CHAP Authentication Explained Simply
I. Definition of the CHAP protocol:
Challenge-Handshake Authentication Protocol
The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established.
1. After the Link Establishment phase is complete, the authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a "one-way hash" function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.
The above is excerpted from RFC 1994 (PPP Challenge Handshake Authentication Protocol, CHAP).
II. Implementation of CHAP on firewalls (routers):
PPP (Point-to-Point Protocol) is a link-layer protocol for carrying network-layer packets over point-to-point links. Because it provides user authentication, is easy to extend, and supports both synchronous and asynchronous communication, it is widely used. PPP defines a whole family of protocols, including the Link Control Protocol (LCP), the Network Control Protocols (NCP) and the authentication protocols (PAP and CHAP). Below we focus on how CHAP is implemented on a firewall:
Figure: CHAP authentication process
CHAP (Challenge Handshake Authentication Protocol) is a three-way handshake authentication in which the password (secret) is never sent in the clear. The CHAP authentication process is as follows:
1. The authenticator sends some randomly generated data (the Challenge) to the peer, together with its own host name;
2. The peer uses the authenticator's host name carried in this packet to look up the password in its local user table. If it finds a user whose name matches the authenticator's host name, it uses the packet ID, that user's secret (password) and the MD5 algorithm to hash the random data, and returns the resulting digest together with its own host name to the authenticator (Response);
3. The authenticator hashes the original random data with MD5 and the peer's password that it holds itself, compares the two digests, and returns a different reply depending on the result (Acknowledge or Not Acknowledge).
Note: all device vendors should follow the CHAP implementation described above; otherwise compatibility problems will arise when devices authenticate each other. The following real test cases analyse and illustrate this:
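The three-step exchange above, as an added Python example (not from the article and not the vendor's implementation): it packs and unpacks CHAP packets in the RFC 1994 layout, computes the MD5 response, and simulates one handshake with each side's AAA local-user table modelled as a dict (an assumed structure). With the names and password from the method 1 configuration below, the packet lengths it produces (27 for Challenge and Response, 22 for Success, 29 for Failure) match the len values in the debug output later in the article.

```python
import hashlib
import hmac
import os
import struct

# RFC 1994 Code values; the debug output shows them as Challenge(01) ... FAILURE(04)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge Value (RFC 1994, section 2)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def pack_value_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name

def pack_message_packet(code: int, ident: int, message: bytes) -> bytes:
    """Success/Failure layout: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message

def unpack(pkt: bytes):
    """Return (code, ident, value_or_message, name) for any CHAP packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    if code in (CHALLENGE, RESPONSE):
        vsize = body[0]
        return code, ident, body[1:1 + vsize], body[1 + vsize:]
    return code, ident, body, b""

def handshake(auth_name, auth_users, peer_name, peer_users, ident=1, challenge=None):
    """One CHAP exchange. auth_users / peer_users model each side's AAA local-user table
    (name -> password); an empty-name key models a fixed 'ppp chap password' on the peer."""
    challenge = challenge or os.urandom(16)
    # 1. authenticator -> peer: 16 random bytes plus the authenticator's own host name
    chal = pack_value_packet(CHALLENGE, ident, challenge, auth_name)
    _, cid, cval, cname = unpack(chal)
    # 2. peer answers with the password it stores under the *authenticator's* name
    resp = pack_value_packet(RESPONSE, cid, chap_hash(cid, peer_users[cname], cval), peer_name)
    _, rid, rval, rname = unpack(resp)
    # 3. authenticator recomputes with the password it stores under the *peer's* name
    secret = auth_users.get(rname)
    if secret is not None and hmac.compare_digest(rval, chap_hash(rid, secret, challenge)):
        fin = pack_message_packet(SUCCESS, rid, b"Welcome to " + auth_name + b".")
        return True, (chal, resp, fin)
    fin = pack_message_packet(FAILURE, rid, b"Illegal User or password.")
    return False, (chal, resp, fin)
```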
III. Test case analysis: E1 interconnection between a Huawei Symantec USG2130 and an H3C AR28 router
Figure: test network topology
Scenario 1: one-way CHAP authentication (the USG2130 acts as the authenticator)
Configuration method 1 (recommended):
Main USG2130 configuration (as the authenticator):
#
interface Serial2/0/0:1
link-protocol ppp
ppp authentication-mode chap //set the local PPP to authenticate the peer with CHAP
ppp chap user huasan //local user name used in CHAP authentication
ip address 10.1.1.2 255.255.255.0
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin level 3
local-user admin ftp-directory flash:/
local-user huawei password simple huawei123 //add a local user in AAA view
authentication-scheme default
#
Main AR28 router configuration:
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user huasan //add a local user in AAA view
password simple huawei123
#
interface Serial1/1
fe1 frame-format crc4
link-protocol ppp
ppp chap user huawei //local user name used in CHAP authentication
fe1 timeslot-list 11-20
ip address 10.1.1.1 255.255.255.0
#
The CHAP authentication process of method 1 is explained below by analysing the debug output on the USG2130 firewall. Debug output with a correct configuration:
%Apr 4 16:59:45 2000 USG2130 PHY/2/PHY: E1 2/0/0: Controller change status to up
%Apr 4 16:59:45 2000 USG2130 PHY/2/PHY: Serial2/0/0:1: change status to up
%Apr 4 16:59:45 2000 USG2130 PHY/2/PHY: Serial2/0/0:1: change status to down
%Apr 4 16:59:46 2000 USG2130 PHY/2/PHY: Serial2/0/0:1: change status to up
%Apr 4 16:59:47 2000 USG2130 IFNET/5/UPDOWN:Line protocol on the interface Serial2/0/0:1 turns into UP state
%Apr 4 16:59:47 2000 USG2130 IFNET/5/UPDOWN:PPP IPCP protocol on the interface Serial2/0/0:1 turns into UP state
*0.232525933 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Initial Event
state Initial
*0.232526066 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Server Lower Up Event
state Initial
*0.232526216 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 31
State Initial, code Challenge(01), id 1, len 27
Value_Size: 16 Value: fc 9b 56 e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87
Name: huasan //the authenticator USG2130 sends the first Challenge packet, user name: huasan
*0.232526550 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : Initial --> SendChallenge
*0.232526683 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Input CHAP(c223) Pkt, Len 31
State SendChallenge, code Response(02), id 1, len 27
Value_Size: 16 Value: 61 f6 b 6b 56 df 4e a8 d8 39 2b 51 f 86 e0 ef
Name: huawei //the authenticator USG2130 receives the reply packet from the AR28 router, user name: huawei
*0.232527016 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Receive Response Event
state SendChallenge
*0.232527183 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : SendChallenge --> WaitAAA //authenticating...
*0.232527316 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP AAA Result Event
state WaitAAA
*0.232527450 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : WaitAAA --> ServerSuccess
*0.232527583 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 26
State ServerSuccess, code SUCCESS(03), id 1, len 22
Message: Welcome to huasan. //authentication passed; the authenticator USG2130 sends the success packet.
Debug analysis with a wrong configuration (the passwords configured in AAA view on the two sides differ):
*0.240411150 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Initial Event
state Initial
*0.240411283 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Server Lower Up Event
state Initial
*0.240411433 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 31
State Initial, code Challenge(01), id 1, len 27
Value_Size: 16 Value: 9b 56 e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87 94
Name: huasan //the authenticator USG2130 sends the first Challenge packet, user name: huasan
*0.240411766 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : Initial --> SendChallenge
*0.240411900 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Input CHAP(c223) Pkt, Len 31
State SendChallenge, code Response(02), id 1, len 27
Value_Size: 16 Value: 7f 77 53 90 ae f0 be 74 fb df 21 4b ea 61 9d c9
Name: huawei //the authenticator USG2130 receives the reply packet from the AR28 router, user name: huawei
*0.240412233 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Receive Response Event
state SendChallenge
*0.240412400 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : SendChallenge --> WaitAAA //authenticating...
*0.240412533 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP AAA Result Event
state WaitAAA
*0.240412666 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : WaitAAA --> ServerFailed
*0.240412800 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 33
State ServerFailed, code FAILURE(04), id 1, len 29
Message: Illegal User or password. //authentication failed; the authenticator USG2130 sends the failure packet.
Summary:
The CHAP authentication flow of this configuration method matches the router's implementation flow exactly, so this method should not cause problems in interconnection tests with other vendors' devices. As the CHAP implementation flow shows, the passwords configured in AAA view on the two sides must be identical, otherwise authentication cannot succeed.
Configuration method 2:
Main USG2130 configuration (as the authenticator):
#
interface Serial2/0/0:1
link-protocol ppp
ppp authentication-mode chap //set the local PPP to authenticate the peer with CHAP
ip address 10.1.1.2 255.255.255.0
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin level 3
local-user admin ftp-directory flash:/
local-user huawei password simple huawei123 //add a local user in AAA view
authentication-scheme default
#
Main AR28 router configuration:
interface Serial1/1
fe1 frame-format crc4
link-protocol ppp
ppp chap user huawei //local user name used in CHAP authentication
ppp chap password simple huawei123 //local password used in CHAP authentication
fe1 timeslot-list 11-20
ip address 10.1.1.1 255.255.255.0
#
The CHAP authentication process of method 2 is explained below by analysing the debug output on the USG2130 firewall. Debug output analysis:
%Apr 4 16:33:08 2000 USG2130 IFNET/5/UPDOWN:PPP IPCP protocol on the interface Serial2/0/0:1 turns into UP state
*0.230938933 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Initial Event
state Initial
*0.230939066 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Server Lower Up Event
state Initial
*0.230939216 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 25
State Initial, code Challenge(01), id 1, len 21
Value_Size: 16 Value: e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87 94 3 f0
Name: //the authenticator USG2130 sends the first Challenge packet; because ppp chap user is not configured on the USG2130 interface, the user name here is empty.
*0.230939533 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : Initial --> SendChallenge
*0.230939666 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Input CHAP(c223) Pkt, Len 31
State SendChallenge, code Response(02), id 1, len 27
Value_Size: 16 Value: 24 cc 29 e4 78 7f fb 4a 87 4a de f6 11 b1 86 6a
Name: huawei //the authenticator USG2130 receives the reply packet from the AR28 router, user name: huawei
*0.230940000 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Receive Response Event
state SendChallenge
*0.230940166 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : SendChallenge --> WaitAAA //authenticating...
*0.230940300 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP AAA Result Event
state WaitAAA
*0.230940433 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : WaitAAA --> ServerSuccess
*0.230940566 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 20
State ServerSuccess, code SUCCESS(03), id 1, len 16
Message: Welcome to . //authentication passed; the authenticator USG2130 sends the success packet.
Summary:
The debug analysis shows that with method 2, because no user is configured on the authenticator's (USG2130) interface, the first Challenge packet sent by the USG2130 carries an empty user name, which differs somewhat from the implementation flow specified by CHAP. Configuration method 2 may therefore cause problems when interconnecting with other vendors' devices.
Scenario 2: two-way CHAP authentication
Configuration method 3 (built on method 1):
Main USG2130 configuration:
#
interface Serial2/0/0:1
link-protocol ppp
ppp authentication-mode chap //set the local PPP to authenticate the peer with CHAP
ppp chap user huasan //local user name used in CHAP authentication
ip address 10.1.1.2 255.255.255.0
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin level 3
local-user admin ftp-directory flash:/
local-user huawei password simple huawei123 //add a local user in AAA view
authentication-scheme default
#
Main AR28 router configuration:
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user huasan //add a local user in AAA view
password simple huawei123
#
interface Serial1/1
fe1 frame-format crc4
link-protocol ppp
ppp authentication-mode chap //set the local PPP to authenticate the peer with CHAP
ppp chap user huawei //local user name used in CHAP authentication
fe1 timeslot-list 11-20
ip address 10.1.1.1 255.255.255.0
#
Debug analysis of two-way CHAP authentication:
*0.234659150 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Initial Event
state Initial
*0.234659283 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Server Lower Up Event
state Initial
*0.234659433 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 31
State Initial, code Challenge(01), id 1, len 27
Value_Size: 16 Value: fc 9b 56 e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87
Name: huasan //the USG2130 sends the first Challenge packet, user name: huasan
*0.234659766 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : Initial --> SendChallenge
*0.234659900 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Client Lower Up Event
state Initial
*0.234660050 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : Initial --> ListenChallenge
*0.234660183 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Input CHAP(c223) Pkt, Len 31
State ListenChallenge, code Challenge(01), id 1, len 27
Value_Size: 16 Value: 5c 2b 5a ef 7e d5 66 f c3 40 57 91 9b 74 61 bc
Name: huawei //the USG2130 receives the Challenge packet from the AR28 (the AR28 also authenticates the USG2130), user name: huawei
*0.234660516 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Receive Challenge Event
state ListenChallenge
*0.234660683 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 31
State ListenChallenge, code Response(02), id 1, len 27
Value_Size: 16 Value: 6e 1e e7 2d 5b fd da 45 68 59 cb 29 a6 a4 c7 c8
Name: huasan //the USG2130's Response packet, user name: huasan
*0.234661016 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : ListenChallenge --> SendResponse
*0.234661166 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Input CHAP(c223) Pkt, Len 31
State SendChallenge, code Response(02), id 1, len 27
Value_Size: 16 Value: 61 f6 b 6b 56 df 4e a8 d8 39 2b 51 f 86 e0 ef
Name: huawei //the Response packet the USG2130 receives to its own Challenge, user name: huawei
*0.234661500 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Receive Response Event
state SendChallenge
*0.234661666 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : SendChallenge --> WaitAAA
*0.234661800 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP AAA Result Event
state WaitAAA
*0.234661933 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : WaitAAA --> ServerSuccess
*0.234662066 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Output CHAP(c223) Pkt, Len 26
State ServerSuccess, code SUCCESS(03), id 1, len 22
Message: Welcome to huasan. //the USG2130 sends the authentication success message to the AR28
*0.234662316 USG2130 PPP/8/debug2:
PPP Packet:
Serial2/0/0:1 Input CHAP(c223) Pkt, Len 26
State SendResponse, code SUCCESS(03), id 1, len 22
Message: Welcome to huawei. //the USG2130 receives the authentication success message from the AR28
*0.234662566 USG2130 PPP/8/debug2:
PPP Event:
Serial2/0/0:1 CHAP Receive Success Event
state SendResponse
*0.234662716 USG2130 PPP/8/debug2:
PPP State Change:
Serial2/0/0:1 CHAP : SendResponse --> ClientSuccess
%Apr 4 17:35:41 2000 USG2130 IFNET/5/UPDOWN:PPP IPCP protocol on the interface
Conclusions:
1. CHAP is an authentication protocol that identifies the peer through a three-way handshake. The passwords of the two devices are never transmitted over the line in clear text.
2. For one-way CHAP authentication, method 1 is the recommended configuration. The user names of the two sides differ, but the passwords must be identical; this is determined by how CHAP authentication is implemented.
3. For one-way CHAP authentication with method 2, both the user name and the password must be the same on both sides. In addition, method 2 may cause incompatibility problems when interconnecting with other vendors' devices.
4. For two-way CHAP authentication, method 3 is the recommended configuration; its configuration approach builds on that of method 1.