Daftar Pertemuan
PPP Quick Links
PAP vs CHAP
PAP:
Plain text authentication
CHAP:
Challenge-response
Security:
CHAP lebih secure
Pertemuan 9: WAN with PPP Authentication
Progress Pembelajaran
9/16
Tujuan Pembelajaran
Mahasiswa mampu mengimplementasikan koneksi WAN yang aman dengan PPP encapsulation dan autentikasi PAP/CHAP, serta memahami perbedaan keamanan antara kedua metode autentikasi.
Konsep PPP dan WAN Technologies
1. Point-to-Point Protocol (PPP)
PPP adalah data link layer protocol yang digunakan untuk koneksi point-to-point langsung antara dua node. PPP menyediakan konektivitas yang andal untuk koneksi WAN.
Komponen PPP
- HDLC-like Framing: Encapsulation data
- LCP (Link Control Protocol): Establish, configure, test link
- NCP (Network Control Protocol): Konfigurasi network layer protocols
- Authentication Protocols: PAP, CHAP, EAP
Keuntungan PPP
- Multi-protocol support (IP, IPX, etc.)
- Error detection dan quality monitoring
- Multiple authentication options
- Link quality monitoring
- Loopback detection
2. PPP Authentication Protocols
| Protocol | Mekanisme | Keamanan | Penggunaan | Rekomendasi |
|---|---|---|---|---|
| PAP (Password Authentication Protocol) |
Two-way handshake, password dikirim plain text | Rendah | Environment dengan security minimal | Tidak direkomendasikan |
| CHAP (Challenge Handshake Auth Protocol) |
Three-way handshake, challenge-response dengan hash | Tinggi | Environment yang membutuhkan security | Direkomendasikan |
| EAP (Extensible Authentication Protocol) |
Framework extensible untuk multiple methods | Sangat Tinggi | Enterprise environment | Untuk enterprise |
3. CHAP Authentication Process
1
Challenge
Authenticator mengirim challenge message
→
2
Response
Peer merespons dengan hash value
→
3
Success/Failure
Authenticator verifikasi dan mengirim hasil
Keamanan CHAP:
- Password tidak pernah dikirim melalui network
- Menggunakan one-way hash function (MD5)
- Challenge yang berbeda setiap authentication attempt
- Periodic re-authentication
4. WAN Connection Types
Leased Lines
Koneksi dedicated point-to-point
- Always-on connection
- Bandwidth guaranteed
- High cost
Circuit Switching
Koneksi established ketika diperlukan
- Dial-up, ISDN
- Pay-per-use
- Lower cost
Packet Switching
Shared network infrastructure
- Frame Relay, X.25
- Shared bandwidth
- Cost effective
Job Sheet Praktikum
Informasi Job Sheet
Durasi: 170 menit
Topik: WAN with PPP Authentication
Bobot: 5%
Tujuan: Implementasi PPP PAP/CHAP
Tools: Cisco Packet Tracer
Penilaian: Unjuk Kerja
Diagram Topologi
Headquarters
R1-HQ
LAN: 192.168.10.0/24
WAN: 192.168.170.1/30
WAN: 192.168.170.1/30
Switch1
PC1 (192.168.10.10)
Serial PPP
192.168.170.0/30
Branch Office
R2-BRANCH
LAN: 192.168.20.0/24
WAN: 192.168.170.2/30
WAN: 192.168.170.2/30
Switch2
PC2 (192.168.20.10)
Keterangan Topologi:
- 2 Router Cisco 2911 terhubung via serial interface
- Koneksi WAN menggunakan PPP encapsulation
- Autentikasi menggunakan PAP dan CHAP
- Router1 sebagai headquarters, Router2 sebagai branch office
- Masing-masing router memiliki LAN segment terpisah
IP Addressing Plan
| Device | Interface | IP Address | Subnet Mask | Description |
|---|---|---|---|---|
| R1-HQ | Gig0/0 | 192.168.10.1 | 255.255.255.0 | LAN Headquarters |
| R1-HQ | Serial0/0/0 | 192.168.170.1 | 255.255.255.252 | WAN Link (DCE) |
| R2-BRANCH | Gig0/0 | 192.168.20.1 | 255.255.255.0 | LAN Branch |
| R2-BRANCH | Serial0/0/0 | 192.168.170.2 | 255.255.255.252 | WAN Link (DTE) |
| PC1 | NIC | 192.168.10.10 | 255.255.255.0 | Host Headquarters |
| PC2 | NIC | 192.168.20.10 | 255.255.255.0 | Host Branch |
Langkah Kerja Detail
Langkah 1: Persiapan Topologi dan Basic Configuration
Buat topologi dan konfigurasi IP dasar pada kedua router:
R1-HQ (Headquarters):
enable
configure terminal
hostname R1-HQ
! Konfigurasi LAN interface
interface gigabitethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
! Konfigurasi WAN interface (DCE)
interface serial 0/0/0
ip address 192.168.170.1 255.255.255.252
