ccie.nyquist.eu
Search…
Table of Contents
Layer 2 Technologies
Ethernet Switching
Layer 2 WAN Protocols
HDLC
PPP
PPP 101
PPP Authentication - PAP
PPP Authentication – CHAP
PPP Authentication – EAP
PPP Multilink
PPPoFR – PPP over Frame Relay
PPPoE – PPP over Ethernet
Frame Relay
Bridging
IPv4
IPv4 Addressing
IPv4 Routing
IPv6
IPv6-101
IPv6 Routing
Interconnecting IPv6 and IPv4
MPLS
MPLS 101
MPLS L3 VPN
Multicast
Multicast 101
PIM 101
IGMP 101
Inter Domain Multicast
IPv6 Multicast
Multicast features on switches
Security
NAT 101
NAT for Overlapping Networks
ACLs 101
ACLs 102
Cisco IOS Firewall
Zone Based Firewall
AAA 101
Controlling CLI Access
Control Plane
Switch Security
IPSec VPN 101
DMVPN 101
Network Services
NTP 101
HTTP 101
File Transfer 101 – TFTP & FTP
WCCP 101
QoS
QoS 101
Classification and Marking
Congestion Management
Congestion Avoidance – WRED
Policing and Shaping
Compression and LFI
Frame Relay QoS
RSVP 101
Switching QoS
Network Optimization
NetFlow 101 – TNF – Traditional NetFlow
NetFlow 102 – FNF – Flexible NetFlow
IP SLA 101
IP Accounting 101
Logging 101
SNMP and RMON 101
Cisco CLI Tips and Tricks
AutoInstall
Enhanced Object Tracking
Powered By GitBook
PPP Authentication – CHAP

CHAP algorithm

CHAP is more secure than PAP because even though it sends usernames in clear text, it uses an MD5 hash instead of a clear text password for authentication.
When a router is set to ask for authentication, it will send a CHAP Challenge to the other router which contains an ID, a random number and a username. By default, the username used is the hostname of the router. For each Challenge, the router will store in memory the random number used.
When the router that shoud authenticate receives the Challenge, it must search in it’s database a password for the supplied username. If it doesn’t find one, the authentication will fail. If if finds one, the router will use the ID, the random number and the password to generate an MD5 hash. It will send this MD5 hash in a Response packet, together with a username to the router that issued the authentication challenge.The username is by default the hostname of the router that responds
Upon receiving the Response, the first router uses the ID to determine what Challenge the Response belongs to and retrives the random number used in the Challenge it sent. It then searches for a password coresponding to the username received from the other router. If no match is found, authentication fails. If a match is found, then the router uses the ID, the random number it used in the Challenge and the password it found to generate an MD5 hash. If the MD5 hash it generates matches the one that it received, then it (statisticly) means both routers used the same password and authentication succeeds.

One-way authentication

The configuration for one-way authentication should look like this:
1
!On R1
2
R1(config)# interface serial0
3
R1(config-if)# ip address IP-ADDR1 MASK1
4
R1(config-if)# encapsulation ppp
5
R1(config-if)# ppp authentication chap
6
R1(config-if)# exit
7
R1(config)# username R2 password PASS
8
!On R2
9
R2(config)# interface serial0
10
R2(config-if)# ip address IP-ADDR2 MASK2
11
R2(config-if)# encapsualation ppp
12
R2(config-if)# no shut
13
R2(config-if)# exit
14
R2(config)# username R1 password PASS
Copied!
Even though this might look like a two way authentication, it isn’t. For two-way authentication both routers should send a Challenge.

Two-way authentication

1
!On R1
2
R1(config)# interface serial0
3
R1(config-if)# ip address IP-ADDR1 MASK1
4
R1(config-if)# encapsulation ppp
5
R1(config-if)# ppp authentication chap
6
R1(config-if)# exit
7
R1(config)# username R2 password PASS
8
!On R2
9
R2(config)# interface serial0
10
R2(config-if)# ip address IP-ADDR2 MASK2
11
R2(config-if)# encapsualation ppp
12
R2(config-if)# ppp authentication chap
13
R2(config-if)# no shut
14
R2(config-if)# exit
15
R2(config)# username R1 password PASS
Copied!
As you can see, when using two way authentication you cannot use different passwords, as was possible with PAP.

More settings

To use a different username than the configured hostname, you can use:
1
R(config)# username USER2 password PASS2
2
R(config)# interface serial0
3
R(config-if)# ppp chap hostname USER2
Copied!
and to use a default password for unknown usernames, you can use:
1
R(config)# interface serial0
2
R(config-if)# ppp chap password PASS
Copied!
By default a router will always respond to an authentication request with its hostname as a username, even if there is no password configured. Of course, authentication will fail. Use the following command to refuse authentication requests:
1
R(config-if)#ppp chap refuse
Copied!

Debugging

When debugging, the best commands to use are:
1
R# debug ppp negotiation
2
R# debug ppp authentication
Copied!
See this Cisco article about debugging PPP neogtiation output
Previous
PPP Authentication - PAP
Next
PPP Authentication – EAP
Last modified 6mo ago
Copy link
Contents
CHAP algorithm
One-way authentication
Two-way authentication
More settings
Debugging