PPP Authentication: CHAP
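CHAP authentication rules:
1. Authenticator
- The interface may or may not have a user name configured; either works.
- If a user name is configured, it must be the same as the user name configured on the interface of the authenticating end.
2. Authenticated peer
- The interface must have a user name and a password.
- The interface may have no password, but only if the password exists in the AAA database.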
Command to view the interface:
display int pos6/0/0
Command to change the link protocol to PPP:
link-protocol ppp
[R1-aaa]
local-user Cisco password cipher CCIE
local-user Cisco service-type ppp
In AAA view, set the user name and password and the PPP service type.
[R1-Pos6/0/0]
ppp authentication-mode chap
ppp chap user Cisco
ppp chap password cipher CCIE
In interface view, set the CHAP authentication mode and set the CHAP user name to Cisco.
[R2-Pos6/0/0]
ppp authentication-mode chap
ppp chap user Cisco
ppp chap password cipher CCIE
In interface view, set the CHAP user name and password.
undo ppp chap user
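If the user name is deleted, the link cannot be established; if AAA authentication is set up, the link still comes up after the password is deleted.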
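3 Case 3: CHAP Authentication Configuration
3.1 Problem
Configure the device IP addresses as shown in the figure.
Configure R1 as the authenticator and R2 as the authenticated peer.
The authentication method is CHAP, the user name is Cisco, and the password is CCIE.
3.2 Solution
Build the lab environment as shown in Figure 3.
Figure 3
3.3 Steps
To implement this case, follow the steps below.
1) Configure the interface IP addresses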
<Huawei>undo terminal monitor
<Huawei>system-view
[Huawei]sysname R1
[R1]interface Pos 6/0/0
[R1-Pos6/0/0]ip address 100.1.1.1 24
[R1-Pos6/0/0]quit
<Huawei>undo terminal monitor
<Huawei>system-view
[Huawei]sysname R2
[R2]interface Pos 6/0/0
[R2-Pos6/0/0]ip address 100.1.1.2 24
[R2-Pos6/0/0]quit
2) Configure the authenticated peer: R2
[R2]interface Pos 6/0/0
[R2-Pos6/0/0] ppp chap user Cisco
[R2-Pos6/0/0] ppp chap password cipher CCIE
[R2-Pos6/0/0] quit
3) Configure the authenticator: R1
[R1]aaa
[R1-aaa]local-user Cisco password cipher CCIE
[R1-aaa]local-user Cisco service-type ppp
[R1-aaa]quit
[R1]interface Pos 6/0/0
[R1-Pos6/0/0]ppp authentication-mode chap
[R1-Pos6/0/0]ppp chap user Cisco
[R1-Pos6/0/0]quit
4) Test connectivity between R1 and R2
[R1]interface Pos 6/0/0
[R1-Pos6/0/0]shutdown
[R1-Pos6/0/0]undo shutdown
<R1>ping 100.1.1.2
PING 100.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 100.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/26/50 ms
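What the CHAP handshake configured above computes, as an added example that is not part of the original page: the RFC 1994 MD5 challenge-response between R1 (authenticator) and R2 (authenticated peer). The dictionary standing in for R1's AAA local-user table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for R1's AAA local-user table (values from the lab above).
AAA_LOCAL_USERS = {"Cisco": b"CCIE"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_challenge(identifier: int):
    """R1 side: a fresh random challenge per attempt, so an old response cannot be replayed."""
    return identifier, os.urandom(16)


def peer_reply(name: str, secret: bytes, identifier: int, challenge: bytes):
    """R2 side: only the name and the hash are sent; the password never crosses the link."""
    return name, chap_response(identifier, secret, challenge)


def authenticator_verify(name: str, response: bytes, identifier: int, challenge: bytes) -> bool:
    """R1 side: look the name up locally, recompute the hash, compare in constant time."""
    secret = AAA_LOCAL_USERS.get(name)
    if secret is None:  # user name not in the local table: authentication fails
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(response, expected)


def run_exchange(peer_name: str, peer_secret: bytes) -> bool:
    """One full Challenge / Response / Success-or-Failure round."""
    ident, challenge = authenticator_challenge(identifier=1)
    name, response = peer_reply(peer_name, peer_secret, ident, challenge)
    return authenticator_verify(name, response, ident, challenge)


if __name__ == "__main__":
    print("Cisco / CCIE      :", run_exchange("Cisco", b"CCIE"))
    print("Cisco / wrong pass:", run_exchange("Cisco", b"ccie"))
    print("unknown user name :", run_exchange("R2", b"CCIE"))
```

Because the secret is the only unknown input to the hash, a captured challenge and response can be tested offline against guessed passwords, so a short password such as the lab's CCIE should not be used on a production link.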