PPP Options 107
CHAP
CHAP is much more secure than PAP. It implements a two-way encrypted authentication
process. Usernames and passwords still must exist on the remote router, but they do not cross
the wire as they did with PAP.
When a user dials in, the access server issues a challenge message to the remote user after the
PPP link is established. The remote end responds with a value computed by a one-way hash function,
generally MD5, over the challenge and the shared password. If the value of the hash matches what the
router expects to see, the authentication is acknowledged. If not, the connection terminates.
Figure 5-5 depicts CHAP authentication.
Figure 5-5
CHAP Authentication
Replaying packets captured by a protocol analyzer does not work against CHAP. The use of
variable challenge values (that is, unique values) for each authentication attempt ensures that
no two challenges are the same, so a captured response is worthless against the next challenge.
CHAP also repeats a challenge every two minutes for the duration of the connection. If the
authentication fails at any time, the connection is terminated. The access server controls the
frequency of the challenges. Example 5-2 shows a basic CHAP configuration.
Example 5-2
CHAP Configuration Example
RouterA(config)#username amanda password twinz
RouterA(config)#interface async 0
RouterA(config-if)#encapsulation ppp
RouterA(config-if)#ppp authentication chap
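The exchange in Figure 5-5 worked through in code, as an added example that is not from the book or from Cisco IOS: an access server holding the same local user database as Example 5-2 issues a random challenge, the remote user answers with the RFC 1994 response value MD5(Identifier || secret || Challenge), and the server compares that digest with one it computes itself. The user database, the 16-byte challenge length and the class names are constructed for the example; the response formula is the one CHAP actually uses. The last function shows why the replay concern from the text does not apply: a captured response is checked only against the challenge it was issued for, and the next challenge is different.

```python
import hashlib
import hmac
import secrets


# Constructed sample data (not from the book): the access server's local user
# database, equivalent to "username amanda password twinz" on Router A.
# CHAP needs the cleartext secret on both ends, so it is stored as-is.
LOCAL_USERS = {"amanda": "twinz"}


def chap_response(identifier, secret, challenge):
    """CHAP response value as defined in RFC 1994:
    MD5(Identifier || secret || Challenge). The secret never leaves the host;
    only this 16-byte digest crosses the wire."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class AccessServer:
    """Authenticator side (Router A): issues a fresh random challenge for every
    attempt and compares the peer's digest with one computed locally."""

    def __init__(self, users):
        self.users = users
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def issue_challenge(self):
        # The identifier is one octet and changes per challenge; the challenge
        # value is random, so no two challenges are the same.
        self.identifier = (self.identifier + 1) % 256
        challenge = secrets.token_bytes(16)
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier, name, response):
        # A response is accepted only against the challenge it was issued for,
        # and only for a name present in the local user database.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class RemoteUser:
    """Peer side (remote user Amanda): answers each challenge with a digest."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def authenticate(server, peer):
    """One CHAP exchange: challenge -> response -> accept or reject.
    Returns (accepted, captured), where captured is what a protocol analyzer
    on the wire would see: identifier, name and digest, but never the password."""
    identifier, challenge = server.issue_challenge()
    name, response = peer.respond(identifier, challenge)
    accepted = server.verify(identifier, name, response)
    return accepted, (identifier, name, response)


def replayed_response_is_accepted(server, captured):
    """Offer a previously captured response against the server's next
    challenge and against its original identifier; both are rejected."""
    identifier, name, response = captured
    new_identifier, _ = server.issue_challenge()  # a different challenge now
    return server.verify(new_identifier, name, response) or \
        server.verify(identifier, name, response)


if __name__ == "__main__":
    router_a = AccessServer(LOCAL_USERS)
    ok, seen_on_wire = authenticate(router_a, RemoteUser("amanda", "twinz"))
    print("first challenge accepted:", ok)
    print("captured response reused:", replayed_response_is_accepted(router_a, seen_on_wire))
```

The periodic re-challenge the text describes is simply another call to `authenticate` with the same peer; each call produces a new identifier and challenge value. The name lookup is an exact match, so the name the peer sends must agree with the `username` entry character for character (the router's database is likewise case sensitive), which is worth checking when the remote end identifies itself as "Amanda" but the configuration reads "amanda".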
[Figure 5-5, CHAP Authentication: the remote user Amanda (name Amanda, password twinz) runs PPP to the access server Router A, which is configured to use CHAP and holds "username Amanda / password twinz" in its local user database. Message flow: request for challenge, challenge, response, accept or reject.]