap        Challenge Handshake Authentication Protocol (CHAP)
  eap         Extensible Authentication Protocol (EAP)
  ms-chap     Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  ms-chap-v2  Microsoft CHAP Version 2 (MS-CHAP-V2)
  pap         Password Authentication Protocol (PAP)
 
Site-A-R-(config-if)#PPP authentication chap
Site-A-R-(config-if)#exit


Site-A-R-(config)#username Headoffice-R- password internetworks
Site-A-R-(config)#end

*Aug 28 17:52:18.371: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial5/0) is down: interface down
*Aug 28 17:52:21.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to down

*Aug 28 17:54:43.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to up
*Aug 28 17:54:44.035: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial5/0) is up: new adjacency


 

Headoffice-R-(config)#interface serial 5/0
Headoffice-R-(config-if)#encapsulation PPP
Headoffice-R-(config-if)#PPP authentication chap
Headoffice-R-(config-if)#exit

Headoffice-R-(config)#username Site-A-R- password internetworks

*Aug 28 17:53:15.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial5/0, changed state to up
*Aug 28 17:53:16.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial5/0) is up: new adjacency


 

 

Site-A-R-# show interface serial 5/0
Serial5/0 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:02:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     179 packets input, 5542 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     177 packets output, 4729 bytes, 0 underruns
     0 output errors, 0 collisions, 30 interface resets
     0 output buffer failures, 0 output buffers swapped out
     30 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 


{Second lab of PAP}


Headoffice-R-#show interface serial 5/1
Serial5/1 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.2.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     330 packets input, 21907 bytes, 0 no buffer
     Received 177 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     362 packets output, 25021 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 

 

 

Headoffice-R-(config)#interface serial 5/1
Headoffice-R-(config-if)#encapsulation PPP

Headoffice-R-(config-if)#PPP authentication ?
  chap        Challenge Handshake Authentication Protocol (CHAP)
  eap         Extensible Authentication Protocol (EAP)
  ms-chap     Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  ms-chap-v2  Microsoft CHAP Version 2 (MS-CHAP-V2)
  pap         Password Authentication Protocol (PAP)
 
Headoffice-R-(config-if)#PPP authentication pap
Headoffice-R-(config-if)#PPP pap sent-username Headoffice-R- password google
Headoffice-R-(config-if)#exit
 
Headoffice-R-(config)#username Site-B-R- password google
  
 
 

 


Site-B-R-(config)#interface serial 5/1
Site-B-R-(config-if)#encapsulation PPP
Site-B-R-(config-if)#PPP authentication pap
Site-B-R-(config-if)#PPP pap sent-username Site-B-R- password google
Site-B-R-(config-if)#exit
Site-B-R-(config)#username Headoffice-R- password google
Site-B-R-(config)#end


Site-B-R-#show interface serial 5/1
Serial5/1 is up, line protocol is up
  Hardware is M4T
  Internet address is 192.168.2.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:06:14
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     511 packets input, 14034 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     507 packets output, 12266 bytes, 0 underruns
     0 output errors, 0 collisions, 24 interface resets
     0 output buffer failures, 0 output buffers swapped out
     24 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
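A way to check a saved configuration for the weak spots this lab demonstrates (a serial link left on HDLC, PPP with no authentication, or PAP), as an added example that is not part of the original post. The sample config is constructed in running-config style from the lab's Headoffice commands; Serial5/2, its address and the function name are hypothetical.

```python
import re

# Constructed running-config excerpt modelled on the lab's Headoffice router,
# plus a hypothetical Serial5/2 left on the default HDLC encapsulation.
SAMPLE_CONFIG = """\
interface Serial5/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!
interface Serial5/1
 ip address 192.168.2.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Headoffice-R- password 0 google
!
interface Serial5/2
 ip address 192.168.3.1 255.255.255.0
!
"""

def audit_serial_auth(config: str) -> dict:
    """Map each Serial interface to a finding about its link authentication."""
    findings, current, body = {}, None, []
    def close():
        # Evaluate the interface block collected so far, if it is a serial one.
        if current and current.startswith("Serial"):
            text = "\n".join(body)
            methods = re.search(r"^ppp authentication (.+)$", text, re.M)
            if "encapsulation ppp" not in text:
                findings[current] = "no PPP: HDLC has no authentication"
            elif not methods:
                findings[current] = "PPP without authentication"
            elif "pap" in methods.group(1).split():
                findings[current] = "PAP: credentials cross the link in clear text"
            else:
                findings[current] = "ok: " + methods.group(1)
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            close()
            current, body = m.group(1), []
        elif current and line.startswith(" "):
            body.append(line.strip())
        elif current:            # "!" or any top-level line ends the block
            close()
            current = None
    close()
    return findings
```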

