CHAP Authentication


8/10/2019 CHAP Authentication 1/5

Transactional Example

The diagrams in this section show the series of events that occur during a CHAP authentication between two routers. These do not represent the actual messages seen in the debug ppp negotiation command output. For more information, refer to Understanding debug ppp negotiation Output.

Call

Figure 2 The Call Comes In

Figure 2 shows these steps:

1. The call comes in to 3640-1. The incoming interface is configured with the ppp authentication chap command.

2. LCP negotiates CHAP and MD5. For more information on how to determine this, refer to Understanding the debug ppp negotiation Output.

3. A CHAP challenge from 3640-1 to the calling router is required on this call.

Challenge

Figure 3 A CHAP Challenge Packet is Built

Figure 3 illustrates these steps in the CHAP authentication between the two routers:

1. A CHAP challenge packet is built with these characteristics:

   o 01: challenge packet type identifier.

   o ID: sequential number that identifies the challenge.

   o random: a reasonably random number generated by the router.

   o 3640-1: the authentication name of the challenger.

2. The ID and random values are kept on the called router.

3. The challenge packet is sent to the calling router. A list of outstanding challenges is maintained.


Response

Figure 4 Receipt and MD5 Processing of the Challenge Packet from the Peer

Figure 4 illustrates how the challenge packet is received from the peer and processed (MD5).

1. The ID value is fed into the MD5 hash generator.

2. The random value is fed into the MD5 hash generator.

3. The name 3640-1 is used to look up the password. The router looks for an entry that matches the username in the challenge. In this example, it looks for:

   766-1(config)#username 3640-1 password pc1

4. The password is fed into the MD5 hash generator.

The result is the one-way MD5-hashed CHAP challenge that is sent back in the CHAP response.

Figure 5 The CHAP Response Packet Sent to the Authenticator is Built

1. The response packet is assembled from these components:

   o 02: CHAP response packet type identifier.

   o ID: copied from the challenge packet.

   o hash: the output from the MD5 hash generator (the hashed information from the challenge packet).

   o 766-1: the authentication name of this device. This is needed for the peer to look up the username and password entry needed to verify identity (this is explained in more detail in the Verify CHAP section).

2. The response packet is then sent to the challenger.

Verify CHAP

The Challenger Processes the Response Packet

Figure 6 shows how the challenger processes the response packet. Here are the steps involved on the authenticator:

1. The ID is used to find the original challenge packet.

2. The ID is fed into the MD5 hash generator.

3. The original challenge random value is fed into the MD5 hash generator.

4. The name 766-1 is used to look up the password from one of these sources:

   o Local username and password database.

   o RADIUS or TACACS+ server.

5. The password is fed into the MD5 hash generator.

6. The hash value received in the response packet is then compared with the calculated MD5 hash value. CHAP authentication succeeds if the calculated and the received hash values are equal.

Result

Success Message is Sent to the Calling Router

Figure 7 illustrates the success message sent to the calling router. It involves these steps:

1. If authentication is successful, a CHAP success packet is built from these components:

   o CHAP success message type.

   o ID: copied from the response packet.

   o "Welcome in" is simply a text message that provides a user-readable explanation.

2. If authentication fails, a CHAP failure packet is built from these components:

   o 04: CHAP failure message type.

   o ID: copied from the response packet.

   o "Authentication failure" or another text message that provides a user-readable explanation.

3. The success or failure packet is then sent to the calling router.
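The challenge, response, verify and result steps above, modelled end to end as an added example (this is not code from the Cisco document): 3640-1 acts as the challenger and keeps its outstanding challenges by ID, 766-1 answers with the hash, and 3640-1 compares and sends Success or Failure. The packet layout and the hash input order (Identifier, then secret, then challenge value) follow RFC 1994; the class and function names, the 16-byte random value and the `username 766-1 password pc1` entry assumed to exist on 3640-1 are constructions for this example.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 Code values

def chap_hash(ident, secret, challenge):
    # RFC 1994 response value: MD5 over Identifier || secret || Challenge Value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def build_packet(code, ident, tail, value=b""):
    # Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name.
    # Success/Failure:    Code, Identifier, Length, Message (no Value-Size).
    body = (bytes([len(value)]) + value if code in (CHALLENGE, RESPONSE) else b"") + tail
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("CHAP Length field does not match the packet")
    if code in (SUCCESS, FAILURE):
        return code, ident, b"", pkt[4:]                  # message only
    if length < 5 or 5 + pkt[4] > length:
        raise ValueError("CHAP Value-Size exceeds the packet")
    return code, ident, pkt[5:5 + pkt[4]], pkt[5 + pkt[4]:]   # value, name

class Authenticator:
    """Called router (3640-1 in the text): issues challenges, verifies responses."""
    def __init__(self, name, users):
        self.name, self.users, self.outstanding, self.next_id = name, users, {}, 1

    def challenge(self, rand=None):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        rand = rand or os.urandom(16)          # the "random" value of the text
        self.outstanding[ident] = rand         # ID -> random, kept for the verify step
        return build_packet(CHALLENGE, ident, self.name, rand)

    def verify(self, pkt):
        code, ident, received, peer = parse_packet(pkt)
        rand = self.outstanding.pop(ident, None)  # ID finds the original challenge; one use only
        secret = self.users.get(peer)             # peer's name -> local password entry
        ok = (code == RESPONSE and rand is not None and secret is not None
              and hmac.compare_digest(received, chap_hash(ident, secret, rand)))
        return build_packet(SUCCESS if ok else FAILURE, ident,
                            b"Welcome in" if ok else b"Authentication failure")

def respond(pkt, my_name, users):
    """Calling router (766-1): look up the challenger's name, hash, build the response."""
    _, ident, rand, challenger = parse_packet(pkt)
    secret = users[challenger]   # on 766-1: username 3640-1 password pc1
    return build_packet(RESPONSE, ident, my_name, chap_hash(ident, secret, rand))
```

Because the random value is popped from the outstanding list when the response is checked, a second copy of the same response packet is rejected, which is the property that makes the challenge worth tracking per ID.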

CHAP Configuration Commands and Options

Table 2 lists the CHAP commands and options:

Table 2 CHAP Commands and Options

Command: ppp authentication {chap | ms-chap | ms-chap-v2 | eap | pap} [callin]
Description: This command enables local authentication of the remote PPP peer with the specified protocol.

Command: ppp chap hostname username
Description: This command defines an interface-specific CHAP hostname. Refer to PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands for more information.

Command: ppp chap password password
Description: This command defines an interface-specific CHAP password.

Command: ppp direction {callin | callout | dedicated}
Description: This command forces a call direction. Use this command when a router is confused as to whether the call is incoming or outgoing (for example, when connected back-to-back or connected by leased lines and the Channel Service Unit or Data Service Unit (CSU