Transactional Example
The diagrams in this section show the series of events that occur during a CHAP authentication between two routers. These do not represent the actual messages seen in the debug ppp negotiation command output. For more information, refer to Understanding debug ppp negotiation Output.
Call
Figure 2 – The Call Comes In
Figure 2 shows these steps:
The call comes in to 3640-1. The incoming interface is configured with the ppp authentication chap command.
LCP negotiates CHAP and MD5. For more information on how to determine this, refer to Understanding the debug ppp negotiation Output.
A CHAP challenge from 3640-1 to the calling router is required on this call.
Challenge
Figure 3 – A CHAP Challenge Packet is Built
Figure 3 illustrates these steps in the CHAP authentication between the two routers:
A CHAP challenge packet is built with these characteristics:
01 = challenge packet type identifier.
ID = sequential number that identifies the challenge.
random = a reasonably random number generated by the router.
3640-1 = the authentication name of the challenger.
The ID and random values are kept on the called router.
The challenge packet is sent to the calling router. A list of outstanding challenges is maintained.
Response
Figure 4 – Receipt and MD5 Processing of the Challenge Packet from the Peer
Figure 4 illustrates how the challenge packet is received from the peer and processed (MD5). The router processes the incoming CHAP challenge packet in this way:
The ID value is fed into the MD5 hash generator.
The random value is fed into the MD5 hash generator.
The name 3640-1 is used to look up the password. The router looks for an entry that matches the username in the challenge. In this example, it looks for:
username 3640-1 password pc1
The password is fed into the MD5 hash generator.
The result is the one-way MD5-hashed CHAP challenge that is sent back in the CHAP response.
Response (continued)
Figure 5 – The CHAP Response Packet Sent to the Authenticator is Built.
Figure 5 illustrates how the CHAP response packet sent to the authenticator is built. This diagram shows these steps:
The response packet is assembled from these components:
02 = CHAP response packet type identifier.
ID = copied from the challenge packet.
hash = the output from the MD5 hash generator (the hashed information from the challenge packet).
766-1 = the authentication name of this device. This is needed for the peer to look up the username and password entry needed to verify identity (this is explained in more detail in the Verify CHAP section).
The response packet is then sent to the challenger.
Verify CHAP
This section provides tips on how to verify your configuration.
Figure 6 – The Challenger Processes the Response Packet
Figure 6 shows how the challenger processes the response packet. Here are the steps involved when the CHAP response packet is processed (on the authenticator):
The ID is used to find the original challenge packet.
The ID is fed into the MD5 hash generator.
The original challenge random value is fed into the MD5 hash generator.
The name 766-1 is used to look up the password from one of these sources:
Local username and password database.
RADIUS or TACACS+ server.
The password is fed into the MD5 hash generator.
The hash value received in the response packet is then compared with the calculated MD5 hash value. CHAP authentication succeeds if the calculated and the received hash values are equal.
Result
Figure 7 – Success Message is Sent to the Calling Router
Figure 7 illustrates the success message sent to the calling router. It involves these steps:
If authentication is successful, a CHAP success packet is built from these components:
03 = CHAP success message type.
ID = copied from the response packet.
“Welcome in” is simply a text message that provides a user-readable explanation.
If authentication fails, a CHAP failure packet is built from these components:
04 = CHAP failure message type.
ID = copied from the response packet.
“Authentication failure” or other text message, that provides a user-readable explanation.
The success or failure packet is then sent to the calling router.
Note: This example depicts a one-way authentication. In a two-way authentication, this entire process is repeated. However, the calling router initiates the initial challenge.
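The whole exchange above (challenge, MD5 response, verification on the authenticator, success or failure packet), as an added example that is not part of the original Cisco document. It assumes RFC 1994 packet framing and hash input order (Identifier, then secret, then challenge value); the caller's entry "username 3640-1 password pc1" is from the page, while the authenticator's matching entry for 766-1 and the random value used in the test are constructed.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

# Constructed local databases. The calling router (766-1) holds the page's entry for
# 3640-1; the authenticator's entry for 766-1 is assumed (the page does not show it).
CALLER_DB = {"3640-1": b"pc1"}
AUTH_DB = {"766-1": b"pc1"}

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over Identifier || secret || challenge value (the diagrams list
    # the same three inputs: ID, random value, password).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def pack(code: int, ident: int, payload: bytes) -> bytes:
    # CHAP header: Code(1) Identifier(1) Length(2, whole packet), then payload.
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def unpack(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]

def build_challenge(ident: int, my_name: str, outstanding: dict, rnd: bytes = None) -> bytes:
    # Figure 3: code 01, ID, random value, challenger's name; ID and random are kept locally.
    rnd = os.urandom(16) if rnd is None else rnd
    outstanding[ident] = rnd
    return pack(CHALLENGE, ident, bytes([len(rnd)]) + rnd + my_name.encode())

def build_response(challenge_pkt: bytes, my_name: str, users: dict) -> bytes:
    # Figures 4 and 5: look up the challenger's name, hash, answer with code 02 and own name.
    code, ident, body = unpack(challenge_pkt)
    assert code == CHALLENGE
    vsize = body[0]
    rnd, peer_name = body[1:1 + vsize], body[1 + vsize:].decode()
    digest = chap_hash(ident, users[peer_name], rnd)
    return pack(RESPONSE, ident, bytes([len(digest)]) + digest + my_name.encode())

def verify_response(response_pkt: bytes, outstanding: dict, users: dict) -> bytes:
    # Figure 6: find the original challenge by ID, recompute, compare in constant time.
    code, ident, body = unpack(response_pkt)
    vsize = body[0]
    received, peer_name = body[1:1 + vsize], body[1 + vsize:].decode()
    rnd = outstanding.pop(ident, None)  # each challenge is answered once; replays fail
    secret = users.get(peer_name)
    if code == RESPONSE and rnd is not None and secret is not None \
            and hmac.compare_digest(received, chap_hash(ident, secret, rnd)):
        return pack(SUCCESS, ident, b"Welcome in")
    return pack(FAILURE, ident, b"Authentication failure")
```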
Reposted from: http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml
// Slightly modified