The second and the most secure authentication method in PPP is CHAP. CHAP stands for challenge Handshake Authentication Protocol.
How CHAP works?
If CHAP is negotiated successfully during the LCP phase, the authenticator sends a challenge message to the peer. The peer responds to the challenge with a value calculated through an MD5 function. The authenticator then verifies the received value against its own calculated value. If they match the authentication is successful.
In our example R1 is the authenticator and R2 is the authenticated peer. R1 will send a challenge to R2; R2 will calculate a response to the challenge from the challenge parameters and the username, password pair configured on R2 for R1.
When R1 receives the response it verifies it against its own calculated value, if matches authentication is successful. For a detailed description of this process check out understanding and configuring PPP CHAP authentication.
R1 and R2 configuration:
R1(config)#username R2 password CISCO R1(config)#int s1/1 R1(config-if)#ppp authentication chap R2(config)#username R1 password CISCO
This time I have removed time stamps from the debug command to make it cleaner
R1#debug ppp negotiation Se1/1 PPP: Phase is ESTABLISHING, Active Open Se1/1 LCP: O CONFREQ [Closed] id 14 len 15 Se1/1 LCP: AuthProto CHAP (0x0305C22305) Se1/1 LCP: MagicNumber 0x0A98E027 (0x05060A98E027) Se1/1 LCP: I CONFREQ [REQsent] id 5 len 10 Se1/1 LCP: MagicNumber 0x07513B3D (0x050607513B3D) Se1/1 LCP: O CONFACK [REQsent] id 5 len 10 Se1/1 LCP: MagicNumber 0x07513B3D (0x050607513B3D) Se1/1 LCP: I CONFACK [ACKsent] id 14 len 15 Se1/1 LCP: AuthProto CHAP (0x0305C22305) Se1/1 LCP: MagicNumber 0x0A98E027 (0x05060A98E027) Se1/1 LCP: State is Open Se1/1 PPP: Phase is AUTHENTICATING, by this end Se1/1 CHAP: O CHALLENGE id 3 len 23 from "R1" Se1/1 CHAP: I RESPONSE id 3 len 23 from "R2" Se1/1 PPP: Phase is FORWARDING, Attempting Forward Se1/1 PPP: Phase is AUTHENTICATING, Unauthenticated User Se1/1 PPP: Phase is FORWARDING, Attempting Forward Se1/1 PPP: Phase is AUTHENTICATING, Authenticated User Se1/1 CHAP: O SUCCESS id 3 len 4 Se1/1 PPP: Phase is UP
- Each router must have a username/password command with the username configured as the hostname (Case sensitive) of its peer.
- You can change the username (hostname by default) sent by the CHAP process using the command ppp chap hostname and the password using the command ppp chap password under the interface configuration mode.
- R2 can be configured to refuse the CHAP authentication request using the command ppp chap refuse.