The Challenge Handshake Authentication Protocol (CHAP), defined in RFC 1994, verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP, as described in RFC 1994:
1. After the link-establishment phase is complete, the authenticator sends a challenge message to the peer.
2. The peer responds with a value calculated with a one-way hash function (MD5 in RFC 1994) over the challenge and the shared secret.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection should be terminated.
RFC 1994 also allows the authenticator to send a new challenge at random intervals after the link is up, which repeats steps 1 through 3.
This authentication method depends on a "secret" known only to the authenticator and the peer. The secret itself is never sent over the link; only the random challenge and the hash computed from it are. Although the authentication is one-way, you can negotiate CHAP in both directions, with the same secret configured on both sides, to obtain mutual authentication. For more information on the advantages and disadvantages of CHAP, refer to RFC 1994.
Prerequisites
Requirements
Readers of this document should have knowledge of these topics:
Note: This document does not address MS-CHAP (Version 1 or Version 2). For more information on MS-CHAP, refer to the MS-CHAP Support and MSCHAP Version 2 documents.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Configure CHAP
The procedure to configure CHAP is fairly straightforward. For example, assume that you have two routers, left and right, connected across a network, as shown in Figure 1.
Figure 1 – Two Routers Connected Across a Network
To configure CHAP authentication, complete these steps:
One-Way and Two-Way Authentication
CHAP is defined as a one-way authentication method. However, you can run CHAP in both directions to create a two-way authentication; with two-way CHAP, each side initiates its own separate three-way handshake. In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication. One-way authentication is often required when you connect to non-Cisco devices. For one-way authentication, configure the ppp authentication chap callin command on the calling router: the callin keyword makes the router authenticate only on incoming calls, so it does not challenge the peer it calls. Table 1 shows when to configure the callin option.
Table 1 – When to Configure the Callin Option
For more information on how to implement one-way authentication, refer to PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands.
CHAP Configuration Commands and Options
Table 2 lists the CHAP commands and options:
Table 2 – CHAP Commands and Options
Transactional Example
The diagrams in this section show the series of events that occur during a CHAP authentication between two routers. They do not represent the actual messages seen in the debug ppp negotiation command output. For more information, refer to Understanding debug ppp negotiation Output.
Call
Figure 2 – The Call Comes In
Figure 2 shows these steps:
Challenge
Figure 3 – A CHAP Challenge Packet is Built
Figure 3 illustrates these steps in the CHAP authentication between the two routers:
Response
Figure 4 – Receipt and MD5 Processing of the Challenge Packet from the Peer
Figure 4 illustrates how the challenge packet is received from the peer and processed with MD5. The router processes the incoming CHAP challenge packet in this way:
Response (continued)
Figure 5 – The CHAP Response Packet Sent to the Authenticator is Built
Figure 5 illustrates how the CHAP response packet sent to the authenticator is built. This diagram shows these steps:
Verify CHAP
This section provides tips on how to verify your configuration.
Figure 6 – The Challenger Processes the Response Packet
Figure 6 shows how the challenger processes the response packet. Here are the steps involved when the CHAP response packet is processed (on the authenticator):
Result
Figure 7 – Success Message is Sent to the Calling Router
Figure 7 illustrates the success message sent to the calling router. It involves these steps:
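The whole exchange of Figures 3 through 7, together with the one-way versus two-way behaviour described in the One-Way and Two-Way Authentication section, worked through as an added example in Python. This is not code from the Cisco document or from Cisco IOS: the Router class, the packet tuples, the callin flag and the sample secrets are this example's own assumptions; only the hash construction (MD5 over Identifier, secret and Challenge Value) and the Code values come from RFC 1994.

```python
"""Added example, not part of the Cisco document: a model of the CHAP
three-way handshake (RFC 1994) between two routers, "left" and "right",
with the Cisco one-way/two-way behaviour described in the text.  The Router
class, the packet tuples and the sample secrets are this example's own
assumptions, not Cisco IOS code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# CHAP Code field values from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Router:
    hostname: str          # sent in the Name field, like the IOS hostname
    users: dict            # peer name -> secret, like `username <peer> password <secret>`
    callin: bool = False   # `ppp authentication chap callin`: challenge only on incoming calls
    _ident: int = 0
    _pending: dict = field(default_factory=dict)   # Identifier -> outstanding Challenge Value

    # Authenticator side (Figure 3): build a challenge and remember it.
    def build_challenge(self):
        self._ident = (self._ident + 1) & 0xFF       # one-octet Identifier
        value = os.urandom(16)                       # random Challenge Value
        self._pending[self._ident] = value           # kept for the check in Figure 6
        return (CHALLENGE, self._ident, value, self.hostname)

    # Peer side (Figures 4 and 5): look up the secret by the challenger's Name,
    # hash Identifier || secret || Challenge Value, send it back with our own Name.
    def respond(self, pkt):
        code, ident, value, challenger = pkt
        if code != CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        secret = self.users[challenger]
        digest = chap_hash(ident, secret, value)     # Identifier copied from the challenge
        return (RESPONSE, ident, digest, self.hostname)

    # Authenticator side (Figures 6 and 7): find the original challenge by
    # Identifier, recompute the hash with the secret for the peer's Name, compare.
    def verify(self, pkt):
        code, ident, digest, peer = pkt
        if code != RESPONSE:
            raise ValueError("expected a CHAP Response")
        challenge = self._pending.pop(ident, None)   # each challenge can be answered once
        secret = self.users.get(peer)
        if challenge is None or secret is None:
            return (FAILURE, ident, "Authentication failure")
        expected = chap_hash(ident, secret, challenge)
        if hmac.compare_digest(expected, digest):
            return (SUCCESS, ident, "Welcome")
        return (FAILURE, ident, "Authentication failure")


def authenticate(authenticator: Router, peer: Router) -> bool:
    """One three-way handshake: challenge, response, success or failure."""
    challenge = authenticator.build_challenge()
    response = peer.respond(challenge)
    return authenticator.verify(response)[0] == SUCCESS


def ppp_call(calling: Router, called: Router):
    """Cisco behaviour: the called party always authenticates the caller; the
    calling party also challenges unless it is configured with `callin`.
    Returns (called side accepted caller, calling side accepted called or None)."""
    called_ok = authenticate(called, calling)
    calling_ok = None if calling.callin else authenticate(calling, called)
    return called_ok, calling_ok


if __name__ == "__main__":
    # Constructed sample: matching secrets on both routers (two-way CHAP).
    left = Router("left", {"right": b"s3cret"})
    right = Router("right", {"left": b"s3cret"})
    print("two-way:", ppp_call(left, right))
    # One-way: left only authenticates incoming calls, so it does not challenge right.
    print("callin:", ppp_call(Router("left", {"right": b"s3cret"}, callin=True), right))
    # Mismatched secret: both directions fail.
    print("bad secret:", ppp_call(Router("left", {"right": b"other"}), right))
```

Two details of the model are worth noting. The Name field carried in the challenge is what the peer uses to pick a secret, which is why the username entries on each router must match the other router's hostname (or its ppp chap hostname). And because verify() consumes the stored challenge, a captured response cannot be replayed against the same authenticator; what CHAP does not prevent is an observer who records challenge/response pairs from guessing the secret offline, which is why RFC 1994 requires the secret to be strong and stored in clear on both sides.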
Troubleshoot CHAP
Refer to Troubleshooting PPP Authentication for information on how to troubleshoot issues.