How to Configure Challenge Handshake Authentication Protocol (CHAP)
Challenge Handshake Authentication Protocol (CHAP) periodically verifies the identity of the remote node using a three-way handshake. The hostname configured on one router must match the username the other router has configured for it, and the passwords on both routers must also match. The password itself is fixed; what changes is the challenge value, which is variable and unpredictable for as long as the link exists.
When the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The challenge carries an identifier, a random challenge value and the local router's hostname; it does not carry the CHAP password or a hash of it.
The remote router looks up the local router's hostname in its local username database to find the shared password, then computes a one-way hash, usually Message Digest 5 (MD5), over the identifier, the password and the challenge value. It sends this hash back in a response message together with its own hostname. Figure 1 illustrates the CHAP three-way handshake.
The local router checks the response against its own calculation of the expected hash value, computed with the password it has stored under the remote router's hostname. If the values match, the local router acknowledges the authentication with a Success message; otherwise it immediately terminates the connection with a Failure message.
CHAP provides better protection than PAP, which sends the password in clear text, because it protects against replay attacks: the challenge value is unique and unpredictable, so a response captured from one exchange is useless against any later challenge. Repeating the challenge periodically limits the time of exposure to any single attack. The local router or a third-party authentication server controls the frequency and timing of the challenges. Note that the password never crosses the link, but an eavesdropper who captures a challenge and its response can still test candidate passwords offline, so the shared password should be long and random, and it must be stored in recoverable form on both routers.
Challenge Handshake Authentication Protocol (CHAP) Configuration
As described in the previous section, CHAP periodically verifies the identity of the remote node using a three-way handshake. The hostname on one router must match the username the other router has configured, and the passwords must also match. This occurs on initial link establishment and can be repeated at any time after the link has been established. Because CHAP needs the clear-text password to compute the hash, the entry must be created with username ... password (optionally obscured with service password-encryption); username ... secret stores a one-way hash and cannot be used for CHAP. The commands for configuring CHAP on R1 and R2 are the following:
Router R-1 (Local)
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#username R2 password Cisco
R1(config)# interface serial0/0/0
R1(config-if)#no shut
R1(config-if)# ip address 192.168.10.1 255.255.255.252
R1(config-if)# ipv6 address 2001:AD01:BD00::1/64
R1(config-if)# clock rate 64000
R1(config-if)#encapsulation PPP
R1(config-if)#ppp authentication chap
R1(config-if)#exit
Router R-2 (Remote)
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#username R1 password Cisco
R2(config)# interface serial0/0/0
R2(config-if)#no shut
R2(config-if)# ip address 192.168.10.2 255.255.255.252
R2(config-if)# ipv6 address 2001:AD01:BD00::2/64
R2(config-if)#! clock rate is set only on the DCE end of the link (R1 here)
R2(config-if)#encapsulation PPP
R2(config-if)#ppp authentication chap
R2(config-if)#exit
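The following simulation is an added example, not code from the original page or from Cisco. It walks through the three-way handshake described above (challenge, MD5 response, verification) for the two routers configured in this section, using the RFC 1994 hash layout MD5(identifier || password || challenge). The GOOD_DB entries mirror the corrected username commands on R1 and R2; BAD_DB is the page's original R2 configuration (username R2 / ccna12345) kept as a negative case, and the function names, the fixed 16-byte test challenges and the attacker's replay step are all assumptions of this example.

```python
"""Simulated CHAP (RFC 1994) three-way handshake with MD5 between two routers.

Added example, not the page's own code. Databases map a router's hostname to the
`username <peer> password <pw>` entries it holds; challenges are random in the
real protocol and are only fixed here when reproducible output is needed.
"""
import hashlib
import hmac
import os

# Constructed username databases (hostname -> {peer hostname: password}).
# Corrected configuration: each router stores the OTHER router's hostname,
# and both store the same password.
GOOD_DB = {"R1": {"R2": "Cisco"}, "R2": {"R1": "Cisco"}}
# The page's original R2 lines: wrong username and a different password.
BAD_DB = {"R1": {"R2": "Cisco"}, "R2": {"R2": "ccna12345"}}


def chap_hash(ident, secret, challenge):
    # RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def build_challenge(authenticator, ident, challenge=None):
    # Step 1: the authenticator sends an ID, a random challenge and its own
    # hostname. No password material is in this message.
    return {"id": ident, "value": challenge or os.urandom(16), "name": authenticator}


def build_response(peer, db, challenge_msg):
    # Step 2: the peer looks up the password it stores for the challenger's
    # hostname and hashes it with the ID and challenge; it sends its own hostname.
    secret = db[peer].get(challenge_msg["name"])
    if secret is None:
        return None  # no `username <challenger> password ...` line on the peer
    return {"id": challenge_msg["id"],
            "value": chap_hash(challenge_msg["id"], secret, challenge_msg["value"]),
            "name": peer}


def verify_response(authenticator, db, challenge_msg, response_msg):
    # Step 3: the authenticator recomputes the hash with the password it stores
    # under the peer's hostname and compares in constant time.
    if response_msg is None or response_msg["id"] != challenge_msg["id"]:
        return False
    secret = db[authenticator].get(response_msg["name"])
    if secret is None:
        return False
    expected = chap_hash(challenge_msg["id"], secret, challenge_msg["value"])
    return hmac.compare_digest(expected, response_msg["value"])


def authenticate(authenticator, peer, db, ident=1, challenge=None):
    """Run the full handshake; returns (success, challenge_msg, response_msg)."""
    ch = build_challenge(authenticator, ident, challenge)
    rsp = build_response(peer, db, ch)
    return verify_response(authenticator, db, ch, rsp), ch, rsp


def replay_is_rejected(authenticator, peer, db):
    """Capture a valid response, then present it against a fresh challenge.

    Returns True when the original exchange succeeded but the replay fails,
    which is the property the text credits to the unpredictable challenge."""
    ok, _, captured = authenticate(authenticator, peer, db, ident=1)
    fresh = build_challenge(authenticator, ident=2)
    replayed = dict(captured, id=fresh["id"])  # attacker patches the ID to match
    return ok and not verify_response(authenticator, db, fresh, replayed)


if __name__ == "__main__":
    print("corrected config, R1 challenges R2:", authenticate("R1", "R2", GOOD_DB)[0])
    print("corrected config, R2 challenges R1:", authenticate("R2", "R1", GOOD_DB)[0])
    print("page's original R2 config:          ", authenticate("R1", "R2", BAD_DB)[0])
    print("captured response replayed:         ", "rejected" if replay_is_rejected("R1", "R2", GOOD_DB) else "ACCEPTED")
```

Run the script as-is to see the two databases side by side: with the original R2 lines, R2 has no entry for R1 and cannot even build a response, which is the same condition that makes the real link drop right after LCP comes up. The replay function shows why the challenge, not the password, is what has to vary.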