HomeCCNAHow to Configure Challenge Handshake Authentication Protocol (CHAP)
Challange Handshake Authentication Protocol CHAP

How to Configure Challenge Handshake Authentication Protocol (CHAP)

September 25, 2020
Asad Ijaz
3 min read
CCNA
Xfin

Challenge Handshake Authentication Protocol (CHAP) periodically checks the character of the far off hub utilizing a three-way handshake. The hostname on one switch must match the username the other switch has designed. The passwords should likewise coordinate. The password value is variable and changes unpredictably while the link exists.

When the PPP link establishment phase is complete, the local router sends a challenge message to the remote node containing Challenge Handshake Authentication Protocol (CHAP) user name and a hash value that is based on the Challenge Handshake Authentication Protocol (CHAP)Password.

The remote router compares the local routers username and password in its local database and calculates hash value with the value sent from local router. The remote node then responds with a calculated value using a one way hash function, usually with Message Digest 5 (MD5) based on the password and challenge message. The figure1 illustrates the CHAP 3 way handshake.

The local router checks the reaction against its own calculation of the likely hash value. In case of value match, the initiating node acknowledges the authentication; otherwise, the initiating node immediately terminates the connection.

Challenge Handshake Authentication Protocol (CHAP)
How to Configure Challenge Handshake Authentication Protocol (CHAP) 4

Challenge Handshake Authentication Protocol (CHAP) provides better protection then PAP because it protects devices from playback attacks using a variable challenge value that is unique and unpredictable. The challenge and resulted hash value are unique and random. The use of repetitive challenges limits the time of vulnerability to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.

Challenge Handshake Authentication Protocol (CHAP) Configuration

We have learnt in the previous section that CHAP periodically identifies the remote node using a three-way handshake. The hostname on one router should match the username the other router has configured. The passwords also required to match. This occurs on initial link establishment and can be repeated any time after the link has been established. The commands for configuring CHAP on R1 are the following:

chap
How to Configure Challenge Handshake Authentication Protocol (CHAP) 5

Router R-1 (Local)

Router>enable

Router#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R1

R1(config)#username R2 password Cisco

R1(config)# interface serial0/0/0

R1(config-if)#no shut

R1(config-if)# ip address 192.168.10.1 255.255.255.252

R1(config-if)# ipv6 address 2001:AD01:BD00::1/64

R1(config-if)# clock rate 64000

R1(config-if)#encapsulation PPP

R1(config-if)#ppp authentication chap

R1(config-if)#exit

Router R-2 (Remote)

Router>enable

Router#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R2

R2(config)#username R2 password ccna12345

R2(config)# interface serial0/0/0

R2(config-if)#no shut

R2(config-if)# ip address 192.168.10.2 255.255.255.252

R2(config-if)# ipv6 address 2001:AD01:BD00::2/64

R2(config-if)# clock rate 64000

R2(config-if)#encapsulation PPP

R2(config-if)#ppp authentication chap

R2(config-if)#exit

Avatar of Asad Ijaz

Asad Ijaz

NetworkUstad's lead networking architect with CCIE certification. Specializes in CCNA exam preparation and enterprise network design. Authored 2,800+ technical guides on Cisco systems, BGP routing, and network security protocols since 2018. Picture this: I'm not just someone who writes about tech; I'm a certified expert in the field. I proudly hold the titles of Cisco Certified Network Professional (CCNP) and Cisco Certified Network Associate (CCNA). So, when I talk about networking, I'm not just whistling in the dark; I know my stuff! My website is like a treasure trove of knowledge. You'll find a plethora of articles and tutorials covering a wide range of topics related to networking and cybersecurity. It's not just a website; it's a learning hub for anyone who's eager to dive into the world of bits, bytes, and secure connections. And here's a fun fact: I'm not a lone wolf in this journey. I'm a proud member and Editor of Team NetworkUstad. Together, we're on a mission to empower people with the knowledge they need to navigate the digital landscape safely and effectively. So, if you're ready to embark on a tech-savvy adventure, stick around with me, Asad Ijaz Khattak. We're going to unravel the mysteries of technology, one article at a time!"

Related Articles

Network topology diagram showing routers R1 to R6 with link costs and three paths totaling 59, 42, and 37 for SPF protocol example

Understanding the Shortest Path First (SPF) Protocol: Link-State Routing with Dijkstra’s Algorithm

August 29, 2019
DHCPv6 Operation

DHCPv6 Operation

October 5, 2019
Detailed IPv4 packet header diagram with labeled fields: Version, TTL, Protocol, Checksum, and Source/Destination IP addresses.

Mastering the IPv4 Packet Header: Insights for 2025 Networks

June 6, 2019
DataLink and Network Layer Addresses

Master Data Link and Network Layer Addresses in 2025: A Complete Guide

May 27, 2019
A graphic representation emphasizing ‘Understanding FHRP’ with a 3D globe surrounded by networking icons, highlighting key concepts for CCNA students.

What is FHRP? – Exclusive Explanation

November 1, 2019

How to Troubleshoot Spanning-Tree Protocol

October 31, 2019
Design 103 1

Data Frame Forwarding: Master Efficient Network Switching Techniques (Updated 2025)

August 13, 2019
CCNA 200-301

CCNA 200-301 Free Exam Questions & Answers

October 17, 2021
Single Area OSPF

Introduction to OSPF Metric and Reference Bandwidth

September 1, 2019