Authentication is a highly recommended way to secure a network against intrusion. The Challenge-Handshake Authentication Protocol (CHAP) performs a three-way handshake to verify the identity of a peer: after the Link Control Protocol (LCP) phase is completed, the authenticator sends a challenge message to the peer. The peer responds with a value calculated by a one-way hash function. If the value sent by the peer matches the value the authenticator calculated itself, the authentication is successful. CHAP is considered more secure than PAP (Password Authentication Protocol) because it protects the connection against replay attacks by the peer and, unlike PAP, does not send the secret as plain text over the network.
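The three-way handshake described above, as an added Python example that is not part of the original page, showing why a captured response cannot be replayed and why a mismatched secret fails. It assumes the MD5 form of CHAP from RFC 1994 (the page only says "one-way hash function"); the class name, function names and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The side that sends the Challenge and checks the Response."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.next_id = 0
        self.pending = {}  # identifier -> outstanding challenge

    def challenge(self):
        """Step 1: send a fresh identifier and an unpredictable challenge."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the hash locally and compare (Success/Failure)."""
        value = self.pending.pop(identifier, None)  # each challenge is single-use
        if value is None:
            return False
        expected = chap_response(identifier, self.secret, value)
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-shared-secret"  # sample value, same on both routers
    auth = Authenticator(secret)

    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)  # step 2, done by the peer
    ok = auth.verify(ident, resp)

    replay_same = auth.verify(ident, resp)     # challenge already consumed
    ident2, _ = auth.challenge()
    replay_new = auth.verify(ident2, resp)     # old response, new challenge

    ident3, chal3 = auth.challenge()
    mismatch = auth.verify(ident3, chap_response(ident3, b"wrong-secret", chal3))
    return ok, replay_same, replay_new, mismatch

if __name__ == "__main__":
    print(demo())
```

Only the identifier, the challenge and the 16-byte hash cross the link; the secret itself stays on each router.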
To use CHAP, we first have to enable the Point-to-Point Protocol (PPP) by using the encapsulation ppp command on the interface. Once PPP has been enabled, we use the ppp authentication chap command on both routers to enable CHAP. Finally, we configure the usernames and passwords by using the username username password password command. Make sure that the same password is used on both routers.

CHAP is normally one-way authentication, but we can create two-way authentication as well. To enable two-way CHAP, we have to initiate the CHAP authentication from both routers. To define an interface-specific CHAP hostname, we use the command ppp chap hostname username. We can even set a password for a specific interface by using the command ppp chap password password. We can also set the authentication direction by issuing the command ppp direction callin | callout | dedicated. CHAP authentication requests can be refused, or the peer can be asked to wait until the peer authenticates itself first; the commands for these actions are ppp chap refuse and ppp chap wait, respectively. When the authentication process fails, we can configure the point-to-point interface to do a certain number of retries before it resets itself by using the command ppp max-bad-auth value (default value is 0).

We can verify whether CHAP authentication is enabled on the interface and whether it is a one-way or two-way handshake (by this end, by the peer, by both) by using the debug ppp negotiation and debug ppp authentication commands. A misconfiguration of the username or password on either of the two peers can cause the authentication process to fail, so we have to make sure that we provide the correct username and password on both peers.