More and more small organizations use a WAN to connect their branches. Because dedicated lines (ordinary leased lines and DDNs) have drawbacks in price, flexibility and so on, various switched networks can be used instead, such as telephone dial-up, ISDN, etc.
However, dial-up access brings security problems. The dial-up access servers commonly used on the Internet generally solve this with some form of password authentication; the two usually used are PAP and CHAP.
Security authentication mechanisms
The working principle of PAP authentication is as follows. When machine A wants to connect to machine B over the PPP protocol and B has PAP authentication configured, A dials B and sends its user name and password to B. B looks the name up in its own user database; if the password matches, A and B go on to negotiate an IP address, otherwise B cuts off the line.
The PAP exchange is performed only in the connection establishment stage; no PAP authentication is performed during the data transmission stage.
The principle of CHAP authentication is as follows. When machine A wants to connect to machine B over the PPP protocol and B has CHAP authentication configured, A dials B, and B sends A a piece of random data together with B's own name. A looks up the password that corresponds to that name and hashes the received random data with it using the MD5 algorithm, obtaining a 16-byte result. A then sends this result together with its own name to B. On receiving the reply, B first looks up A's password, hashes the random data it sent earlier with that password using the same MD5 algorithm, and compares the result it calculated itself with the result received from A. If the two are consistent, A and B go on to negotiate, otherwise B cuts off the line.
The CHAP exchange is carried out not only in the connection establishment stage but also repeatedly during the subsequent data transmission stage; if a result is found to be inconsistent there, B likewise cuts off the line.
Because a higher security level comes at the cost of connection speed, many Internet access services use PAP authentication. Generally speaking, after entering the dial-up access server, remote visitors must still pass the host's password check, so security will not be a problem. The access rate of domestic remote access is low, and using PAP can improve efficiency somewhat.
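The two exchanges described above, as an added example that is not from the original article: a small Python model of a PAP Authenticate-Request beside a CHAP challenge/response round, with the CHAP digest computed over Identifier, secret and challenge as RFC 1994 specifies, and with the periodic re-challenge that the text mentions. The user name and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample user database for the authenticator (machine B); not a real credential.
USER_DB = {"branch-a": b"s3cret-pw"}


def pap_request(name: str, password: bytes) -> bytes:
    """What A puts on the wire in a PAP Authenticate-Request: name and password, in the clear."""
    return name.encode() + b"\x00" + password


def pap_verify(packet: bytes) -> bool:
    """B's PAP check: the received password must match the one stored for that name."""
    name, _, password = packet.partition(b"\x00")
    stored = USER_DB.get(name.decode(errors="replace"))
    return stored is not None and hmac.compare_digest(stored, password)


def chap_challenge() -> bytes:
    """B sends a fresh random challenge value; it must differ for every challenge (RFC 1994)."""
    return secrets.token_bytes(16)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """A's reply: MD5 over Identifier || secret || challenge, a 16-byte digest (RFC 1994)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_verify(ident: int, name: str, challenge: bytes, response: bytes) -> bool:
    """B looks up A's secret by the name A sent, recomputes the digest and compares."""
    secret = USER_DB.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def chap_session(name: str, secret: bytes, rechallenges: int = 2) -> bool:
    """Link establishment plus later re-challenges; any mismatch means B drops the line."""
    for ident in range(rechallenges + 1):  # the Identifier changes with every new challenge
        challenge = chap_challenge()
        response = chap_response(ident, secret, challenge)
        if not chap_verify(ident, name, challenge, response):
            return False
    return True
```

Comparing the two wire images shows the difference the article relies on: the PAP request carries the password itself, while the CHAP challenge and digest do not, and a captured CHAP digest fails against the next challenge.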
Internal authentication on the router
When a dedicated router is used, a separate server is generally used as the security authentication server, which makes installation, use and maintenance more troublesome. It is even less worthwhile when only a few users dial in, or when they share one dial-up password in dedicated software. In such cases the router's own internal authentication can be used. Taking a Cisco router as an example, the configuration is as follows:
hostname 2509
! hostname: the name of the router
!
enable password cisco
! enable password: password for the router's privileged (global) mode;
! "enable password" is stored in clear text, "enable secret" stores a hash instead
!
username cisco password 0 cisco
! username: remote user name and password held in the router's local database
!
interface Ethernet0
ip address 202.100.99.5 255.255.255.0
no shutdown
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
async dynamic routing
async mode interactive
! async mode interactive: the line can switch between terminal mode and PPP mode
peer default ip address pool default
ppp authentication pap
! ppp authentication pap: dial-in users are checked with PAP
group-range 1 8
!
ip local pool default 202.100.99.2 202.100.99.254
ip classless
!
line con 0
line 1 8
autoselect ppp
login local
! login local: authenticate against the router's own user database
modem InOut
autocommand ppp
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
password cisco
login
!
end
This configuration can serve as a dial-up access server for internal communication, and it is also a standard intranet configuration. With dial-up software such as the Dial-Up Networking feature of Windows 95, users can connect to the internal WWW server and other servers.
Article entry: csh. Editor in charge: csh.