Cisco Routers - WAN Protocol Configuration
CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are commonly used to provide authentication on PPP-encapsulated serial lines. With CHAP and PAP authentication, each Cisco router is identified by name, which prevents unauthorized access.
Task: Command
Set PPP encapsulation: encapsulation ppp
Set the authentication method: ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
Specify the password: username name password secret
Set the line speed on the DCE end: clockrate speed
Example
The S0 interfaces of Cisco routers Router1 and Router2 both use PPP encapsulation, with CHAP for authentication. On Router1, create a user whose username is the hostname of the peer router, that is, router2. Likewise, on Router2, create a user whose username is the hostname of the peer router, that is, router1. The passwords of these two users must be identical.
Configuration:
Router1:
hostname router1
username router2 password xxx
interface Serial0
ip address 192.200.10.1 255.255.255.0
clockrate 1000000
ppp authentication chap
!
Router2:
hostname router2
username router1 password xxx
interface Serial0
ip address 192.200.10.2 255.255.255.0
ppp authentication chap
!
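The following added example (not part of the original page and not Cisco's code) models the CHAP exchange defined in RFC 1994 to show why each router needs a username entry named after its peer's hostname and why the two passwords must match. The Router class and the authenticate helper are hypothetical names; the user tables mirror the two configurations above.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE = 1, 2  # CHAP packet codes from RFC 1994

def chap_packet(code, ident, value, name):
    """Layout: Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:length].decode()

def chap_hash(ident, secret, challenge):
    # Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:  # hypothetical model of one end of the link
    def __init__(self, hostname, users):
        self.hostname = hostname   # "hostname router1"
        self.users = users         # "username router2 password xxx" -> {"router2": "xxx"}

    def challenge(self, ident):
        self._ident, self._chal = ident, os.urandom(16)
        return chap_packet(CHALLENGE, ident, self._chal, self.hostname)

    def respond(self, pkt):
        _, ident, chal, peer = parse_chap(pkt)
        secret = self.users.get(peer)   # secret is found by the challenger's hostname
        if secret is None:
            return None                 # no "username <peer>" entry, so no answer
        return chap_packet(RESPONSE, ident, chap_hash(ident, secret, chal), self.hostname)

    def verify(self, pkt):
        if pkt is None:
            return False
        code, ident, value, peer = parse_chap(pkt)
        secret = self.users.get(peer)   # secret is found by the responder's hostname
        if code != RESPONSE or ident != self._ident or secret is None:
            return False
        return hmac.compare_digest(value, chap_hash(ident, secret, self._chal))

def authenticate(authenticator, peer, ident=1):
    """One direction of CHAP: challenge, response, verification."""
    return authenticator.verify(peer.respond(authenticator.challenge(ident)))

if __name__ == "__main__":
    r1 = Router("router1", {"router2": "xxx"})
    r2 = Router("router2", {"router1": "xxx"})
    print(authenticate(r1, r2), authenticate(r2, r1))
```

The shared password never crosses the link; only the random challenge and the MD5 digest do, which is the practical difference from PAP, where the password itself is sent.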
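ISDN
1. Integrated Services Digital Network (ISDN)
ISDN consists of two parts, digital telephony and data transport services, and is generally provided by the telephone company. The ISDN Basic Rate Interface (BRI) service provides 2 B channels and 1 D channel (2B+D). Each BRI B channel runs at 64 Kbps and carries user data. The D channel runs at 16 Kbps and mainly carries control signalling. In North America and Japan, the ISDN Primary Rate Interface (PRI) provides 23 B channels and 1 D channel, for a total rate of up to 1.544 Mbps, of which the D channel accounts for 64 Kbps. In Europe, Australia and other countries, the ISDN PRI provides 30 B channels and one 64 Kbps D channel, for a total rate of up to 2.048 Mbps. The ISDN PRI offered by telephone companies in China is 30B+D.
2. Basic commands
Task: Command
Set the ISDN switch type: isdn switch-type switch-type (see note 1)
Configure the interface: interface bri 0
Set PPP encapsulation: encapsulation ppp
Map a protocol address to a telephone number: dialer map protocol next-hop-address [name hostname] [broadcast] [dial-string]
Enable PPP multilink: ppp multilink
Set the load threshold at which the other B channel is brought up: dialer load-threshold load
Display ISDN information: show isdn {active | history | memory | services | status [dsl | interface-type number] | timers}
Note 1: The switch types are listed in the table below; switches in China are generally basic-net3.
Keyword (by region): Switch type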
Australia
basic-ts013 Australian TS013 switches
Europe
basic-1tr6 German 1TR6 ISDN switches
basic-nwnet3 Norway NET3 switches (phase 1)
basic-net3 NET3 ISDN switches (UK, Denmark, and other nations); covers the Euro-ISDN E-DSS1 signalling system
primary-net5 NET5 switches (UK and Europe)
vn2 French VN2 ISDN switches
vn3 French VN3 ISDN switches
Japan
ntt Japanese NTT ISDN switches
primary-ntt Japanese ISDN PRI switches
North America
basic-5ess AT&T basic rate switches
basic-dms100 NT DMS-100 basic rate switches
basic-ni1 National ISDN-1 switches
primary-4ess AT&T 4ESS switch type for the U.S. (ISDN PRI only)
primary-5ess AT&T 5ESS switch type for the U.S. (ISDN PRI only)
primary-dms100 NT DMS-100 switch type for the U.S. (ISDN PRI only)
New Zealand
basic-nznet3 New Zealand Net3 switches
3. Example: DDR (dial-on-demand routing) over ISDN:
Configuration:
Router1:
hostname router1
user router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.2 name router2 572
dialer load-threshold 80
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
user router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.1 name router1 571
dialer load-threshold 80
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Cisco routers also support callback. Here Router1 acts as the callback server and Router2 as the callback client.
Callback-related commands:
Task: Command
Map a protocol address to a telephone number and apply, on the interface, the PPP callback map class defined in global mode: dialer map protocol address name hostname class classname dial-string
Set the interface to accept PPP callback: ppp callback accept
Define a map class for PPP callback in global mode: map-class dialer classname
Decide the callback by looking up the hostname registered in the dialer map: dialer callback-server [username]
Set the interface to request PPP callback: ppp callback request
Configuration:
Router1:
hostname router1
user router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.2 name router2 class s3 572
dialer load-threshold 80
ppp callback accept
ppp multilink
dialer-group 1
ppp authentication chap
!
map-class dialer s3
dialer callback-server username
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
user router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.1 name router1 571
dialer load-threshold 80
ppp callback request
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Related debugging commands:
debug dialer
debug isdn event
debug isdn q921
debug isdn q931
debug ppp authentication
debug ppp error
debug ppp negotiation
debug ppp packet
show dialer
show isdn status
Example:
Run the debug dialer command to observe router2 calling router1 and router1 calling router2 back.
router1#debug dialer
router2#ping 192.200.10.1
router1#
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:03:50: BRI0:1PP callback Callback server starting to router2 572
00:03:50: BRI0:1: disconnecting call
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:03:50: BRI0:1: disconnecting call
00:03:50: BRI0:1: disconnecting call
00:03:51: %LINK-3-UPDOWN: Interface BRI0:2, changed state to up
00:03:52: callback to router2 already started
00:03:52: BRI0:2: disconnecting call
00:03:52: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:03:52: BRI0:2: disconnecting call
00:03:52: BRI0:2: disconnecting call
00:04:05: : Callback timer expired
00:04:05: BRI0:beginning callback to router2 572
00:04:05: BRI0: Attempting to dial 572
00:04:05: Freeing callback to router2 572
00:04:05: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:04:05: BRI0:1: No callback negotiated
00:04:05: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:04:05: dialer Protocol up for Vi1
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
00:04:11: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 572
#router1
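4. Example: accessing the Capital Online 263 network over ISDN:
The local LAN uses 10.0.0.0/24, which is a reserved address range. With NAT address translation, LAN users can reach the Internet through the 263 network over ISDN. The ISDN telephone number for 263 is 2633, the username is 263 and the password is 263. The commands involved are listed in the table below:
Task: Command
Have the interface obtain its IP address through PPP/IPCP address negotiation: ip address negotiated
Designate the inside and outside interfaces: ip nat {inside | outside}
Use PPP/PAP for authentication: ppp authentication pap callin
Assign the interface to dialer group 1: dialer-group 1
Define dialer group 1 to permit all IP traffic: dialer-list 1 protocol ip permit
Set the number to dial, 2633: dialer string 2633
Set the username and password used to log in to 263: ppp pap sent-username 263 password 263
Set the default route: ip route 0.0.0.0 0.0.0.0 bri 0
Translate every source address that matches access list 2 to the address held by bri 0: ip nat inside source list 2 interface bri 0 overload
Define access list 2 to permit all protocols: access-list 2 permit any
The complete configuration: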
hostname Cisco2503
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0
ip address 10.0.0.1 255.255.255.0
ip nat inside
no shutdown
!
interface Serial 0
shutdown
no description
no ip address
!
interface Serial 1
shutdown
no description
no ip address
!
interface bri 0
ip address negotiated
ip nat outside
encapsulation ppp
ppp authentication pap callin
ppp multilink
dialer-group 1
dialer hold-queue 10
dialer string 2633
dialer idle-timeout 120
ppp pap sent-username 263 password 263
no cdp enable
no ip split-horizon
no shutdown
!
ip classless
!
! Static Routes
!
ip route 0.0.0.0 0.0.0.0 bri 0
!
! Access Control List 2
!
access-list 2 permit any
!
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat inside source list 2 interface bri 0 overload
snmp-server community public ro
!
line console 0
exec-timeout 0 0
!
line vty 0 4
!
end
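An added example, not part of the original page: a small audit that walks a configuration like the one above and reports the settings a reviewer would question before deploying it. The rule list and the audit function are hypothetical, and CONFIG is an excerpt constructed from the page's configuration.

```python
import re

# Constructed input: excerpt of the Cisco2503 configuration shown on this page.
CONFIG = """\
hostname Cisco2503
interface bri 0
ip address negotiated
ppp authentication pap callin
ppp pap sent-username 263 password 263
!
access-list 2 permit any
ip nat inside source list 2 interface bri 0 overload
snmp-server community public ro
!
line console 0
exec-timeout 0 0
!
end
"""

# Hypothetical rule set: (regex, finding), limited to settings that appear in the page's config.
RULES = [
    (r"ppp authentication .*\bpap\b", "PAP sends the password over the link in cleartext"),
    (r"ppp pap sent-username \S+ password (?!7 )", "PAP password stored unencrypted in the config"),
    (r"snmp-server community (public|private)\b", "well-known SNMP community string"),
    (r"exec-timeout 0 0$", "idle timeout disabled, the session never logs out"),
    (r"access-list \d+ permit any$", "list matches every source, not only the 10.0.0.0/24 LAN"),
]

def audit(config):
    """Return (section, line, finding) tuples, tracking the interface/line context."""
    findings, section = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):
            section = "global"          # "!" closes the current interface/line block
        elif re.match(r"(interface|line) ", line):
            section = line
        else:
            for pattern, finding in RULES:
                if re.match(pattern, line):
                    findings.append((section, line, finding))
    return findings

if __name__ == "__main__":
    for section, line, finding in audit(CONFIG):
        print(f"[{section}] {line}: {finding}")
```

Where the provider dictates PAP, the first finding cannot be removed on the router side, so the remaining items are the ones to act on.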