拓补如上
 
PAPPassword Authentication Protocol,口令认证协议)实例配置:
 
R1
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#HOstname R1
R1(config)#interface s1/0
R1(config-if)#ip address 12.1.1.1 255.255.255.0
R1(config-if)#encapsulation ppp     --封装协议PPP
R1(config-if)#no sh
R1(config-if)#ppp authentication pap     --PPP认证类型PAP
R1(config-if)#exit
R1(config)#username cisco password cisco     --建立本地用户作为对端的身份认证用户
R1(config)#end
R1#
 
 
 
 
R2
 
Router>
Router>en
Router#conf t
Router(config)#hostname R2
R2(config)#interface s1/0
R2(config-if)#encapsulation ppp
R2(config-if)#ip address 12.1.1.2 255.255.255.0
R2(config-if)#no sh
 
R2(config-if)#ppp pap sent-username cisco password cisco    --设置对端用户密码
R2(config-if)#end
 
验证:
r1(config-if)#
6d00h: Se1 PPP: Treating connection as a dedicated line
6d00h: Se1 LCP: O CONFREQ [Closed] id 87 len 14
6d00h: Se1 LCP:    AuthProto PAP (0x0304C023)
6d00h: Se1 LCP:    MagicNumber 0x1F1A390F (0x05061F1A390F)
6d00h: Se1 PPP: I pkt type 0xC021, datagramsize 14
6d00h: Se1 PPP: I pkt type 0xC021, datagramsize 18
6d00h: Se1 LCP: I CONFREQ [REQsent] id 34 len 10
6d00h: Se1 LCP:    MagicNumber 0xFFBD6ADC (0x0506FFBD6ADC)
6d00h: Se1 LCP: O CONFACK [REQsent] id 34 len 10
6d00h: Se1 LCP:    MagicNumber 0xFFBD6ADC (0x0506FFBD6ADC)
6d00h: Se1 LCP: I CONFACK [ACKsent] id 87 len 14
6d00h: Se1 LCP:    AuthProto PAP (0x0304C023)
6d00h: Se1 LCP:    MagicNumber 0x1F1A390F (0x05061F1A390F)
6d00h: Se1 PPP: I pkt type 0xC023, datagramsize 20
6d00h: Se1 PAP: I AUTH-REQ id 3 len 16 from "cisco"
d00h: Se1 PAP: Authenticating peer cisco 6
6d00h: Se1 PAP: O AUTH-ACK id 3 len 5
6d00h: Se1 IPCP: O CONFREQ [Closed] id 3 len 10
6d00h: Se1 PPP: I pkt type 0x8021, datagramsize 14
6d00h: Se1 PPP: I pkt type 0x8207, datagramsize 8
6d00h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)
6d00h: Se1 CDPCP: O CONFREQ [Closed] id 3 len 4
6d00h: Se1 PPP: I pkt type 0x8021, datagramsize 14
6d00h: Se1 PPP: I pkt type 0x8207, datagramsize 8
6d00h: Se1 IPCP: I CONFREQ [REQsent] id 3 len 10
6d00h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)
6d00h: Se1 IPCP: O CONFACK [REQsent] id 3 len 10
6d00h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)
6d00h: Se1 CDPCP: I CONFREQ [REQsent] id 3 len 4
6d00h: Se1 CDPCP: O CONFACK [REQsent] id 3 len 4
6d00h: Se1 IPCP: I CONFACK [ACKsent] id 3 len 10
6d00h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)
6d00h: Se1 CDPCP: I CONFACK [ACKsent] id 3 len 4
6d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
6d00h: Se1 PPP: I pkt type 0x0207, datagramsize 279
6d00h: Se1 PPP: I pkt type 0x0207, datagramsize 279
6d00h: Se1 PPP: I pkt type 0x0207, datagramsize 279
 
 
 
CHAPChallenge Handshake Authentication Protocol,质询握手认证协议)实例配置:
R1
 
r1(config)#
r1(config)#interface s1/0
r1(config-if)#ip address 12.1.1.1 255.255.255.0
r1(config-if)#encapsulation ppp
r1(config-if)#ppp authentication chap     --PPP认证CHAP
r1(config-if)#ppp chap hostname r1      --hostname指对方所要建立的用户名
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#username r2 password cisco    --建立对方指定用户帐户
r1(config)#
 
 
R2
 
r2(config)#interface s1/0
r2(config-if)#ip address 12.1.1.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#encapsulation ppp
r2(config-if)#ppp authentication chap
r2(config-if)#ppp chap hostname r2       
r2(config-if)#exit
r2(config)#username r1 password cisco
r2(config)#
 