clock rate 64000
no shutdown
exit
configure terminal
hostname R1-HQ
! Konfigurasi LAN interface
interface gigabitethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
! Konfigurasi WAN interface (DCE)
interface serial 0/0/0
ip address 192.168.170.1 255.255.255.252
clock rate 64000
no shutdown
exit
R2-BRANCH (Branch Office):
enable
configure terminal
hostname R2-BRANCH
! Konfigurasi LAN interface
interface gigabitethernet 0/0
ip address 192.168.20.1 255.255.255.0
no shutdown
exit
! Konfigurasi WAN interface (DTE)
interface serial 0/0/0
ip address 192.168.170.2 255.255.255.252
no shutdown
exit
configure terminal
hostname R2-BRANCH
! Konfigurasi LAN interface
interface gigabitethernet 0/0
ip address 192.168.20.1 255.255.255.0
no shutdown
exit
! Konfigurasi WAN interface (DTE)
interface serial 0/0/0
ip address 192.168.170.2 255.255.255.252
no shutdown
exit
Langkah 2: Konfigurasi PPP tanpa Authentication (Baseline)
Konfigurasi PPP encapsulation tanpa authentication untuk testing baseline:
Pada kedua router:
interface serial 0/0/0
encapsulation ppp
exit
encapsulation ppp
exit
Verifikasi konektivitas tanpa authentication:
show interfaces serial 0/0/0
ping 192.168.170.2 ! Dari R1-HQ ke R2-BRANCH
! Expected output:
! Serial0/0/0 is up, line protocol is up
! Encapsulation PPP
ping 192.168.170.2 ! Dari R1-HQ ke R2-BRANCH
! Expected output:
! Serial0/0/0 is up, line protocol is up
! Encapsulation PPP
Langkah 3: Konfigurasi PPP dengan PAP Authentication
Implementasi PAP authentication pada koneksi PPP:
Setup username dan password pada kedua router:
! Pada R1-HQ (authenticate R2-BRANCH)
username R2-BRANCH password pap123
! Pada R2-BRANCH (authenticate R1-HQ)
username R1-HQ password pap123
username R2-BRANCH password pap123
! Pada R2-BRANCH (authenticate R1-HQ)
username R1-HQ password pap123
Konfigurasi PAP authentication:
! Pada R1-HQ:
interface serial 0/0/0
ppp authentication pap
ppp pap sent-username R1-HQ password pap123
exit
! Pada R2-BRANCH:
interface serial 0/0/0
ppp authentication pap
ppp pap sent-username R2-BRANCH password pap123
exit
interface serial 0/0/0
ppp authentication pap
ppp pap sent-username R1-HQ password pap123
exit
! Pada R2-BRANCH:
interface serial 0/0/0
ppp authentication pap
ppp pap sent-username R2-BRANCH password pap123
exit
Verifikasi PAP authentication:
show interfaces serial 0/0/0
debug ppp authentication
! Amati proses authentication
undebug all
debug ppp authentication
! Amati proses authentication
undebug all
Kelemahan PAP:
Password dikirim dalam plain text melalui network. Tidak recommended untuk production environment.
Langkah 4: Konfigurasi PPP dengan CHAP Authentication
Implementasi CHAP authentication yang lebih secure:
Hapus konfigurasi PAP dan setup CHAP:
! Hapus PAP configuration pada kedua router:
interface serial 0/0/0
no ppp authentication pap
no ppp pap sent-username
exit
interface serial 0/0/0
no ppp authentication pap
no ppp pap sent-username
exit
Konfigurasi CHAP authentication:
! Pada R1-HQ:
username R2-BRANCH password chap123
interface serial 0/0/0
ppp authentication chap
exit
! Pada R2-BRANCH:
username R1-HQ password chap123
interface serial 0/0/0
ppp authentication chap
exit
username R2-BRANCH password chap123
interface serial 0/0/0
ppp authentication chap
exit
! Pada R2-BRANCH:
username R1-HQ password chap123
interface serial 0/0/0
ppp authentication chap
exit
Verifikasi CHAP authentication:
show interfaces serial 0/0/0
debug ppp authentication
! Amati proses CHAP challenge-response
undebug all
! Expected debug output:
! CHAP challenge received from R2-BRANCH
! CHAP response sent to R2-BRANCH
! CHAP success received from R2-BRANCH
debug ppp authentication
! Amati proses CHAP challenge-response
undebug all
! Expected debug output:
! CHAP challenge received from R2-BRANCH
! CHAP response sent to R2-BRANCH
! CHAP success received from R2-BRANCH
Keuntungan CHAP:
Password tidak pernah dikirim melalui network. Menggunakan challenge-response mechanism dengan hash.
