Challenge Hand Shake Authentication Protocol on Packet Tracer (CHAP)

The Point-to-Point Protocol (PPP) is a data link protocol commonly used in establishing a direct connection between two networking nodes. It can provide connection authentication, transmission encryption and compression. PPP is used over many types of physical networks including serial cable, phone line,  trunk line, cellular telephone, specialized radio links, and fiber optic links etc. Internet service providers (ISPs) have used PPP for customer dial-up access to the Internet, since IP packets cannot be transmitted over a modem line on their own, without some data link protocol. PPP is commonly used as a data link layer protocol for connection over synchronous and asynchronous circuits, where it has largely superseded the older Serial Line Internet Protocol (SLIP) and telephone company mandated standards (such as Link Access Protocol, Balanced (LAPB).  
PPP was designed somewhat after the original HDLC specifications. The designers of PPP included many additional features that had been seen only in proprietary data-link protocols up to that time.
HDLC
HDLC provides both connection-oriented and connectionless service. HDLC can be used for point to multipoint connections, but is now used almost exclusively to connect one device to another, using what is known as Asynchronous Balanced Mode (ABM).
CHAP
CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. The MS-CHAP variant does not require either peer to know the plaintext, but has been broken. Thus, CHAP provides better security as compared to Password Authentication Protocol (PAP).
CHAP Working
CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
  1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
  2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
  3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
  4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

    Another feature of CHAP is that it doesn't only require the client to authenticate itself at startup time, but sends challenges at regular intervals to make sure the client hasn't been replaced by an intruder, for instance by just switching phone lines.

Let us apply PPP on packet tracer. Consider the following simpler topology.

 1
Let us apply IP addresses on the interfaces and change the state of the interface from down to UP. So that they can communicate.

 2
Similarly, for serial interface.

3
And IP configuration on PC.
4
The IP configuration on other router.

5
Serial Interface setting.

6

Now, we know that PCs that are attached cannot communicate until we apply a routing mechanism. In this case we are applying the RIP V2 protocol. Apply the following set of commands on both routers. We have also set the hostname of the router which will be useful to us later.

7

Now, let us set the commands on the second router as well.


8

Now, both PCs can communicate.

 9
Now, we will set the authentication, In this tutorial we are going to apply CHAP(Challenge Handshake Authentication Protocol).

c1

As we set the authentication on one router the communication is disabled.

 12
Let us set it on other router as well.

c2
Now, the communication is enabled.
 15










Reactions:

5 comments: