Wednesday 13 November 2019

How to configure PPP encapsulation and Authentication On Cisco Router

This article explains how to configure PPP encapsulation on a point-to-point serial link and describes the configuration commands for the PPP authentication protocols.

PPP point-to-point Configuration

In the previous section, the configurable LCP options were presented to meet the specific requirements of WAN connections. PPP may include the following LCP options:

  • Authentication: peer routers exchange authentication messages. The two authentication options are the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).
  • Compression: increases the effective throughput of PPP connections by reducing the amount of data that must be carried in the frame across the link. The protocol decompresses the frame when it reaches its destination. Two compression protocols available on Cisco routers are Stacker and Predictor.
  • Error detection: identifies fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link. The Magic Number field helps detect links that are in a looped-back condition.
  • PPP callback: used to improve security. With this LCP option, a Cisco router can act as a callback client or callback server. The command is ppp callback [accept | request].
  • Multilink: provides load balancing across the router interfaces that PPP uses. Multilink PPP, also known as MP, MPPP, MLP or multilink, provides a method for spreading traffic across several physical WAN links while providing packet fragmentation and reassembly, proper sequencing, interoperability among several vendors, and load balancing of inbound and outbound traffic.

When the options are set, the corresponding field value is inserted in the LCP option field.

Basic Point to point PPP Configuration Command

To configure PPP as the encapsulation method on a serial interface, use the encapsulation ppp interface configuration command.
The following example enables PPP encapsulation on serial interface 0/0/0:
R3# configure terminal
R3(config)# interface serial 0/0/0
R3(config-if)# encapsulation ppp
The encapsulation ppp interface command has no arguments. Remember that if PPP is not configured on a Cisco router, the default encapsulation for serial interfaces is HDLC.

The image shows routers R1 and R2 configured with an IPv4 address and an IPv6 address on their serial interfaces. PPP is a Layer 2 encapsulation that supports several Layer 3 protocols, including IPv4 and IPv6.
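Because the image is not reproduced here, the following is an added example (not the article's own configuration) of the dual-stack point-to-point setup it describes: both ends of one serial link running PPP with an IPv4 and an IPv6 address. The interface numbers and addresses are constructed for illustration.

```cisco
! Added example, not from the original article: R1 and R2 joined by a
! point-to-point serial link running PPP with both IPv4 and IPv6.
! Interface numbers and addresses are constructed placeholders.
!
! --- R1 ---
R1# configure terminal
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# ipv6 address 2001:db8:1:1::1/64
R1(config-if)# no shutdown
R1(config-if)# end
!
! --- R2 --- (mirror image; only the addresses differ)
R2# configure terminal
R2(config)# interface serial 0/0/0
R2(config-if)# encapsulation ppp
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# ipv6 address 2001:db8:1:1::2/64
R2(config-if)# no shutdown
R2(config-if)# end
!
! Verify on either side with "show interfaces serial 0/0/0": the output
! should report PPP encapsulation with LCP Open, and, because both address
! families are configured, the IPCP and IPV6CP NCPs Open as well.
```

Both ends must use the same encapsulation; if one side is left at the HDLC default, the line protocol stays down even though the physical interface is up.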

PPP Compression Commands

Point-to-point software compression on serial interfaces can be configured after PPP encapsulation is enabled. Because this option invokes a software compression process, it can affect system performance.
If the traffic already consists of compressed files, such as .zip, .tar or .mpeg, do not use this option.
Image 2 shows the syntax of the compress command.
To configure compression over PPP, enter the following commands:
R3(config)# interface serial 0/0/0
R3(config-if)# encapsulation ppp
R3(config-if)# compress [predictor | stac]

PPP LINK QUALITY CONTROL COMMAND

Remember that LCP provides an optional link quality determination phase. In this phase, LCP tests the link to determine whether its quality is sufficient to carry Layer 3 protocols.
The ppp quality percentage command ensures that the link meets the configured quality requirement; otherwise, the link is brought down.
Percentages are calculated for both the incoming and outgoing directions.

  • The outgoing quality is calculated by comparing the total number of packets and bytes sent with the total number of packets and bytes received by the destination node.
  • The incoming quality is calculated by comparing the total number of packets and bytes received with the total number of packets and bytes sent by the destination node.

If the link quality percentage is not maintained, the link is considered to be of poor quality and is taken down. Link Quality Monitoring (LQM) implements a time lag so that the link does not bounce up and down.
The following configuration example monitors the data dropped on the link and avoids frame looping, as shown in Image 3:
R3(config)# interface serial 0/0/0
R3(config-if)# encapsulation ppp
R3(config-if)# ppp quality 80
Use the no ppp quality command to disable LQM.

PPP MULTILINK COMMANDS

Multilink PPP (also known as MP, MPPP, MLP or multilink) provides a method for spreading traffic across several physical WAN links.
In addition, multilink PPP provides packet fragmentation and reassembly, proper sequencing, interoperability among multiple vendors, and load balancing of inbound and outbound traffic.
  • MPPP allows packets to be fragmented and the fragments sent simultaneously to the same remote address over several point-to-point links. All physical links are brought up in response to a user-defined load threshold.
  • MPPP can measure the load on inbound traffic only or on outbound traffic only, but not the combined load of inbound and outbound traffic.

The MPPP configuration requires two steps, as shown in the image.

Step 1. Create a multilink group.

  • The interface multilink number command creates the multilink interface.
  • In interface configuration mode, an IP address is assigned to the multilink interface. In this example, IPv4 and IPv6 addresses are configured on routers R3 and R4.
  • The interface is enabled for multilink PPP (ppp multilink).
  • A multilink group number is assigned to the interface (ppp multilink group number).

Step 2. Assign the interfaces to the multilink group.

Each interface that is part of the multilink group has the following characteristics:

  • It is enabled for PPP encapsulation.
  • It is enabled for multilink PPP.
  • It is bound to the multilink group using the multilink group number configured in step 1.
  • To disable multilink PPP, use the no ppp multilink command.
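The two steps above, carried out on both routers, as an added example that is not the article's own configuration. It bundles two serial links between R3 and R4 into Multilink 1; the interface numbers and addresses are constructed for illustration.

```cisco
! Added example, not from the original article: multilink PPP between R3 and
! R4 bundling serial 0/0/0 and serial 0/0/1 into the Multilink 1 interface.
! Addresses and interface numbers are constructed placeholders.
!
! --- R3 ---
! Step 1: create the multilink group interface and address it.
R3(config)# interface multilink 1
R3(config-if)# ip address 10.0.34.1 255.255.255.252
R3(config-if)# ipv6 address 2001:db8:34::1/64
R3(config-if)# ppp multilink
R3(config-if)# ppp multilink group 1
R3(config-if)# exit
! Step 2: assign the physical serial interfaces to the group.
! Member links carry no Layer 3 address of their own; the bundle does.
R3(config)# interface serial 0/0/0
R3(config-if)# no ip address
R3(config-if)# encapsulation ppp
R3(config-if)# ppp multilink
R3(config-if)# ppp multilink group 1
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# interface serial 0/0/1
R3(config-if)# no ip address
R3(config-if)# encapsulation ppp
R3(config-if)# ppp multilink
R3(config-if)# ppp multilink group 1
R3(config-if)# no shutdown
R3(config-if)# end
!
! --- R4 --- (mirror image; only the addresses differ)
R4(config)# interface multilink 1
R4(config-if)# ip address 10.0.34.2 255.255.255.252
R4(config-if)# ipv6 address 2001:db8:34::2/64
R4(config-if)# ppp multilink
R4(config-if)# ppp multilink group 1
R4(config-if)# exit
R4(config)# interface serial 0/0/0
R4(config-if)# no ip address
R4(config-if)# encapsulation ppp
R4(config-if)# ppp multilink
R4(config-if)# ppp multilink group 1
R4(config-if)# no shutdown
R4(config-if)# exit
R4(config)# interface serial 0/0/1
R4(config-if)# no ip address
R4(config-if)# encapsulation ppp
R4(config-if)# ppp multilink
R4(config-if)# ppp multilink group 1
R4(config-if)# no shutdown
R4(config-if)# end
!
! Verify with "show ppp multilink": it lists the Multilink1 interface, the
! local and remote hostnames, and the member serial interfaces.
```

The group number (1 here) must be the same on the multilink interface and on every member link, and the same on both routers' bundles, otherwise the member links negotiate PPP but never join the bundle.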

Verification OF PPP Configurations

Use the show interfaces serial command to verify the PPP or HDLC encapsulation configuration. The command output in the image shows a PPP configuration.

When HDLC is configured, the output of the show interfaces serial command should show HDLC encapsulation. When PPP is configured, the LCP and NCP states are also displayed. Note that the IPCP and IPV6CP NCPs are open for IPv4 and IPv6, because R1 and R2 were configured with IPv4 and IPv6 addresses.
The following table summarizes the commands used to verify PPP.
PPP Verification Commands Table:
  • show interfaces: shows statistics for all interfaces configured on the router.
  • show interfaces serial: displays information about a serial interface.
  • show ppp multilink: displays information about a multilink PPP interface.
The show ppp multilink command verifies that multilink PPP is enabled on R3, as shown in the image.

The output indicates the Multilink 1 interface, the hostnames of the local and remote endpoints, and the serial interfaces assigned to the multilink group.

PPP Authentication On Cisco Router

PPP defines an extensible LCP that allows the negotiation of an authentication protocol to authenticate peers before allowing network layer protocols to transmit over the link. RFC 1334 defines two protocols for authentication, PAP and CHAP, which are shown in Image 7.

  • PAP is a very basic two-way process. There is no encryption: the username and password are sent in plain text. If accepted, the connection is allowed.
  • CHAP is more secure than PAP. It involves a three-way exchange based on a shared secret.

The authentication phase of a PPP session is optional. If used, the peer is authenticated after LCP establishes the link and chooses the authentication protocol; authentication then takes place before the network layer protocol configuration phase begins.
The authentication options require that the calling side of the link provide authentication information. This helps ensure that the user has the network administrator's permission to make the call. Peer routers exchange authentication messages.

PASSWORD AUTHENTICATION PROTOCOL (PAP)

One of the features of PPP is that it performs Layer 2 authentication in addition to the authentication, encryption, access control and general security procedures applied at other layers.

PAP START

PAP provides a simple method for a remote node to establish its identity through a two-way handshake. PAP is not interactive.
When the ppp authentication pap command is used, the username and password are sent as one LCP data packet, rather than the server sending a login prompt and waiting for a response.
Once PPP completes the link establishment phase, the remote node repeatedly sends the username and password pair across the link until the receiving node acknowledges it or terminates the connection.
PAP COMPLETION
On the receiving node, the username and password are checked by an authentication server that allows or denies the connection. An accept or reject message is returned to the requester.
PAP is not a secure authentication protocol. With PAP, passwords are sent across the link in plain text, and there is no protection against replay attacks or repeated trial-and-error attacks. The remote node controls the frequency and timing of login attempts.
However, there are times when the use of PAP is justified. For example, despite its limitations, PAP can be used in the following environments:

  • A large installed base of client applications that do not support CHAP
  • Incompatibilities between the different CHAP implementations of the providers
  • Situations in which an unencrypted text password must be available to simulate a login on the remote host

PPP ENCAPSULATION AND AUTHENTICATION PROCESS

The flowchart in Image 13 can be used to help understand the PPP authentication process when configuring this protocol. The flowchart provides a visual example of the logical decisions PPP makes.

  • For example, if an incoming PPP request does not require authentication, PPP advances to the next phase. If an incoming PPP request requires authentication, it can be authenticated against the local database or a firewall.
  • As shown in the flowchart, if authentication succeeds, PPP advances to the next phase; if authentication fails, the link is disconnected and the incoming PPP request is dropped.

PPP Authentication Configurations

To specify the order in which the CHAP or PAP protocols are requested on the interface, use the ppp authentication interface configuration command. Use the no form of this command to disable authentication.
ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
Parameters:
  • chap: enables CHAP on a serial interface.
  • pap: enables PAP on a serial interface.
  • chap pap: enables both CHAP and PAP, and performs CHAP authentication before PAP authentication.
  • pap chap: enables both CHAP and PAP, and performs PAP authentication before CHAP authentication.
  • if-needed (optional): used with TACACS and XTACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.
  • list-name (optional): used with AAA/TACACS+. Specifies the name of a list of TACACS+ authentication methods to use. If no list name is specified, the system uses the default list. Lists are created with the aaa authentication ppp command.
  • default (optional): used with AAA/TACACS+. The default list is created with the aaa authentication ppp command.
  • callin: specifies authentication only on incoming (received) calls.

After enabling CHAP or PAP authentication, or both, the local router requires the remote device to prove its identity before allowing data traffic to flow. This is done as follows:

  • PAP authentication requires the remote device to send a name and password, which are compared with a matching entry in the local username database or in the remote TACACS/TACACS+ database.
  • CHAP authentication sends a challenge to the remote device. The remote device must encrypt the challenge value with the shared secret and return the encrypted value and its name to the local router in a response message. The local router uses the remote device's name to look up the corresponding secret in the local username database or the remote TACACS/TACACS+ database, uses that secret to encrypt the original challenge, and verifies that the two encrypted values match.

Both PAP and CHAP can be enabled. If both methods are enabled, the first method specified is requested during link negotiation. If the peer suggests using the second method or simply rejects the first, the second method is tried.

PPP CONFIGURATION WITH AUTHENTICATION

The procedure described in the table explains how to configure PPP encapsulation and the PAP and CHAP authentication protocols. Correct configuration of the hostname, username and password parameters is essential, because CHAP and PAP use them to authenticate.

PAP AUTHENTICATION CONFIGURATION

Image 14 shows an example of two-way PAP authentication configuration. Both routers authenticate each other, so the PAP authentication commands mirror each other.

The username and password that PAP sends from each router must match those specified with the username name password password command on the other router.
PAP provides a simple method for a remote node to establish its identity through a two-way handshake. This is done only at initial link establishment. The hostname on one router must match the username configured for PPP on the other router, and the passwords must also match. To specify the username and password parameters, use the following interface command: ppp pap sent-username name password password.
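The mirrored two-way PAP configuration described above, as an added example that is not the article's own configuration. Each router stores the credential it expects from its peer with username and sends its own with ppp pap sent-username; the passwords and interface numbers are constructed placeholders.

```cisco
! Added example, not from the original article: two-way PAP between R1 and R2.
! Passwords and interface numbers are constructed placeholders.
!
! --- R1 ---
! Credential R1 expects to receive from R2:
R1(config)# username R2 password R2-pap-pass
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication pap
! Credential R1 sends to R2:
R1(config-if)# ppp pap sent-username R1 password R1-pap-pass
R1(config-if)# end
!
! --- R2 --- (mirror image)
! Credential R2 expects to receive from R1:
R2(config)# username R1 password R1-pap-pass
R2(config)# interface serial 0/0/0
R2(config-if)# encapsulation ppp
R2(config-if)# ppp authentication pap
! Credential R2 sends to R1:
R2(config-if)# ppp pap sent-username R2 password R2-pap-pass
R2(config-if)# end
!
! Matching rule: what R1 sends (R1 / R1-pap-pass) must equal the
! "username R1 password R1-pap-pass" entry on R2, and vice versa.
```

Because PAP carries these passwords in plain text on the wire, and the username entries are stored in the running configuration, they are exposed both to anyone who can capture the link and to anyone who can read the configuration; service password-encryption only obscures the stored copy. Where the peer supports it, CHAP avoids sending the secret at all.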

CHAP AUTHENTICATION SETTINGS

CHAP periodically verifies the identity of the remote node through a three-way handshake. The hostname on one router must match the username configured on the other router.
The passwords must also match. This verification occurs at initial link establishment and can be repeated at any time after the link has been established.

Finally, the following image shows an example of a CHAP configuration.
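Since the image is not reproduced here, the CHAP configuration it describes is given below as an added example that is not the article's own configuration. Each router's username entry carries the peer's hostname and the shared secret; the secret and interface numbers are constructed placeholders.

```cisco
! Added example, not from the original article: CHAP between R1 and R2.
! The shared secret and interface numbers are constructed placeholders.
! The "username" on each router must be the peer's hostname, and both
! secrets must be identical, because each side hashes the challenge with
! the secret it looks up by the name the peer sends in its response.
!
! --- R1 ---
R1(config)# hostname R1
R1(config)# username R2 password chap-shared-secret
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication chap
R1(config-if)# end
!
! --- R2 ---
R2(config)# hostname R2
R2(config)# username R1 password chap-shared-secret
R2(config)# interface serial 0/0/0
R2(config-if)# encapsulation ppp
R2(config-if)# ppp authentication chap
R2(config-if)# end
!
! Optional fallback: request CHAP first and accept PAP only if the peer
! refuses CHAP (the order of the keywords sets the order tried):
!   R1(config-if)# ppp authentication chap pap
```

The router must be able to read the shared secret in clear text to compute the CHAP response, so the peer entry uses username ... password rather than username ... secret (the latter stores only a one-way hash and cannot be used for CHAP). Renaming either router breaks authentication unless the peer's username entry is updated to match.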
