
Ref :
[1] www.gns3.net
[2] http://www.javvin.com/protocol/rfc1994.pdf
[3] Lammle, Todd, "CCNA (Cisco Certified Network Associate) Study Guide, 6th edition", Wiley Publishing, Inc., 2007

Simulation of PPP (Point-to-Point Protocol) Authentication Using CHAP
(Challenge Handshake Authentication Protocol)
by : daywalker@cnc-108

This time we simulate PPP authentication using CHAP; the topology used is shown in figure (1) below:
Introduction :

“There are two methods of authentication that can be used with PPP links:
Password Authentication Protocol (PAP) The Password Authentication Protocol (PAP) is the less secure of the two methods. Passwords are sent in clear text, and PAP is only performed
upon the initial link establishment. When the PPP link is first established, the remote node sends the username and password back to the originating router until authentication is
acknowledged.

Challenge Handshake Authentication Protocol (CHAP) The Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link
to make sure the router is still communicating with the same host. After PPP finishes its initial link-establishment phase, the local router sends a challenge request to the remote device.
The remote device sends a value calculated using a one-way hash function called MD5. The local router checks this hash value to make sure it matches. If the values don’t match, the link
is immediately terminated.” [3]

Protocol Description :

“Challenge Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment and may
be repeated any time after the link has been established.
• After the Link Establishment phase is complete, the authenticator sends a “challenge” message to the peer.
• The peer responds with a value calculated using a "one-way hash" function.
• The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection
SHOULD be terminated.
• At random intervals, the authenticator sends a new challenge to the peer and the three steps above are repeated. CHAP provides protection against playback attack by the peer through
the use of an incrementally changing identifier and a variable challenge value. The use of repeated challenges is intended to limit the time of exposure to any single attack. The
authenticator is in control of the frequency and timing of the challenges. This authentication method depends upon a “secret” known only to the authenticator and that peer. The secret is
not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication. Since CHAP
may be used to authenticate many different systems, name fields may be used as an index to locate the proper secret in a large table of secrets. This also makes it possible to support
more than one name/secret pair per system, and to change the secret in use at any time during the session. CHAP requires that the secret be available in plaintext form. Irreversibly
encrypted password databases commonly available cannot be used. It is not as useful for large installations, since every possible secret is maintained at both ends of the link.” [2]
Protocol Structure

Configuration Option format for CHAP:

• Type - 3
• Length - 5
• Authentication-Protocol - C223 (Hex) for CHAP
• Algorithm - The Algorithm field is one octet and indicates the authentication method to be used.

The structure of the CHAP packet is shown in the following illustration.

• Code - Identifies the type of CHAP packet. CHAP codes are assigned as follows:
1. Challenge
2. Response
3. Success
4. Failure
• Identifier - Aids in matching challenges, responses and replies.
• Length - Length of the CHAP packet including the Code, Identifier, Length and Data fields.
• Data - Zero or more octets, the format of which is determined by the Code field. For Success and Failure, the data field contains a variable message field which is implementation dependent.
The simulation steps are:

1. Configure both routers with the commands shown in figure 1. Note that the default encapsulation on a Cisco router is HDLC, so if only one of the routers is configured the result is a mismatched WAN configuration.
If the encapsulation is mismatched, the interface status is up but the line protocol is down.

2. Once both routers are configured with the same encapsulation, the protocol comes back up.
3. Make sure that on both routers, cnc1 and cnc2, the status and the protocol are up, then try a ping from cnc1 to cnc2.
4. For testing, enable debug authentication on both routers.

Make sure debugging is on.
5. The test itself is to shut down one of the serial interfaces (in this simulation serial 0/0 on cnc2 is shut down) and then bring that serial s0/0 back up again with no shutdown; this lets us observe the CHAP process as it runs.

Interface shut down

Interface brought back up (no shutdown)

CHAP process running on cnc2

CHAP process running on cnc1

6. If the password is wrong, authentication fails and connectivity is never established.
7. OK, that is all for now; hopefully it is useful. By the way, below there is also a capture taken with Wireshark.
The CHAP process captured with Wireshark
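As an added illustration of the packet structure above and of the wrong-password case in step 6 (example code written for this page, not from the original post or from Cisco IOS), the following Python builds CHAP packets, computes the MD5 response value the way RFC 1994 [2] specifies, and lets the authenticator verify it; the secrets table, the use of cnc1/cnc2 as CHAP names, and the secret value are assumptions.

```python
import hashlib
import hmac
import struct

# CHAP Code values from the packet structure above (RFC 1994)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# Constructed secrets table held by the authenticator (cnc1); name and secret are assumptions
SECRETS = {b"cnc2": b"example-secret"}

def build_chap_packet(code, identifier, data):
    """Code | Identifier | Length | Data; Length counts all four fields."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

def parse_chap_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):  # a Length field that disagrees with the frame is malformed
        raise ValueError("CHAP Length field does not match packet size")
    return code, identifier, packet[4:]

def build_value_packet(code, identifier, value, name):
    """Challenge/Response data: Value-Size (1 octet) | Value | Name."""
    return build_chap_packet(code, identifier, bytes([len(value)]) + value + name)

def split_value_and_name(data):
    size = data[0]
    return data[1:1 + size], data[1 + size:]

def chap_md5_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over Identifier || secret || challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def peer_respond(secret, challenge_packet, my_name):
    """Peer (cnc2) side: hash the received challenge with its own copy of the secret."""
    _, identifier, data = parse_chap_packet(challenge_packet)
    value, _ = split_value_and_name(data)  # trailing Name is the authenticator's name
    return build_value_packet(RESPONSE, identifier, chap_md5_response(identifier, secret, value), my_name)

def authenticate(secrets, identifier, challenge, response_packet):
    """Authenticator (cnc1) side: returns (ok, reply_code) for the outstanding challenge."""
    code, resp_id, data = parse_chap_packet(response_packet)
    if code != RESPONSE or resp_id != identifier:  # stale Identifier: replayed or out of order
        return False, FAILURE
    value, name = split_value_and_name(data)
    secret = secrets.get(name)  # the Name field indexes the secrets table
    if secret is None:
        return False, FAILURE
    expected = chap_md5_response(identifier, secret, challenge)
    return (True, SUCCESS) if hmac.compare_digest(value, expected) else (False, FAILURE)
```

Because the secret never crosses the link and the Identifier plus challenge value change on every challenge, a response captured in one exchange is rejected if presented again later; a wrong secret on the peer yields the Failure code, matching what the debug output shows in step 6.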