注意:我用颜色注明的,两边是吻合的,因为CHAP是两边互相建立对方的指定的帐户,如果没有手到指定,默认是用HOSTNAME作为用户名。
 
 
验证:
6d01h: Se1 PPP: Outbound cdp packet dropped, line protocol not up
6d01h: Se1 PPP: Outbound cdp packet dropped, line protocol not up
6d01h: Se1 PPP: Outbound cdp packet dropped, line protocol not up
6d01h: Se1 PPP: I pkt type 0xC021, datagramsize 19
6d01h: Se1 LCP: I CONFREQ [Closed] id 13 len 15
6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)
6d01h: Se1 LCP:    MagicNumber 0xFFCD7512 (0x0506FFCD7512)
6d01h: Se1 PPP: Treating connection as a dedicated line
6d01h: Se1 LCP: O CONFREQ [Closed] id 38 len 15
6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)
6d01h: Se1 LCP:    MagicNumber 0x1F2A4361 (0x05061F2A4361)
6d01h: Se1 LCP: O CONFACK [REQsent] id 13 len 15
6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)
6d01h: Se1 PPP: I pkt type 0xC021, datagramsize 19
6d01h: Se1 LCP:    MagicNumber 0xFFCD7512 (0x0506FFCD7512)
6d01h: Se1 LCP: I CONFACK [ACKsent] id 38 len 15
6d01h: Se1 LCP:    AuthProto CHAP (0x0305C22305)
6d01h: Se1 LCP:    MagicNumber 0x1F2A4361 (0x05061F2A4361)
6d01h: Se1 PPP: I pkt type 0xC223, datagramsize 27
6d01h: Se1 CHAP: Using alternate hostname r1
6d01h: Se1 CHAP: O CHALLENGE id 2 len 23 from "r1"
6d01h: Se1 CHAP: I CHALLENGE id 2 len 23 from "r2"
6d01h: %LINK-3-UPDOWN: Interface Serial1, changed state to up
6d01h: Se1 CHAP: Using alternate hostname r1
6d01h: Se1 PPP: I pkt type 0xC223, datagramsize 27
6d01h: Se1 CHAP: O RESPONSE id 2 len 23 from "r1"
6d01h: Se1 CHAP: I RESPONSE id 2 len 23 from "r2"
6d01h: Se1 CHAP: O SUCCESS id 2 len 4
6d01h: Se1 PPP: I pkt type 0xC223, datagramsize 8
6d01h: Se1 CHAP: I SUCCESS id 2 len 4
6d01h: Se1 PPP: I pkt type 0x8021, datagramsize 14
6d01h: Se1 PPP: I pkt type 0x8207, datagramsize 8
6d01h: Se1 IPCP: O CONFREQ [Closed] id 2 len 10
6d01h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)
6d01h: Se1 CDPCP: O CONFREQ [Closed] id 2 len 4
6d01h: Se1 PPP: I pkt type 0x8021, datagramsize 14
6d01h: Se1 PPP: I pkt type 0x8207, datagramsize 8
6d01h: Se1 IPCP: I CONFREQ [REQsent] id 2 len 10
6d01h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)
6d01h: Se1 IPCP: O CONFACK [REQsent] id 2 len 10
6d01h: Se1 IPCP:    Address 12.1.1.2 (0x03060C010102)
6d01h: Se1 CDPCP: I CONFREQ [REQsent] id 2 len 4
6d01h: Se1 CDPCP: O CONFACK [REQsent] id 2 len 4
6d01h: Se1 IPCP: I CONFACK [ACKsent] id 2 len 10
6d01h: Se1 IPCP:    Address 12.1.1.1 (0x03060C010101)
6d01h: Se1 CDPCP: I CONFACK [ACKsent] id 2 len 4
6d01h: Se1 PPP: I pkt type 0x0207, datagramsize 279
6d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
6d01h: Se1 PPP: I pkt type 0x0207, datagramsize 279
6d01h: Se1 PPP: I pkt type 0x0207, datagramsize 279
 
 
总结:
PPP的两种认证方式对比, 一种是PAP,一种是CHAP。相对来说PAP的认证方式安全性没有CHAP高。PAP在传输password是明文的,而CHAP在传输过程中不传输密码,取代密码的是hash(哈希值)。PAP认证是通过两次握手实现的,而CHAP则是通过3次握手实现的。PAP认证是被叫提出连接请求,主叫响应。而CHAP则是主叫发出请求,被叫回复一个数据包,这个包里面有主叫发送的随机的哈希值,主叫在数据库中确认无误后发送一个连接成功的数据包连接。