The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol defined for PPP (Point-to-Point Protocol) and is used to verify the identity of the two devices on a point-to-point link. CHAP uses a three-way handshake. The steps performed in CHAP are:
Once the LCP (Link Control Protocol) phase has completed and CHAP has been negotiated between both devices, the authenticator sends a challenge message to the peer.
The peer responds with a value calculated from the challenge and the shared secret using a one-way hash function, Message Digest 5 (MD5).
The authenticator compares the response value with its own calculated hash value. If the values match, authentication succeeds; otherwise the connection is terminated.
This authentication process depends on a "secret" that is pre-shared by the authenticator and the peer. Authentication can be either one-way or two-way (mutual).
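As an added example, not part of the original page, the three steps above can be implemented directly from RFC 1994, where the response value is MD5 over the one-byte Identifier, the shared secret and the challenge value. The Python below (device names and secret taken from the configuration example on this page; packets simplified to tuples, which is my own shortcut) lets one object play either role, shows mutual authentication as two one-way handshakes with the roles swapped, and shows why a captured response is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

# CHAP packet codes (RFC 1994, section 4)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Device:
    """One end of the link. It can act as authenticator (challenge/verify)
    or as peer (answer), which is what mutual CHAP needs."""

    def __init__(self, name, secret, rng=os.urandom):
        self.name = name            # value sent in the packet's Name field
        self.secret = secret        # pre-shared secret, never sent on the wire
        self.rng = rng              # challenge source; injectable for tests
        self.identifier = 0
        self.outstanding = None     # challenge value awaiting a response

    # --- authenticator role -------------------------------------------------
    def make_challenge(self):
        # Fresh Identifier and fresh random Challenge Value for every attempt
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = self.rng(16)
        return (CHALLENGE, self.identifier, self.outstanding, self.name)

    def check_response(self, code, identifier, value):
        # Reject anything that is not a Response to the challenge we issued
        if code != RESPONSE or identifier != self.identifier or self.outstanding is None:
            return FAILURE
        expected = chap_response(identifier, self.secret, self.outstanding)
        self.outstanding = None     # each challenge is usable exactly once
        return SUCCESS if hmac.compare_digest(expected, value) else FAILURE

    # --- peer role ----------------------------------------------------------
    def answer(self, code, identifier, challenge_value, authenticator_name):
        if code != CHALLENGE:
            raise ValueError("expected a Challenge packet")
        # The peer's Name field tells the authenticator which secret to look up
        digest = chap_response(identifier, self.secret, challenge_value)
        return (RESPONSE, identifier, digest, self.name)


def run_handshake(authenticator, peer):
    """Challenge -> Response -> Success/Failure; returns the final packet code."""
    code, ident, chal, auth_name = authenticator.make_challenge()
    code, ident, value, _peer_name = peer.answer(code, ident, chal, auth_name)
    return authenticator.check_response(code, ident, value)


def mutual_handshake(a, b):
    """Two-way CHAP: each side authenticates the other with its own challenge."""
    return run_handshake(a, b) == SUCCESS and run_handshake(b, a) == SUCCESS


def replay_is_rejected(authenticator, peer):
    """A response captured from one exchange must not satisfy a later challenge."""
    code, ident, chal, auth_name = authenticator.make_challenge()
    recorded = peer.answer(code, ident, chal, auth_name)
    if authenticator.check_response(*recorded[:3]) != SUCCESS:
        raise RuntimeError("first exchange should succeed")
    authenticator.make_challenge()              # new identifier and value
    return authenticator.check_response(*recorded[:3]) == FAILURE


if __name__ == "__main__":
    schap = Device("Schap", b"pass1")   # names and secret from the page's example
    rchap = Device("Rchap", b"pass1")
    print("one-way:", run_handshake(schap, rchap) == SUCCESS)
    print("mutual:", mutual_handshake(schap, rchap))
    print("wrong secret rejected:", run_handshake(schap, Device("Rchap", b"wrong")) == FAILURE)
    print("replay rejected:", replay_is_rejected(schap, rchap))
```

The secret itself never crosses the link; only the challenge and the digest do, and because the authenticator issues a new Identifier and a new random value each time, a recorded digest cannot be presented again. The comparison uses hmac.compare_digest so that a mismatch takes the same time regardless of where the bytes differ.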
To configure CHAP authentication with PPP on the serial interfaces of two Cisco routers whose interfaces still have their default configuration, follow these steps:
Step 1: Use the encapsulation ppp command in interface configuration mode on the serial interfaces of both routers to enable PPP on the interfaces.
Step 2: Define the usernames and passwords used by the two routers:
- Use the hostname name command in global configuration mode on each router to set the local router's name, which is the name it presents when authenticating.
- Use the username name password password command in global configuration mode on each router to define the name (case-sensitive) used by the neighbouring router and the matching password (case-sensitive). The name in the username command must match the name in the neighbouring router's hostname command, and the password must be the same on both routers.
Step 3: Use the ppp authentication chap command in interface configuration mode on each router to enable CHAP on the interface.
Example: On the first device,
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Schap
Schap(config)#username Rchap password pass1
Schap(config)#interface se0
Schap(config-if)#ip address 192.168.1.6 255.255.255.252
Schap(config-if)#encapsulation ppp
Schap(config-if)#ppp authentication chap
On the other device,
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Rchap
Rchap(config)#username Schap password pass1
Rchap(config)#interface se0
Rchap(config-if)#ip address 192.168.1.5 255.255.255.252
Rchap(config-if)#encapsulation ppp
Rchap(config-if)#ppp authentication chap
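As an added example, not part of the page's own material, the following Python check takes two running-config fragments (constructed here to mirror the two routers above, with the prompts removed and the interface written as Serial0) and verifies the Step 2 rule mechanically: each router's hostname must appear, with identical case, in a username entry on the other router, the two passwords must agree, and any interface carrying ppp authentication chap must also carry encapsulation ppp. The parser, the function names and the config text are all my own.

```python
# Constructed running-config fragments mirroring the page's two routers.
SCHAP = """\
hostname Schap
username Rchap password pass1
interface Serial0
 ip address 192.168.1.6 255.255.255.252
 encapsulation ppp
 ppp authentication chap
"""

RCHAP = """\
hostname Rchap
username Schap password pass1
interface Serial0
 ip address 192.168.1.5 255.255.255.252
 encapsulation ppp
 ppp authentication chap
"""


def parse_config(text):
    """Pull out hostname, username/password pairs and per-interface commands."""
    cfg = {"hostname": None, "usernames": {}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Indented lines belong to the interface block opened above them
        if line.startswith(" ") and current is not None:
            cfg["interfaces"][current].append(line.strip())
            continue
        current = None
        words = line.split()
        if words[0] == "hostname" and len(words) == 2:
            cfg["hostname"] = words[1]
        elif words[0] == "username" and len(words) >= 4 and words[2] == "password":
            cfg["usernames"][words[1]] = words[3]
        elif words[0] == "interface" and len(words) == 2:
            current = words[1]
            cfg["interfaces"][current] = []
    return cfg


def check_chap_pair(text_a, text_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_config(text_a), parse_config(text_b)
    problems = []
    for local, remote in ((a, b), (b, a)):
        name = local["hostname"]
        # Step 2: the neighbour must have a username entry equal to our hostname,
        # compared case-sensitively because the router compares it that way
        if name not in remote["usernames"]:
            problems.append(f"{remote['hostname']} has no username entry for {name}")
        # Steps 1 and 3: CHAP on an interface only makes sense under PPP
        for ifname, lines in local["interfaces"].items():
            if "ppp authentication chap" in lines and "encapsulation ppp" not in lines:
                problems.append(f"{name} {ifname}: ppp authentication chap without encapsulation ppp")
    # The password each router stores for the other must be the same secret
    pa = a["usernames"].get(b["hostname"])
    pb = b["usernames"].get(a["hostname"])
    if pa is not None and pb is not None and pa != pb:
        problems.append("CHAP passwords differ between the two routers")
    return problems


if __name__ == "__main__":
    print("page configs:", check_chap_pair(SCHAP, RCHAP) or "consistent")
    # A lower-case username on one side is the classic case-sensitivity mistake
    print("case mismatch:", check_chap_pair(SCHAP, RCHAP.replace("username Schap", "username schap")))
    print("password mismatch:", check_chap_pair(SCHAP, RCHAP.replace("pass1", "pass2")))
```

Running it against the two configurations from the page reports no problems; changing the case of one username, or the password on one side, is reported before anyone has to read LCP debug output.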
There are several ways to check whether CHAP authentication has succeeded.
First, if CHAP is enabled but authentication fails, the line protocol of the interface goes to the down state and "LCP Open" does not appear in the show output. To check that status, use the show interfaces type number command or the show interfaces status command.
You can also use the show ppp all command to verify whether CHAP authentication is working.