Langkah 5: Advanced CHAP Configuration
Konfigurasi CHAP dengan different passwords dan hashed passwords:
CHAP dengan different passwords:
! Pada R1-HQ:
username R2-BRANCH password chap123
interface serial 0/0/0
ppp chap hostname R1-HQ
ppp chap password chap123
exit
! Pada R2-BRANCH:
username R1-HQ password chap456 ! Password berbeda
interface serial 0/0/0
ppp chap hostname R2-BRANCH
ppp chap password chap456
exit
username R2-BRANCH password chap123
interface serial 0/0/0
ppp chap hostname R1-HQ
ppp chap password chap123
exit
! Pada R2-BRANCH:
username R1-HQ password chap456 ! Password berbeda
interface serial 0/0/0
ppp chap hostname R2-BRANCH
ppp chap password chap456
exit
CHAP dengan hashed passwords (recommended):
! Gunakan 'secret' instead of 'password'
username R2-BRANCH secret chap123
username R1-HQ secret chap123
! Verifikasi password terhash
show running-config | include username
username R2-BRANCH secret chap123
username R1-HQ secret chap123
! Verifikasi password terhash
show running-config | include username
Langkah 6: Testing End-to-End Connectivity dengan Routing
Konfigurasi static routing untuk konektivitas LAN-to-LAN:
Konfigurasi static routes:
! Pada R1-HQ:
ip route 192.168.20.0 255.255.255.0 192.168.170.2
! Pada R2-BRANCH:
ip route 192.168.10.0 255.255.255.0 192.168.170.1
ip route 192.168.20.0 255.255.255.0 192.168.170.2
! Pada R2-BRANCH:
ip route 192.168.10.0 255.255.255.0 192.168.170.1
Test konektivitas end-to-end:
! Dari R1-HQ ping ke LAN R2-BRANCH
ping 192.168.20.1
! Dari PC di LAN R1-HQ ping ke PC di LAN R2-BRANCH
ping 192.168.20.10
! Test traceroute
traceroute 192.168.20.10
ping 192.168.20.1
! Dari PC di LAN R1-HQ ping ke PC di LAN R2-BRANCH
ping 192.168.20.10
! Test traceroute
traceroute 192.168.20.10
Troubleshooting PPP Issues
Common PPP Problems
Authentication Failed:
debug ppp authentication
show interfaces serial 0/0/0
! Periksa username/password mismatch
show interfaces serial 0/0/0
! Periksa username/password mismatch
Link tidak UP:
show controllers serial 0/0/0
! Periksa clock rate dan physical connection
show interfaces serial 0/0/0
! Periksa encapsulation type
! Periksa clock rate dan physical connection
show interfaces serial 0/0/0
! Periksa encapsulation type
Diagnosis Commands
Verification Commands:
show interfaces serial 0/0/0
show controllers serial 0/0/0
show ppp all
debug ppp negotiation
debug ppp authentication
show running-config interface serial 0/0/0
show controllers serial 0/0/0
show ppp all
debug ppp negotiation
debug ppp authentication
show running-config interface serial 0/0/0
Troubleshooting Tips:
- Pastikan username dan password sama di kedua sisi
- Verifikasi encapsulation PPP di kedua interface
- Check clock rate pada sisi DCE
- Gunakan
debug ppp authenticationuntuk detail process - Pastikan tidak ada ACL yang memblokir PPP traffic
Security Best Practices
PPP Security Recommendations
- Selalu gunakan CHAP instead of PAP
- Gunakan strong passwords (minimal 8 karakter)
- Implementasi password encryption
- Gunakan
ppp authentication chap callinuntuk additional security - Monitor PPP sessions regularly
Additional Security Measures
! Enable logging
logging buffered
! Configure exec-timeout
line console 0
exec-timeout 5 0
exit
line vty 0 4
exec-timeout 5 0
exit
logging buffered
! Configure exec-timeout
line console 0
exec-timeout 5 0
exit
line vty 0 4
exec-timeout 5 0
exit
Checklist Verifikasi
| Task | Verification Command | Expected Result | Status |
|---|---|---|---|
| PPP Encapsulation | show interfaces serial 0/0/0 |
Encapsulation PPP, line protocol up | Check |
| PAP Authentication | debug ppp authentication |
PAP authentication success | Check |
| CHAP Authentication | debug ppp authentication |
CHAP challenge-response success | Check |
| WAN Connectivity | ping 192.168.170.2 |
Success rate 100% | Check |
| End-to-End Connectivity | ping 192.168.20.10 |
Success from PC1 to PC2 | Check |