Monday, 22 May 2017

UNDERSTANDING PPP CHAP AUTHENTICATION:

Where security is important, PPP provides two optional authentication protocols: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).

PPP has two main methods of authentication we need to know how to configure: PAP and CHAP.
PPP CHAP provides secure authentication for peer-to-peer networking sessions over many types of media. PPP is used over serial, asynchronous, ISDN, and DSL as well as other media types. Today, PPP is even becoming the encapsulation for some LAN-based networks. Again, this is mainly because of the peer-to-peer authentication that PPP provides.

INTRODUCTION:

PPP negotiation involves several steps such as Link Control Protocol (LCP) negotiation, Authentication, and Network Control Protocol (NCP) negotiation.

If the two sides cannot agree on the correct parameters, then the connection is terminated. Once the link is established, the two sides authenticate each other using the authentication protocol decided on during LCP negotiation. Authentication must be successful prior to starting NCP negotiation.

PPP SUPPORTS TWO AUTHENTICATION PROTOCOLS: 

1.     Password Authentication Protocol (PAP)
2.     Challenge Handshake Authentication Protocol (CHAP).

PAP AUTHENTICATION:

PAP AUTHENTICATION INVOLVES A TWO-WAY HANDSHAKE where the username and password are sent across the link in clear text; hence, PAP authentication does not provide any protection against playback and line sniffing.

PAP is not a secure authentication protocol. Passwords are sent across the link in clear text and there is no protection from playback or trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

PPP (Point-to-Point Protocol) is a Layer 2 WAN protocol. For data transmission between any two nodes or routers, a data path must be established, and flow control procedures must be in place to ensure delivery of data. Point-to-Point Protocol is a data link protocol and its basic purpose is to transport layer-3 packets across a Data Link layer point-to-point network.

It is the most widely used and most popular WAN protocol because it offers control of data link set-up, dynamic assignment of IP addresses, network protocol multiplexing, link testing, link configuration, error detection and negotiation options for network-layer address and data compression.

PPP COMPONENTS:

PPP addresses the problems of Internet connectivity by employing three main components:
  • PPP (the encapsulation itself)
  • Link Control Protocol (LCP)
  • Network Control Protocol (NCP): PPP uses NCP for establishing and configuring different network-layer protocols. PPP is designed to allow the simultaneous use of multiple network-layer protocols (e.g., IP, IPX, AppleTalk, etc.).

CHAP AUTHENTICATION:

PPP uses two authentication protocols, PAP and CHAP. CHAP is the preferred protocol because CHAP uses a 3-way handshake, whereas PAP uses a 2-way handshake.

CHAP AUTHENTICATION, ON THE OTHER HAND, PERIODICALLY VERIFIES THE IDENTITY OF THE REMOTE NODE USING A THREE-WAY HANDSHAKE. After the PPP link is established, the host sends a "challenge" message to the remote node.

The remote node responds with a value calculated using a one-way hash function. The host checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.

Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider.

CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.

Note: Microsoft has implemented a variant of the Challenge-handshake authentication protocol, called MS-CHAP, which does not require either peer to know the plaintext.

CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake.

This happens at the time of establishing the initial link, and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
  1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
  2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
  3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
  4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

ADVANTAGES OF PAP OVER CHAP:

PAP has very few advantages over CHAP. PAP passwords are carried over the line in clear-text, which in today's world is a very bad idea. PAP configuration also requires additional configuration with the "ppp pap sent-username" command, so anyone who can see your running configuration can also see the PAP password.

The only advantage PAP has over CHAP is a slim one. With PAP, a different password can be used by each of the routers involved in the authentication. CHAP requires that the password be the same. We'll see why as we examine CHAP authentication.

PPP CHAP AUTHENTICATION


HOW TO CONFIGURE PPP ON CISCO ROUTER:

1. Get to the interface configuration mode and issue the following command, 

Router(config-if)#encapsulation ppp 

2. If you want to configure authentication (which is almost always the case), go through the following steps:

Router(config-if)#ppp authentication XXX

Where XXX is the authentication type which can be: pap, chap, pap chap, or chap pap. The last two choices are to use the other authentication type when the first one fails.

CHAP is strongly recommended over PAP for two reasons. First, PAP sends the username and password in plaintext, while CHAP sends hashed challenges only. 

Second is that CHAP does an operation similar to periodic re-authentication in the middle of the communication session such that it provides more security than PAP.
Router(config)#username USER password PASS

Where USER is the host name of the remote router, and PASS is its password. Issue this command once for each PPP connection.

For example: If you are connecting RouterA to RouterB and RouterC, on RouterA issue this command once for each remote router.
For PAP, one command is used:

Router(config-if)#ppp pap sent-username USER password PASS

For CHAP, two commands are used:

Router(config-if)#ppp chap hostname USER 
Router(config-if)#ppp chap password PASS

The usernames and passwords are case sensitive, so be careful when writing them. In other words, you have to configure the hostname and secret password of the remote router on your local router, and the hostname and secret password of your local router on the remote router, using the 'username' command.

If you do not set the username and password that will be sent from the local router to the remote router for authentication, the router will use its hostname and secret password instead. 

3. You can monitor the quality of the serial link that is using PPP with the following command, 

Router(config-if)#ppp quality PERCENT 

Where PERCENT is the minimum accepted link quality. If the link quality drops below PERCENT, the link will be shut down and considered bad.

4. If the available bandwidth is small, you might consider compressing the data being transmitted using the following command, 

Router(config-if)#ppp compress YYY 

Where YYY is the compression type which can be predictor or stacker.
Note: The compression might affect the system performance because it increases the CPU load. 

Check the CPU load with 'show process cpu' and disable the compression if the CPU load is over 65%.

5. To troubleshoot PPP, you can use the following commands, 

Router#debug ppp negotiation
Router#debug ppp packet
Router#debug ppp errors 
Router#debug ppp authentication 

COMMAND REFERENCE FOR PPP PAP AND CHAP:

1. Enabling PPP :
Router(config)#interface TYPE NUMBER
Router(config-if)#encapsulation ppp

2. Configuring PAP :
Router(config)#username name password password
Name = hostname of the remote router
Password = password of the remote router
This command specifies what we expect from the remote router.

Router(config-if)#ppp authentication pap [ callin ]

The callin option means that the router on which the ppp authentication pap callin command is configured will only authenticate the other side during an incoming call. For an outgoing call, it will not authenticate the other side.

Router(config-if)#ppp pap sent-username username password password
This command specifies what the router sends to the remote router.

3. Configuring CHAP :
Router(config-if)#ppp chap hostname name (optional)
Configure the hostname that is sent. Without this command, the router uses its own hostname.

Router(config)#username name password password
Indicates which password to use for a given username.

Router(config-if)#ppp authentication chap [ callin ]

4. Configuring PPP load balancing :
Router(config-if)#ppp multilink

5. Configuring compression :
Router(config-if)#compress [predictor|stac|mppc]

6. Configuring TCP Header Compression :
Router(config-if)#ip tcp header-compression

7. Configuring error detection :
Router(config-if)#ppp quality percentage
Percentage = under this percentage of quality, the link will be taken down.

8. Troubleshooting PPP :
Router#debug ppp authentication
displays the authentication exchange sequence.

Router#debug ppp negotiation
displays ppp packets transmitted during ppp startup, where ppp options are
negotiated.

Router#debug ppp error
displays protocol errors and error statistics associated with ppp connection,
negotiation and operation.

Router#debug ppp packet
displays ppp packets being sent and received

Router#debug ppp chap
displays CHAP packet exchanges.

SIMPLE EXAMPLE FOR CONFIGURING PPP AUTHENTICATION (PAP, THEN CHAP):

We have two routers, R1 and R2, connected by their Serial 0/0 interfaces. R1 acts as the PPP PAP server and R2 as the PPP PAP client.

Router R1 requires authentication, and router R2 responds with the correct authentication information.

On Router R1 PPP Server Configuration:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#username ROUTER2 password cisco1
R1(config)#int s0/0

R1(config-if)#encapsulation ppp
*Mar  1 00:04:47.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down

R1(config-if)#ppp authentication pap
R1(config-if)#end

On Router R2 Configuration of the PAP client:

R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#int s0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp pap sent-username ROUTER2 password cisco1
R2(config-if)#end

R2#
*Mar  1 00:08:40.539: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar  1 00:08:41.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2#

Look at the server and client commands above carefully. Also notice that when the commands are entered on the client, the link is established (the line protocol changes state to up).

Now we are going to configure CHAP. This time router R2 acts as the CHAP server and router R1 as the CHAP client.

CHAP server commands on router R2:
R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#username R1 password cisco1
R2(config)#int s0/0

R2(config-if)#ppp authentication chap

R2(config-if)#
*Mar  1 00:14:06.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R2(config-if)#end
R2#

CHAP client configuration on router R1:
R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#username R2 password cisco1

R1(config)#
*Mar  1 00:16:43.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R1(config)#

Troubleshooting PPP:

To debug a PPP PAP issue use the debug ppp negotiation and debug ppp authentication commands.

R1 & R2#debug ppp authentication
R1 & R2#debug ppp negotiation
R1 & R2#debug ppp error
R1 & R2#debug ppp packet
R1 & R2#debug ppp chap

To stop all debugging, use the undebug all command (Router#undebug all).

NOTE: CHAP requires you to configure a username / password combination for any remote device that will be involved in authentication. (We're assuming that the routers have already been configured with their names via the global hostname command.) Both routers will use the password CISCO.

R1:
username R2 password CISCO
int bri0
encapsulation ppp
ppp authentication chap

R2:
username R1 password CISCO
int bri0
encapsulation ppp
ppp authentication chap
  
WHY CHAP AUTHENTICATION REQUIRES THE SAME PASSWORD ON BOTH ROUTERS:

Remember how PAP sends the password over the line in clear-text? CHAP does not actually send the password over the line at all. Instead, CHAP runs a hash algorithm using the password and a random number. It is the result of this hash that is passed over the link. 

The remote router receives the hash result, and runs the exact same algorithm. If the result is the same, the authentication attempt will be successful. If the result is different, the authentication will fail. For this reason, the passwords must be the same.
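The three-way handshake described earlier and the "same password on both ends" rule above, as an added example that is not part of the original post: a small Python model of CHAP with MD5 per RFC 1994 (Response = MD5(Identifier || Secret || Challenge)). The Authenticator table stands in for the router's 'username NAME password PASS' entries; the R1/cisco1 values are constructed to mirror the page's example, and the class and function names are my own.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    Only this digest crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """The challenging side: its table plays the role of the router's
    'username NAME password PASS' entries (remote hostname -> shared secret)."""
    def __init__(self, peers: dict):
        self.peers = peers
        self.ident = 0
    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) % 256   # incrementally changing Identifier
        return self.ident, os.urandom(16)     # variable, unpredictable Challenge value
    def verify(self, ident: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.peers.get(name)
        if secret is None:
            return False                      # unknown peer name: reject (link is torn down)
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)

class Peer:
    """The authenticated side: replies with its hostname and the digest."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret
    def respond(self, ident: int, challenge: bytes) -> tuple:
        return self.name, chap_response(ident, self.secret, challenge)

def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """One direction of CHAP: Challenge -> Response -> Success/Failure."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, chal, name, resp)

# Constructed sample mirroring the page's CHAP example, where R2 holds 'username R1 password cisco1'.
R2_AUTH = Authenticator({"R1": b"cisco1"})

def demo() -> dict:
    good = run_handshake(R2_AUTH, Peer("R1", b"cisco1"))   # identical secret: success
    typo = run_handshake(R2_AUTH, Peer("R1", b"Cisco1"))   # case differs: failure
    ident, chal = R2_AUTH.challenge()                      # capture one valid response...
    _, captured = Peer("R1", b"cisco1").respond(ident, chal)
    ident2, chal2 = R2_AUTH.challenge()                    # ...and replay it against a new challenge
    replay = R2_AUTH.verify(ident2, chal2, "R1", captured)
    return {"good": good, "typo": typo, "replay": replay}  # {'good': True, 'typo': False, 'replay': False}
```

The "typo" case is exactly what a case-mismatched 'username' entry produces on a real router, and the replay case shows why the changing Identifier and Challenge matter.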

DEBUG THE CONNECTION IF AUTHENTICATION FAILS:

Since two passwords are involved, the chances of one of the passwords being mistyped doubles. If you configure CHAP and the link dials but drops almost immediately, there's an authentication problem. Run debug ppp negotiation and attempt to dial the line again. The output of this particular debug will show you where the problem is.
 
  
TO CONFIGURE CHAP AUTHENTICATION, COMPLETE THESE STEPS:

  1.     On the interface, issue the encapsulation ppp command.
  2.     Enable the use of CHAP authentication on both routers with the ppp authentication chap command.
  3.     Configure the usernames and passwords. To do so, issue the username username password password command, where username is the hostname of the peer. Ensure that:
  • Passwords are identical at both ends.
  • The router name and password are exactly the same, because they are case-sensitive. 

Note: By default, the router uses its hostname to identify itself to the peer. However, this CHAP username can be changed through the ppp chap hostname command.
  
ONE-WAY AND TWO-WAY AUTHENTICATION: 

CHAP is defined as a one-way authentication method. However, you use CHAP in both directions to create a two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side.

In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication.

One-way authentication is often required when you connect to non-Cisco devices.
For one-way authentication, configure the ppp authentication chap callin command on the calling router.
