
CHAP Basic Setup Steps | Blog

Aug 23

CHAP Basic Setup Steps

The Challenge Handshake Authentication Protocol (CHAP) is a built-in authentication protocol defined in PPP (Point-to-Point Protocol) and is used to verify the identity of the two devices on a point-to-point link. CHAP uses a three-way handshake mechanism, which consists of the following steps:

  1. Once the LCP (Link Control Protocol) process has completed and CHAP has been negotiated between both devices, the authenticator sends a challenge message to the peer.
  2. The peer responds with a value calculated using a one-way hash algorithm called Message Digest 5 (MD5).
  3. The authenticator compares the response value with its own calculated hash value. If the values are the same, the authentication is successful; otherwise, the connection is terminated.

This authentication process depends on a “secret” that is pre-shared by the authenticator and the peer. The authentication can be either one-way or two-way (mutual).
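The exchange described above, sketched in Python as an added example (not code from the original post or from Cisco). It uses the RFC 1994 response formula MD5(identifier || secret || challenge); the class and function names are assumptions made for illustration, and the names and secret are constructed to mirror the router example on this page.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical model of the side that issues challenges and checks responses."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets      # peer name -> pre-shared secret
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self) -> tuple[int, bytes]:
        # A fresh identifier and unpredictable value for every attempt.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        # Constant-time comparison of the two hash values.
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    # Constructed sample values: the authenticator knows peer "Rchap" / "pass1".
    auth = Authenticator({"Rchap": b"pass1"})
    ident, chal = auth.new_challenge()
    good = chap_response(ident, b"pass1", chal)
    results = {
        "matching secret": auth.verify("Rchap", ident, good),
        # The secret is case-sensitive, so "Pass1" produces a different hash.
        "wrong secret": auth.verify("Rchap", ident, chap_response(ident, b"Pass1", chal)),
    }
    # A response captured earlier does not satisfy a new challenge.
    ident2, _ = auth.new_challenge()
    results["replayed response"] = auth.verify("Rchap", ident2, good)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'success' if ok else 'failure'}")
```

Only the challenge and the hash cross the link; the shared secret itself is never transmitted.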

To configure PPP with CHAP authentication on the serial interfaces of two Cisco routers that otherwise have all default configuration, follow these steps:

Step 1: Use the encapsulation ppp command in interface configuration mode on the serial interfaces of both routers to enable PPP on the interfaces.

Step 2: Define the usernames and passwords used by the two routers:

  1. Use the hostname name command in global configuration mode on each router to set the local router’s name to use when authenticating.
  2. Use the username name password password command in global configuration mode on each router to define the name (case-sensitive) used by the neighbouring router and the matching password (case-sensitive). The name in the username command should match the name in the neighbouring router’s hostname command.

Step 3: Use the ppp authentication chap command in interface configuration mode on each router to enable CHAP on each interface.

Example: On the first device,

Router>enable

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#hostname Schap

Schap(config)#username Rchap password pass1

Schap(config)#interface se0

Schap(config-if)#ip address 192.168.1.6 255.255.255.252

Schap(config-if)#encapsulation ppp

Schap(config-if)#ppp authentication chap

On the second device,

Router>enable

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#hostname Rchap

Rchap(config)#username Schap password pass1

Rchap(config)#interface se0

Rchap(config-if)#ip address 192.168.1.5 255.255.255.252

Rchap(config-if)#encapsulation ppp

Rchap(config-if)#ppp authentication chap

There are several ways to check whether CHAP authentication has succeeded.

First, if CHAP authentication is enabled but fails, the protocol status of the interface falls to a down state and “LCP open” does not appear in the show output. To check that status, use the show interfaces type number command or the show interfaces status command.

You can also use the show ppp all command to verify whether CHAP authentication is working.
