Tuesday, December 6, 2011

PPP BASICS + AUTHENTICATION PAP + CHAP

PPP

  • PPP is a data link layer WAN encapsulation protocol.
  • On a serial interface the choice of encapsulation is typically PPP, Cisco HDLC or Frame Relay.
  • Cisco HDLC is a very basic WAN protocol: it provides the encapsulation but has few features compared to PPP.
  • Cisco HDLC is the default encapsulation on Cisco serial interfaces.
  • As well as being a WAN encapsulation, PPP can be carried over other layer 2 media: Ethernet (PPPoE), Frame Relay (PPPoFR) and ATM (PPPoA).
  • Features PPP supports natively: authentication (PAP/CHAP), multilink, fragmentation and interleaving, link quality monitoring, compression.
  • PPP negotiation starts with LCP (Link Control Protocol, not to be confused with LACP). Each side sends a Configure-Request carrying a magic number, a randomly generated number that identifies its end of the link.
  • If a router receives its own magic number back in the peer's Configure-Request it knows the line is looped back and will take the connection down.
  • LCP also negotiates link parameters such as the MRU/MTU and which authentication protocol (if any) will be used. Once LCP is open, authentication runs if it is configured, and only then do the upper layer protocols negotiate.
  • Each upper layer protocol has its own NCP (Network Control Protocol): IPv4 uses IPCP, IPv6 uses IPv6CP, CDP uses CDPCP.
  • IPCP sends the interface's address across the link; the neighbor takes that address and installs a host route to it. So even if the two ends were on different subnets they could still reach each other over this host route.





The figure above is the PPP frame format: flag, address (0xFF), control (0x03), a 2-byte protocol field, the data field, FCS, flag. The protocol field specifies what the payload in the data field is (IP, LCP, IPCP, CHAP and so on); the encapsulated packet itself is carried in the data field, and the FCS covers everything between the flags.
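The frame format in working code, as an added example that is not from the original post: it builds a PPP frame in HDLC-like framing (RFC 1661/1662), byte-stuffs it for an async link with the default ACCM, and parses it back the way a receiver has to: unstuff, check the 16-bit FCS, then read the protocol field to decide which protocol gets the payload. The sample payload is the LCP Configure-Request from the lab debug below (id 230, len 10, magic number option 05 06 13 6D 5A 5D), reconstructed here from the debug text; the function names are this example's own.

```python
# Added example (not code from the original post): PPP frame in HDLC-like
# framing per RFC 1661/1662. Assumes address/control and protocol field
# compression are both off (the LCP default), so the header is FF 03 + 2-byte
# protocol.
PPP_FLAG, PPP_ESC, PPP_ADDR, PPP_CTRL = 0x7E, 0x7D, 0xFF, 0x03
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8            # RFC 1662 FCS-16 constants

# protocol field values (assigned numbers) a receiver demultiplexes on
PROTOCOLS = {
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
    0x8021: "IPCP", 0x8057: "IPV6CP", 0x8207: "CDPCP",
    0x0021: "IPv4", 0x0057: "IPv6", 0x0207: "CDP",
}

# constructed sample payload: LCP Configure-Request, id 230 (0xE6), length 10,
# one option: type 5 (magic number), length 6, value 0x136D5A5D
LCP_CONFREQ_SAMPLE = bytes.fromhex("01e6000a0506136d5a5d")


def _make_fcs_table():
    table = []
    for byte in range(256):
        v = byte
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


FCS_TABLE = _make_fcs_table()


def fcs16(data, fcs=FCS_INIT):
    """RFC 1662 FCS-16 (CRC-16/X-25) over data, continuing from fcs."""
    for b in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ b) & 0xFF]
    return fcs


def stuff(raw):
    """Escape flag, escape and (default ACCM) every control char below 0x20."""
    out = bytearray()
    for b in raw:
        if b in (PPP_FLAG, PPP_ESC) or b < 0x20:
            out += bytes([PPP_ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unstuff(raw):
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b == PPP_ESC:
            i += 1
            if i >= len(raw):
                raise ValueError("dangling escape byte")
            b = raw[i] ^ 0x20
        out.append(b)
        i += 1
    return bytes(out)


def build_frame(protocol, payload):
    body = bytes([PPP_ADDR, PPP_CTRL]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])      # FCS goes on the wire low byte first
    return bytes([PPP_FLAG]) + stuff(body) + bytes([PPP_FLAG])


def parse_frame(frame):
    """Return (protocol name, protocol number, payload); ValueError on a bad frame."""
    if len(frame) < 2 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing flag")
    inner = frame[1:-1]
    if PPP_FLAG in inner:
        raise ValueError("flag inside frame (two frames run together?)")
    body = unstuff(inner)
    if len(body) < 6:                          # FF 03 + protocol + FCS is the minimum
        raise ValueError("frame too short")
    if fcs16(body) != FCS_GOOD:                # FCS run over body incl. FCS leaves 0xF0B8
        raise ValueError("bad FCS")
    if body[0] != PPP_ADDR or body[1] != PPP_CTRL:
        raise ValueError("address/control not FF 03")
    proto = int.from_bytes(body[2:4], "big")
    return PROTOCOLS.get(proto, "unknown"), proto, body[4:-2]


if __name__ == "__main__":
    frame = build_frame(0xC021, LCP_CONFREQ_SAMPLE)
    print(frame.hex())
    print(parse_frame(frame))
```

The order of the checks matters: the FCS is verified before anything in the header is trusted, so a corrupted protocol field is dropped rather than dispatched to the wrong protocol handler. Note that the FCS is an integrity check against line errors only; it is not a cryptographic MAC and says nothing about who sent the frame.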

PPP SESSION CREATION LAB

To start I turned on debug ppp negotiation and enabled PPP encapsulation on both interfaces. The following is the debug:

*Dec  6 21:52:13.091: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:13.091: Se0/1/0 LCP: O CONFREQ [REQsent] id 230 len 10
*Dec  6 21:52:13.091: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:15.107: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:15.107: Se0/1/0 LCP: O CONFREQ [REQsent] id 231 len 10
*Dec  6 21:52:15.107: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:17.123: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:17.123: Se0/1/0 LCP: O CONFREQ [REQsent] id 232 len 10
*Dec  6 21:52:17.123: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:19.139: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:19.139: Se0/1/0 LCP: O CONFREQ [REQsent] id 233 len 10
*Dec  6 21:52:19.139: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:21.155: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:21.155: Se0/1/0 LCP: O CONFREQ [REQsent] id 234 len 10
*Dec  6 21:52:21.155: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:23.171: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:23.171: Se0/1/0 LCP: O CONFREQ [REQsent] id 235 len 10
*Dec  6 21:52:23.171: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:25.187: Se0/1/0 LCP: Timeout: State REQsent
*Dec  6 21:52:25.187: Se0/1/0 LCP: O CONFREQ [REQsent] id 236 len 10
*Dec  6 21:52:25.187: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:26.491: Se0/1/0 LCP: I CONFREQ [REQsent] id 1 len 10
*Dec  6 21:52:26.491: Se0/1/0 LCP:    MagicNumber 0x132D5662 (0x0506132D5662)
*Dec  6 21:52:26.491: Se0/1/0 LCP: O CONFACK [REQsent] id 1 len 10
*Dec  6 21:52:26.491: Se0/1/0 LCP:    MagicNumber 0x132D5662 (0x0506132D5662)
*Dec  6 21:52:27.203: Se0/1/0 LCP: Timeout: State ACKsent
*Dec  6 21:52:27.203: Se0/1/0 LCP: O CONFREQ [ACKsent] id 237 len 10
*Dec  6 21:52:27.203: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:27.203: Se0/1/0 LCP: I CONFACK [ACKsent] id 237 len 10
*Dec  6 21:52:27.203: Se0/1/0 LCP:    MagicNumber 0x136D5A5D (0x0506136D5A5D)
*Dec  6 21:52:27.203: Se0/1/0 LCP: State is Open
*Dec  6 21:52:27.203: Se0/1/0 PPP: Phase is FORWARDING, Attempting Forward
*Dec  6 21:52:27.207: Se0/1/0 PPP: Queue IPCP code[1] id[1]
*Dec  6 21:52:27.207: Se0/1/0 PPP: Discarded CDPCP code[1] id[1]
*Dec  6 21:52:27.207: Se0/1/0 PPP: Phase is ESTABLISHING, Finish LCP
*Dec  6 21:52:27.207: Se0/1/0 PPP: Phase is UP
*Dec  6 21:52:27.207: Se0/1/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Dec  6 21:52:27.207: Se0/1/0 IPCP:    Address 10.164.48.2 (0x03060AA43002)
*Dec  6 21:52:27.207: Se0/1/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Dec  6 21:52:27.207: Se0/1/0 PPP: Process pending ncp packets
*Dec  6 21:52:27.207: Se0/1/0 IPCP: Redirect packet to Se0/1/0
*Dec  6 21:52:27.207: Se0/1/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Dec  6 21:52:27.207: Se0/1/0 IPCP:    Address 10.164.48.3 (0x03060AA43003)
*Dec  6 21:52:27.207: Se0/1/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Dec  6 21:52:27.207: Se0/1/0 IPCP:    Address 10.164.48.3 (0x03060AA43003)
*Dec  6 21:52:27.211: Se0/1/0 CDPCP: I CONFACK [REQsent] id 1 len 4
*Dec  6 21:52:27.211: Se0/1/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Dec  6 21:52:27.211: Se0/1/0 IPCP:    Address 10.164.48.2 (0x03060AA43002)
*Dec  6 21:52:27.211: Se0/1/0 IPCP: State is Open
*Dec  6 21:52:27.211: Se0/1/0 IPCP: Install route to 10.164.48.3
*Dec  6 21:52:27.211: Se0/1/0 IPCP: Add link info for cef entry 10.164.48.3
*Dec  6 21:52:28.491: Se0/1/0 PPP: Outbound cdp packet dropped
*Dec  6 21:52:28.491: Se0/1/0 IPCP: Install route to 10.164.48.3
*Dec  6 21:52:28.495: Se0/1/0 IPCP: Add link info for cef entry 10.164.48.3
*Dec  6 21:52:29.203: Se0/1/0 CDPCP: I CONFREQ [ACKrcvd] id 2 len 4
*Dec  6 21:52:29.203: Se0/1/0 CDPCP: O CONFACK [ACKrcvd] id 2 len 4
*Dec  6 21:52:29.203: Se0/1/0 CDPCP: State is Open
*Dec  6 21:52:29.479: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state to up
*Dec  6 21:52:54.279: %SYS-5-CONFIG_I: Configure

When we bring up the PPP interface the physical layer comes up first, then PPP negotiation starts with LCP,
both sides exchanging a magic number. Each side generates its magic number randomly, per interface, and sends it
to the PPP neighbor in its Configure-Request; the neighbor acknowledges it with a Configure-Ack. If an interface receives its own magic number back it knows there is a layer 2 loop on the line, and it reacts by taking the line down.

PPP uses LCP (Link Control Protocol) to negotiate the link itself: authentication, MTU/MRU, magic number, etc. The upper layer protocols then have their own negotiation (IP address, routing, etc.) through their NCPs:
For IPv4 - IPCP (IP Control Protocol)
For IPv6 - IPv6CP
For CDP - CDPCP
and so on.

In the output above:
1) the physical connection comes up and PPP starts LCP
2) LCP negotiates and the magic numbers are exchanged (0x136D5A5D outbound, 0x132D5662 inbound); this is where PPP authentication
would occur if configured
3) the upper layer protocol IPCP negotiates the use of IPv4: this router sends its address 10.164.48.2 to the neighbor on the link and receives the neighbor's address 10.164.48.3. By default PPP then installs a host route to the neighbor's address ("IPCP: Install route to 10.164.48.3")
4) the line protocol comes up and the interface is up/up

The peer neighbor route is a feature of PPP: when IPCP negotiation takes place it puts a
host route (/32) in the routing table for the neighbor's IP address.
That address can be on a completely different subnet, so in PPP it is possible for two neighbors on different subnets to
communicate, ping, etc. If you do not want this behaviour it can be turned off per interface with no peer neighbor-route.
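The LCP magic number exchange and loop check described above, as an added example that is not part of the original post. It encodes and decodes LCP Configure-Request packets using the two magic numbers seen in the debug (0x136D5A5D for this router, 0x132D5662 for the neighbor) and applies the RFC 1661 rule: a Configure-Request carrying our own magic number means our packet came back to us, so answer with a Configure-Nak proposing a fresh magic number, and treat repeated hits as a looped line. The LcpEnd class, the "ack"/"loop" verdicts and the LOOP_THRESHOLD of three hits are this example's own assumptions; the page does not say how many hits IOS needs before it pulls the line.

```python
# Added example (not from the original post): LCP Configure-Request handling
# with the magic number loop check from RFC 1661 section 6.4.
import os
import struct

LCP_CONFREQ, LCP_CONFACK, LCP_CONFNAK, LCP_CONFREJ = 1, 2, 3, 4
OPT_MRU, OPT_AUTH_PROTO, OPT_MAGIC = 1, 3, 5
LOOP_THRESHOLD = 3      # assumption for this example, not an IOS-documented value


def build_lcp(code, ident, options):
    """options: list of (type, value bytes); each option is TLV with len incl. header."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_lcp(pkt):
    if len(pkt) < 4:
        raise ValueError("short LCP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    opts, i = [], 4
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated option header")
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:           # a malformed option must not run past the packet
            raise ValueError("bad option length")
        opts.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, opts


class LcpEnd:
    """One end of the link: owns a magic number and judges incoming Configure-Requests."""

    def __init__(self, magic=None):
        self.magic = magic if magic is not None else self._new_magic()
        self.loop_hits = 0

    @staticmethod
    def _new_magic():
        return int.from_bytes(os.urandom(4), "big") or 1   # zero means "no magic"

    def our_confreq(self, ident):
        return build_lcp(LCP_CONFREQ, ident, [(OPT_MAGIC, self.magic.to_bytes(4, "big"))])

    def handle_confreq(self, pkt):
        """Return ("ack", Configure-Ack) or ("loop", Configure-Nak with a new magic)."""
        code, ident, opts = parse_lcp(pkt)
        if code != LCP_CONFREQ:
            raise ValueError("not a Configure-Request")
        for t, v in opts:
            if t == OPT_MAGIC and len(v) == 4 and int.from_bytes(v, "big") == self.magic:
                # our own request came back: the line is looped. Nak with a new
                # magic so a genuine peer that happened to collide can recover.
                self.loop_hits += 1
                new = self._new_magic()
                while new == self.magic:
                    new = self._new_magic()
                self.magic = new
                return "loop", build_lcp(LCP_CONFNAK, ident, [(OPT_MAGIC, new.to_bytes(4, "big"))])
        return "ack", build_lcp(LCP_CONFACK, ident, opts)

    @property
    def looped(self):
        return self.loop_hits >= LOOP_THRESHOLD


if __name__ == "__main__":
    me = LcpEnd(0x136D5A5D)
    print(me.handle_confreq(build_lcp(LCP_CONFREQ, 1, [(OPT_MAGIC, bytes.fromhex("132d5662"))])))
    print(me.handle_confreq(me.our_confreq(230)))
```

Two things worth noticing: the Nak-with-new-magic step is what distinguishes a real loop from two peers that picked the same random value, and the option parser refuses any TLV whose length runs past the packet, which is the usual failure in hand-rolled PPP option parsers.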

PPP Authentication

There are 2 main types of authentication for PPP:

  • PAP (Password Authentication Protocol) - username and password sent in clear text

  • CHAP (Challenge Handshake Authentication Protocol) - username sent in clear text, but the password itself never crosses the link: the authenticator sends a random challenge and the peer answers with an MD5 hash of (id + shared secret + challenge)
You may also see vendor variants of CHAP such as Microsoft MS-CHAP v1 and v2, or EAP.

Authentication can be one way, i.e. authentication is required for one router connecting in to
another, or bidirectional, where both sides have to authenticate each other.


PAP COMMANDS

Authentication is a 3 step process.

On the router that will be doing the authenticating:
1) Authentication Request
int s0/0
ppp authentication pap    - sets the interface to demand PAP from the peer when a connection
attempt is made
2) Authentication response
The neighbor router responds to the authentication request with a username and password:

ppp pap sent-username eoghan password 0 cisco - the credentials this router sends when asked to authenticate.

3) Verification: the authenticator checks the username and password pair and permits or denies the link. This works off the local database unless AAA is configured, in which case it works off the AAA server:

username eoghan password cisco
After the PPP link establishment phase is done the username and password pair is sent across the link repeatedly until either the authentication is acknowledged or the connection is terminated.
PAP is not secure: the username and password are sent in clear text, so anyone who can tap the serial line (or sit on a PPPoE segment) can read them straight out of the frame.
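To make the clear text point concrete, here is the PAP Authenticate-Request (RFC 1334) that ppp pap sent-username eoghan password 0 cisco puts on the wire, as an added example that is not from the original post. It builds the packet, parses it the way a sniffer on the line would, and then checks it against a local username database the way the authenticator does. The lab's credentials (eoghan/cisco, id 35) are used so the length can be compared with the "I AUTH-REQ id 35 len 17" line in the debug below; the function names and the dictionary standing in for the local database are this example's own.

```python
# Added example (not from the original post): PAP Authenticate-Request build,
# parse and verify, per RFC 1334.
import hmac
import struct

PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3


def build_auth_request(ident, peer_id, password):
    """Code 1, id, length, peer-id-length, peer-id, passwd-length, passwd."""
    pid, pw = peer_id.encode("ascii"), password.encode("ascii")
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body


def parse_auth_request(pkt):
    """What anyone sniffing the link sees: (id, username, password) in the clear."""
    if len(pkt) < 6:
        raise ValueError("short PAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQ or length < 6 or length > len(pkt):
        raise ValueError("not a PAP Authenticate-Request")
    i = 4
    pid_len = pkt[i]
    peer_id = pkt[i + 1:i + 1 + pid_len]
    i += 1 + pid_len
    if i >= length:
        raise ValueError("truncated peer-id")
    pw_len = pkt[i]
    password = pkt[i + 1:i + 1 + pw_len]
    if i + 1 + pw_len != length:
        raise ValueError("length field does not match fields")
    return ident, peer_id.decode("ascii"), password.decode("ascii")


def authenticate(pkt, local_users):
    """Authenticator side. local_users stands in for 'username X password Y' entries.

    Returns (ok, reply) where reply is an Authenticate-Ack or Authenticate-Nak.
    """
    ident, user, pw = parse_auth_request(pkt)
    expected = local_users.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), pw.encode())
    code = PAP_AUTH_ACK if ok else PAP_AUTH_NAK
    msg = b"" if ok else b"Authentication failed"
    # Ack/Nak: code, id, length, msg-length, message
    return ok, struct.pack("!BBH", code, ident, 5 + len(msg)) + bytes([len(msg)]) + msg


if __name__ == "__main__":
    req = build_auth_request(35, "eoghan", "cisco")
    print(req.hex())                      # the password is right there in ASCII
    print(parse_auth_request(req))
    print(authenticate(req, {}))          # r5 before 'username eoghan' was added
    print(authenticate(req, {"eoghan": "cisco"}))
```

The constant-time comparison in authenticate is there because the authenticator's comparison is the only thing that is not already public; it does nothing for the fundamental problem, which is that the secret itself is in the packet.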

CHAP COMMANDS

R1

int s0/0
encap ppp
ppp authentication chap - require CHAP from the peer on this interface

username r2 password cisco

R2

int s0/0
encap ppp
ppp authentication chap

username r1 password cisco

By default the name a router puts in its CHAP challenges and responses is its own hostname (ppp chap hostname overrides it), so each router needs a username entry for the other router's hostname, and both entries must hold the same shared secret (cisco above). If you do not want a per-peer username entry you can configure a default secret on the interface instead:

int s0/0
encap ppp
ppp authentication chap
ppp chap password cisco   - used as the CHAP secret for any peer whose name has no username entry, so any peer that knows the secret cisco is accepted regardless of the name it sends





LAB

On r5 I have configured the following:
r5#sh run int s0/1/0
Building configuration...
Current configuration : 110 bytes
!
interface Serial0/1/0
 ip address 10.164.48.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
end
On r4 I have configured the following:
r4#sh run interface s0/1/0
Building configuration...
Current configuration : 167 bytes
!
interface Serial0/1/0
 ip address 10.164.48.3 255.255.255.0
 encapsulation ppp
 no keepalive
 clock rate 2000000
 ppp pap sent-username eoghan password 0 cisco
The line protocol is still down:

Serial0/1/0                10.164.48.3     YES manual up                    down
With debug ppp authentication on r5 (the authenticator, which is where the inbound AUTH-REQ shows up):
*Dec  6 22:14:29.987: Se0/1/0 LCP: State is Open
*Dec  6 22:14:29.987: Se0/1/0 PPP: Phase is AUTHENTICATING, by this end
*Dec  6 22:14:29.991: Se0/1/0 PAP: I AUTH-REQ id 35 len 17 from "eoghan"
*Dec  6 22:14:29.991: Se0/1/0 PAP: Authenticating peer eoghan
*Dec  6 22:14:29.991: Se0/1/0 PPP: Phase is FORWARDING, Attempting Forward
*Dec  6 22:14:29.991: Se0/1/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Dec  6 22:14:29.991: Se0/1/0 PPP: Sent PAP LOGIN Requestting peer eoghan
*Dec  6 22:14:25.959: Se0/1/0 PPP: Phase is FORWARDING, Attempting Forward
*Dec  6 22:14:25.959: Se0/1/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Dec  6 22:14:25.959: Se0/1/0 PPP: Sent PAP LOGIN Request
I see it trying to authenticate peer eoghan (the sent-username) but it keeps reporting an
unauthenticated user, because that username is not in the local database of r5.

r5(config)#username eoghan password cisco
r5(config)#exit
r5#
*Dec  6 22:19:06.787: %SYS-5-CONFIG_I: Configured from console by console
*Dec  6 22:19:07.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state to up
The minute I configure the username and password locally on r5 the line protocol
comes up.

PPP CHAP Authentication

This time we will look at CHAP, the MD5 challenge/response authentication. The username is sent as clear text; the password itself is never sent, only an MD5 hash computed over the id, the shared secret and the challenge.


On r5 I have enabled CHAP:
interface Serial0/1/0
 ip address 10.164.48.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
end
Serial0/1/0                10.164.48.2     YES manual up                    down
The line protocol has gone down:



*Dec  6 22:23:31.119: Se0/1/0 LCP: State is Open
*Dec  6 22:23:31.119: Se0/1/0 PPP: Phase is AUTHENTICATING, by this end
*Dec  6 22:23:31.119: Se0/1/0 CHAP: O CHALLENGE id 58 len 23 from "r5"
*Dec  6 22:23:31.119: Se0/1/0 LCP: I TERMREQ [Open] id 65 len 4
*Dec  6 22:23:31.119: Se0/1/0 LCP: O TERMACK [Open] id 65 len 4
*Dec  6 22:23:31.119: Se0/1/0 PPP: Sending Acct Event[Down] id[10A]
*Dec  6 22:23:31.119: Se0/1/0 PPP: Phase is TERMINATING
*Dec  6 22:23:33.123: Se0/1/0 LCP: Timeout: State TERMsent
*Dec  6 22:23:33.123: Se0/1/0 LCP: State is Closed
*Dec  6 22:23:33.123: Se0/1/0 PPP: Phase is DOWN

From the debug, r5 keeps sending a challenge carrying its own name, r5. This is typical CHAP
behaviour: the name in the challenge defaults to the hostname of the router issuing the
challenge, and the peer uses that name to look up which secret to answer with. r4 has no username entry for r5, so it has nothing to answer with and simply terminates the link (the TERMREQ above). So I add a
username and password for r5 on r4:
r4(config)#username r5 password cisco
r4(config)#exit
Serial0/1/0                10.164.48.3     YES manual up                    down
The line protocol is still down. From the debug on r4:

r4#
*Dec  6 22:13:54.035: Se0/1/0 PPP: Authorization required
*Dec  6 22:13:54.035: Se0/1/0 PPP: No authorization without authentication
*Dec  6 22:13:54.039: Se0/1/0 CHAP: I CHALLENGE id 168 len 23 from "r5"
*Dec  6 22:13:54.039: Se0/1/0 CHAP: Using hostname from unknown source
*Dec  6 22:13:54.039: Se0/1/0 CHAP: Using password from AAA
*Dec  6 22:13:54.039: Se0/1/0 CHAP: O RESPONSE id 168 len 23 from "r4"
*Dec  6 22:13:54.043: Se0/1/0 CHAP: I FAILURE id 168 len 25 msg is "Authentication failed"
r4#
*Dec  6 22:13:58.067: Se0/1/0 PPP: Authorization required
*Dec  6 22:13:58.067: Se0/1/0 PPP: No authorization without authentication
*Dec  6 22:13:58.071: Se0/1/0 CHAP: I CHALLENGE id 169 len 23 from "r5"
*Dec  6 22:13:58.071: Se0/1/0 CHAP: Using hostname from unknown source
*Dec  6 22:13:58.071: Se0/1/0 CHAP: Using password from AAA
*Dec  6 22:13:58.071: Se0/1/0 CHAP: O RESPONSE id 169 len 23 from "r4"
*Dec  6 22:13:58.075: Se0/1/0 CHAP: I FAILURE id 169 len 25 msg is "Authentication failed"
r4#u all
All possible debugging has been turned off
r4#
r4#
r4 now answers every challenge with a response carrying its own name, r4, and r5 keeps
rejecting it with "Authentication failed": r5 has no username entry for r4, so it has no secret to compute the expected hash with.
When I go on r5:
r5#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r5(config)#username r4 password cisco
r5(config)#
*Dec  6 22:30:17.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state to up
When I configure the username r4 it goes up/up.

Basically each side needs a username entry for the hostname the other side will send, and both
entries must hold the same shared secret. r5 is authenticating r4, so it looks up username r4
in its database: the password is not sent across the link, so the router needs the secret itself
to compute MD5(id + secret + challenge). r5 computes that hash over the challenge it sent and the
secret stored for r4, and if the result matches the hash r4 sent back it allows
the connection.

You can also do it another way:
interface Serial0/1/0
 ip address 10.164.48.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap password 0 cisco
end

That is, configure the secret on the interface. Any router can then connect with any name
as long as its response was computed with the secret cisco set as ppp chap password on the interface;
it acts as a default for any connection coming in. Be aware that this turns CHAP into a group shared secret: the name in the response no longer identifies which peer is connecting.
One thing to watch out for when setting the password: configure the username with password (type 0, or type 7 once service password-encryption is on), not with secret. secret stores a one-way hash, and the router needs the actual secret to compute the CHAP MD5 hash, so with secret the authentication fails. The flip side is that type 7 is reversible by design (the router has to recover the secret), so the running config effectively holds the CHAP secret in the clear and should be protected accordingly.
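The CHAP exchange as the r4/r5 lab plays it, as an added example that is not from the original post: r5 challenges with its hostname and a random 16-byte value, r4 looks up the secret stored under username r5 and answers with MD5(id + secret + challenge) under its own hostname, and r5 verifies using the secret stored under username r4 (RFC 1994). It also covers the three failure modes seen in the lab and in the note above: a peer with no secret to answer with, an authenticator with no entry for the peer's name, and a username stored as a one-way hash instead of the secret. The hostnames, the secret cisco and the ids 58 and 168 are the lab's; the Router class, the lookup order (username entry first, then ppp chap password as the interface default) and the replay check are this example's own assumptions.

```python
# Added example (not from the original post): CHAP challenge/response per
# RFC 1994, authenticator and peer side, with the lab's r4/r5 names.
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(ident, secret, challenge):
    """RFC 1994 4.1: MD5 over identifier, then secret, then challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap(code, ident, value, name):
    """Challenge/Response: code, id, length, value-size, value, name."""
    body = bytes([len(value)]) + value + name.encode("ascii")
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt):
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 5 or length > len(pkt) or 5 + pkt[4] > length:
        raise ValueError("bad CHAP length")
    vlen = pkt[4]
    return code, ident, pkt[5:5 + vlen], pkt[5 + vlen:length].decode("ascii")


def build_result(code, ident, msg):
    """Success/Failure: code, id, length, message (no length byte for the message)."""
    return struct.pack("!BBH", code, ident, 4 + len(msg)) + msg


class Router:
    def __init__(self, hostname, users=None, chap_password=None):
        self.hostname = hostname
        self.users = users or {}            # 'username X password Y' entries (reversible/plain)
        self.chap_password = chap_password  # 'ppp chap password Y' on the interface, if any
        self.pending = {}                   # id -> challenge value we issued, consumed once

    def secret_for(self, peer_name):
        pw = self.users.get(peer_name)
        if pw is None:
            pw = self.chap_password          # interface default only when no entry matches
        return None if pw is None else pw.encode("ascii")

    def challenge(self, ident):
        value = os.urandom(16)
        self.pending[ident] = value
        return build_chap(CHAP_CHALLENGE, ident, value, self.hostname)

    def respond(self, pkt):
        """Peer side: answer a challenge, or None if we hold no secret for the challenger."""
        code, ident, chal, challenger = parse_chap(pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("not a CHAP Challenge")
        secret = self.secret_for(challenger)
        if secret is None:
            return None                      # r4 before 'username r5' was added: nothing to say
        return build_chap(CHAP_RESPONSE, ident, chap_hash(ident, secret, chal), self.hostname)

    def verify(self, pkt):
        """Authenticator side: (ok, Success or Failure packet)."""
        code, ident, resp, responder = parse_chap(pkt)
        if code != CHAP_RESPONSE:
            raise ValueError("not a CHAP Response")
        chal = self.pending.pop(ident, None)  # each challenge is good for one response
        secret = self.secret_for(responder)
        ok = (chal is not None and secret is not None
              and hmac.compare_digest(resp, chap_hash(ident, secret, chal)))
        if ok:
            return True, build_result(CHAP_SUCCESS, ident, b"")
        return False, build_result(CHAP_FAILURE, ident, b"Authentication failed")


if __name__ == "__main__":
    r5 = Router("r5", users={"r4": "cisco"})
    r4 = Router("r4", users={"r5": "cisco"})
    ch = r5.challenge(58)
    print(parse_chap(ch), len(ch))          # name r5, len 23 as in the debug
    print(r5.verify(r4.respond(ch)))
```

Two caveats the exchange makes visible. The authenticator must hold the secret in recoverable form (secret_for returns the configured string, not a hash of it), which is exactly why username ... secret breaks CHAP. And because the response is a plain MD5 over a value the attacker can see, anyone capturing a challenge/response pair can brute-force the shared secret offline, so CHAP protects the secret from casual sniffing but not from a dictionary attack on a weak password.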
