Sep 02

CHAP Basic Setup Steps


The Challenge-Handshake Authentication Protocol (CHAP) is a more secure procedure for connecting to a system than the Password Authentication Protocol (PAP). PPP requires its peer to authenticate itself using one of these two authentication protocols. After a link is established, the server sends a challenge message to the connection requestor. The requestor responds with a value computed using a one-way hash function, and the server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated. Because the server can request authentication at any time, CHAP provides more security than PAP.

The procedure for configuring CHAP authentication is fairly straightforward. Assuming two routers, left and right, connected across a network, configuring CHAP authentication on them involves the following steps:

Step 1: On the interface, issue the encapsulation ppp command.

Step 2: Enable the use of CHAP authentication on both routers with the ppp authentication chap command.

Step 3: Configure the usernames and passwords with the username username password password command, where username is the hostname of the peer.

Step 4: Ensure that the passwords are identical at both ends.

One-Way and Two-Way Authentication

CHAP is defined as a one-way authentication method. However, CHAP can be used in both directions to create two-way authentication. In the Cisco CHAP implementation, the called party must authenticate the calling party by default, unless authentication is completely turned off. Thus, one-way authentication initiated by the called party is the minimum possible authentication. Two-way authentication results when the calling party also verifies the identity of the called party. One-way authentication is often used when connecting to non-Cisco devices.
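The handshake and the configuration rules above (username equal to the peer's hostname, identical passwords at both ends, one-way versus two-way) modelled in Python, as an added example that is not part of the original article and not Cisco's code. It assumes the MD5 response calculation from RFC 1994 and a simplified lookup in which each router finds the shared secret under the other router's hostname; the Router class, hostnames and passwords are made up for illustration.

```python
import hashlib
import hmac
import os


def chap_md5(ident, secret, challenge):
    # RFC 1994 response value: MD5(Identifier || secret || Challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """Simplified PPP peer: a hostname plus its 'username <peer> password <secret>' entries."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = usernames  # {peer hostname: shared secret}

    def respond(self, ident, challenge, challenger):
        # Find the secret stored under the challenger's name; without an entry
        # there is nothing to hash and no response can be built.
        secret = self.usernames.get(challenger)
        if secret is None:
            return None
        return self.hostname, chap_md5(ident, secret, challenge)

    def authenticate(self, peer):
        # One-way CHAP: this router challenges, the peer answers, this router
        # recomputes the hash from its own entry for the peer's name.
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        reply = peer.respond(ident, challenge, self.hostname)
        if reply is None:
            return False
        name, value = reply
        secret = self.usernames.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(value, chap_md5(ident, secret, challenge))


def two_way(a, b):
    # Two-way authentication is one-way CHAP run once in each direction.
    return a.authenticate(b) and b.authenticate(a)


# Constructed sample peers; hostnames and secrets are made up for this example.
LEFT = Router("left", {"right": b"Shared-Secret-1"})
RIGHT = Router("right", {"left": b"Shared-Secret-1"})
RIGHT_TYPO = Router("right", {"left": b"shared-secret-1"})  # step 4 violated

if __name__ == "__main__":
    print("left <-> right:", two_way(LEFT, RIGHT))
    print("left -> right (mismatched password):", LEFT.authenticate(RIGHT_TYPO))
```

The shared secret never crosses the link in this exchange; only the hash of a fresh random challenge does, which is why a password mismatch shows up as a failed comparison rather than as a visible wrong password.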

CHAP Configuration Commands and Options

  1. ppp authentication {chap | ms-chap | ms-chap-v2 | eap | pap} [callin] : This command enables local authentication of the remote PPP peer with the specified protocol.
  2. ppp chap hostname username : This command defines an interface-specific CHAP hostname.
  3. ppp chap password password : This command defines an interface-specific CHAP password.
  4. ppp direction {callin | callout | dedicated} : This command forces a call direction. It is used when a router is confused as to whether the call is incoming or outgoing (for example, when connected back-to-back or connected by leased lines).
  5. ppp chap refuse [callin] : This command disables remote authentication by a peer (default enabled). This command disables CHAP authentication for all calls, which means that all attempts by the peer to force the user to authenticate with the help of CHAP are refused. The callin option specifies that the router refuses to answer CHAP authentication challenges received from the peer, but still requires the peer to answer any CHAP challenges that the router sends.
  6. ppp chap wait : This command specifies that the caller must authenticate first (default enabled) because the router will not authenticate to a peer that requests CHAP authentication until after the peer has authenticated itself to the router.
  7. ppp max-bad-auth value : This command specifies the allowed number of authentication retries (the default value is 0).
  8. ppp chap splitnames : This hidden command allows different hostnames for a CHAP challenge and response (the default value is disabled).
  9. ppp chap ignoreus : This hidden command ignores CHAP challenges with the local name (the default value is enabled).
