Sep 02

CHAP Basic Setup Steps


(CHAP) Challenge-Handshake Authentication Protocol is a secured procedure of connecting to a system than the (PAP) Password Authentication Procedure. Since, authentication can be requested by the server at any time, CHAP provides more security than the PAP. After a link is established, a server sends a challenge message to a connection requestor. The PPP requires its peer to authenticate itself using one of two authentication protocols, the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). The server checks the response by comparing it its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.

A procedure to configure the CHAP  authentication is fairly straightforward. If we assume that we have two routers, left and right, connected across a network, then configuring the CHAP authentication within these routers involves the following steps:

Step 1 : On the interface, issue the encapsulation ppp command.

Step 2 : Enable the use of CHAP authentication on both routers with the ppp authentication chap command.

Step 3 : Configure the usernames and passwords. Write the username username password password command, where username is the hostname of the peer.

Step 4 : Ensure that Passwords are identical at both ends.

One-Way and Two-Way Authentication

CHAP is defined as a one-way authentication method. However, we use CHAP in both directions to create a two-way authentication. The called party must authenticate the calling party in the Cisco CHAP implementation by default; unless authentication is completely turned off. Thus, the one-way authentication initiated by the called party is the minimum possible authentication. However, the two-way authentication forms when the calling party also verifies the identity of the called party.  One-way authentication is often used when we connect to the non-Cisco devices.

CHAP Configuration Commands and Options

  1. ppp authentication {chap | ms-chap | ms-chap-v2 | eap |pap} [callin] : This command enables local authentication of the remote PPP peer with the specified protocol.
  2. ppp chap hostname username : This command defines an interface-specific CHAP hostname.
  3. ppp chap password password : This command defines an interface-specific CHAP password.
  4. ppp direction callin | callout | dedicated : This command forces a call direction. It is used when a router is confused as to whether the call is incoming or outgoing (for example, when connected back-to-back or connected by leased lines.
  5. ppp chap refuse [callin] : This command disables remote authentication by a peer (default enabled). This command disables CHAP authentication for all calls, which means that all attempts by the peer to force the user to authenticate with the help of CHAP are refused. The callin option specifies that the router refuses to answer CHAP authentication challenges received from the peer, but still requires the peer to answer any CHAP challenges that the router sends.
  6. ppp chap wait : This command specifies that the caller must authenticate first (default enabled) because the router will not authenticate to a peer that requests CHAP authentication until after the peer has authenticated itself to the router.
  7. ppp max-bad-auth value : This command specifies the allowed number of authentication retries (the default value is 0)
  8. ppp chap splitnames : This hidden command allows different hostnames for a CHAP challenge and response (the default value is disabled).
  9. ppp chap ignoreus : This hidden command ignores CHAP challenges with the local name (the default value is enabled).

To learn Microsoft Certification

Looking for an IT Job?

Please call us on 1800 159 151, or complete the form below.

  • This field is for validation purposes and should be left unchanged.

Recent Posts

About The Author

Delivering Classroom and Live Instructor-led Training. Attend at our premises or from anywhere on any device.

COVID discounts on Job Programs end soon, register today.

Open chat