Home » CISCO HOW-TO » How-to:Configure PPP authentication Part2 (CHAP)

How-to:Configure PPP authentication Part2 (CHAP)

The second and the most secure authentication method in PPP is CHAP. CHAP stands for challenge Handshake Authentication Protocol.

How CHAP works?

If CHAP is negotiated successfully during the LCP phase, the authenticator sends a challenge message to the peer. The peer responds to the challenge with a value calculated through an MD5 function. The authenticator then verifies the received value against its own calculated value. If they match the authentication is successful.

In our example R1 is the authenticator and R2 is the authenticated peer. R1 will send a challenge to R2; R2 will calculate a response to the challenge from the challenge parameters and the username, password pair configured on R2 for R1.

When R1 receives the response it verifies it against its own calculated value, if matches authentication is successful. For a detailed description of this process check out understanding and configuring PPP CHAP authentication.

R1 and R2 configuration:

R1(config)#username R2 password CISCO
R1(config)#int s1/1
R1(config-if)#ppp authentication chap

R2(config)#username R1 password CISCO

This time I have removed time stamps from the debug command to make it cleaner

R1#debug ppp negotiation

Se1/1 PPP: Phase is ESTABLISHING, Active Open
Se1/1 LCP: O CONFREQ [Closed] id 14 len 15
Se1/1 LCP:    AuthProto CHAP (0x0305C22305)
Se1/1 LCP:    MagicNumber 0x0A98E027 (0x05060A98E027)
Se1/1 LCP: I CONFREQ [REQsent] id 5 len 10
Se1/1 LCP:    MagicNumber 0x07513B3D (0x050607513B3D)
Se1/1 LCP: O CONFACK [REQsent] id 5 len 10
Se1/1 LCP:    MagicNumber 0x07513B3D (0x050607513B3D)
Se1/1 LCP: I CONFACK [ACKsent] id 14 len 15
Se1/1 LCP:    AuthProto CHAP (0x0305C22305)
Se1/1 LCP:    MagicNumber 0x0A98E027 (0x05060A98E027)
Se1/1 LCP: State is Open
Se1/1 PPP: Phase is AUTHENTICATING, by this end
Se1/1 CHAP: O CHALLENGE id 3 len 23 from "R1"
Se1/1 CHAP: I RESPONSE id 3 len 23 from "R2"
Se1/1 PPP: Phase is FORWARDING, Attempting Forward
Se1/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
Se1/1 PPP: Phase is FORWARDING, Attempting Forward
Se1/1 PPP: Phase is AUTHENTICATING, Authenticated User
Se1/1 CHAP: O SUCCESS id 3 len 4
Se1/1 PPP: Phase is UP

Configuration Notes:

  • Each router must have a username/password command with the username configured as the hostname (Case sensitive) of its peer.
  • You can change the username (hostname by default) sent by the CHAP process using the command ppp chap hostname and the password using the command ppp chap password under the interface configuration mode.
  • R2 can be configured to refuse the CHAP authentication request using the command ppp chap refuse.

Leave a Reply

Your email address will not be published. Required fields are marked *