I have read about how to use the Callin keyword for one-way PPP authentication:
"When two devices normally use CHAP authentication, each side sends out a challenge to which the other side responds and is authenticated by the challenger. Each sides authenticates one another independently. If you want to operate with non−Cisco routers that do not support authentication by the calling router or device, you must use the ppp authentication chap callin command. When using the ppp authentication command with the callin keyword, the Access Server will only authenticate the remote device if the remote device initiated the call (for example, if the remote device "called in"). In this case, authentication is specified on incoming (received) calls only."
However, when I debug, I still see two-way authentication.
The topology is simple, as follows:
R1 (s1/0) ---- (s1/1) R2
Configuration on s1/0 of R1:
username R2 password cisco
interface Serial1/0
ip address 1.1.1.1 255.0.0.0
encapsulation ppp
serial restart-delay 0
clock rate 56000
ppp authentication chap callin
Configuration on s1/1 of R2:
username R1 password cisco
interface Serial1/1
ip address 1.1.1.2 255.0.0.0
encapsulation ppp
serial restart-delay 0
ppp authentication chap
Debug ppp authentication on R1:
R1#
*Mar 1 00:33:57.895: Se1/0 PPP: Authorization required
*Mar 1 00:33:57.903: Se1/0 CHAP: O CHALLENGE id 6 len 23 from "R1"
*Mar 1 00:33:57.907: Se1/0 CHAP: I CHALLENGE id 5 len 23 from "R2"
*Mar 1 00:33:57.915: Se1/0 CHAP: Using hostname from unknown source
*Mar 1 00:33:57.919: Se1/0 CHAP: Using password from AAA
*Mar 1 00:33:57.919: Se1/0 CHAP: O RESPONSE id 5 len 23 from "R1"
*Mar 1 00:33:58.015: Se1/0 CHAP: I RESPONSE id 6 len 23 from "R2"
*Mar 1 00:33:58.019: Se1/0 CHAP: I SUCCESS id 5 len 4
*Mar 1 00:33:58.023: Se1/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:33:58.027: Se1/0 PPP: Received LOGIN Response PASS
*Mar 1 00:33:58.031: Se1/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:33:58.035: Se1/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:33:58.043: Se1/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:33:58.043: Se1/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:33:58.047: Se1/0 CHAP: O SUCCESS id 6 len 4
*Mar 1 00:33:58.055: Se1/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:33:58.059: Se1/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:33:58.343: Se1/0 PPP: Sent IPCP AUTHOR Request
Debug ppp authentication on R2:
*Mar 1 00:33:54.951: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:33:56.279: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Mar 1 00:33:56.283: Se1/1 PPP: Using default call direction
*Mar 1 00:33:56.283: Se1/1 PPP: Treating connection as a dedicated line
*Mar 1 00:33:56.287: Se1/1 PPP: Session handle[CB000003] Session id[6]
*Mar 1 00:33:56.287: Se1/1 PPP: Authorization required
*Mar 1 00:33:56.391: Se1/1 CHAP: O CHALLENGE id 5 len 23 from "R2"
*Mar 1 00:33:56.691: Se1/1 CHAP: I CHALLENGE id 6 len 23 from "R1"
*Mar 1 00:33:56.695: Se1/1 CHAP: I RESPONSE id 5 len 23 from "R1"
*Mar 1 00:33:56.703: Se1/1 PPP: Sent CHAP LOGIN Request
*Mar 1 00:33:56.707: Se1/1 CHAP: Using hostname from unknown source
*Mar 1 00:33:56.711: Se1/1 CHAP: Using password from AAA
*Mar 1 00:33:56.711: Se1/1 CHAP: O RESPONSE id 6 len 23 from "R2"
*Mar 1 00:33:56.719: Se1/1 PPP: Received LOGIN Response PASS
*Mar 1 00:33:56.723: Se1/1 PPP: Sent LCP AUTHOR Request
*Mar 1 00:33:56.727: Se1/1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:33:56.731: Se1/1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:33:56.735: Se1/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:33:56.739: Se1/1 CHAP: O SUCCESS id 5 len 4
*Mar 1 00:33:56.839: Se1/1 CHAP: I SUCCESS id 6 len 4
*Mar 1 00:33:56.847: Se1/1 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:33:56.851: Se1/1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:33:56.859: Se1/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:33:57.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
According to the debug output above, two-way authentication still takes place, and I do not see what the callin keyword does!? I hope you can advise.
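An added example, not part of the original post: a small Python parser that pairs the CHAP CHALLENGE/RESPONSE/SUCCESS lines of `debug ppp authentication` by id and direction and reports which side authenticated which. It is run on the CHAP lines from the R1 debug above and on a constructed one-way sample; the function names and the `Se0/0`/`HQ`/`BRANCH` sample are assumptions made for illustration.

```python
import re

# Matches CHAP packet lines such as:
#   Se1/0 CHAP: O CHALLENGE id 6 len 23 from "R1"
CHAP_RE = re.compile(r'(\S+) CHAP: ([IO]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (\d+)')

# CHAP lines copied from the R1 debug in the post.
R1_DEBUG = '''
*Mar 1 00:33:57.903: Se1/0 CHAP: O CHALLENGE id 6 len 23 from "R1"
*Mar 1 00:33:57.907: Se1/0 CHAP: I CHALLENGE id 5 len 23 from "R2"
*Mar 1 00:33:57.915: Se1/0 CHAP: Using hostname from unknown source
*Mar 1 00:33:57.919: Se1/0 CHAP: O RESPONSE id 5 len 23 from "R1"
*Mar 1 00:33:58.015: Se1/0 CHAP: I RESPONSE id 6 len 23 from "R2"
*Mar 1 00:33:58.019: Se1/0 CHAP: I SUCCESS id 5 len 4
*Mar 1 00:33:58.047: Se1/0 CHAP: O SUCCESS id 6 len 4
'''

# Constructed sample (not from the post): only the peer issues a challenge.
ONE_WAY_SAMPLE = '''
Se0/0 CHAP: I CHALLENGE id 1 len 23 from "HQ"
Se0/0 CHAP: O RESPONSE id 1 len 23 from "BRANCH"
Se0/0 CHAP: I SUCCESS id 1 len 4
'''

def chap_directions(debug_text):
    """Return {interface: set of completed authentication directions}."""
    seen = {}  # (interface, id, challenge direction) -> packet types observed
    for line in debug_text.splitlines():
        m = CHAP_RE.search(line)
        if not m:
            continue  # skips non-packet lines ("Using hostname ...")
        intf, direction, kind, chap_id = m.groups()
        # A RESPONSE travels opposite to the CHALLENGE/SUCCESS of its exchange.
        if kind == "RESPONSE":
            direction = "I" if direction == "O" else "O"
        seen.setdefault((intf, chap_id, direction), set()).add(kind)
    result = {}
    for (intf, _chap_id, direction), kinds in seen.items():
        # Count an exchange only when all three packets were seen (no FAILURE).
        if {"CHALLENGE", "RESPONSE", "SUCCESS"} <= kinds:
            label = ("local-authenticates-peer" if direction == "O"
                     else "peer-authenticates-local")
            result.setdefault(intf, set()).add(label)
    return result

def is_two_way(debug_text, intf):
    """True when both sides completed a challenge on this interface."""
    return len(chap_directions(debug_text).get(intf, set())) == 2
```
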