PPP negotiation involves several steps such as Link Control Protocol (LCP) negotiation, Authentication, and Network Control Protocol (NCP) negotiation. If the two sides cannot agree on the correct parameters, then the connection is terminated. Once the link is established, the two sides authenticate each other using the authentication protocol decided on during LCP negotiation. Authentication must be successful prior to starting NCP negotiation.
To configure CHAP authentication, complete these steps:
- On the interface, issue the encapsulation ppp command.
- Enable the use of CHAP authentication on both routers with the ppp authentication chap command.
- Configure the usernames and passwords. To do so, issue the username username password password command, where username is the hostname of the peer. Ensure that:
  - Passwords are identical at both ends.
  - The router name and password match exactly on both ends, because they are case-sensitive.
Note: By default, the router uses its hostname to identify itself to the peer. However, this CHAP username can be changed through the ppp chap hostname command. Refer to PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands for more information.
One-Way and Two-Way Authentication
CHAP is defined as a one-way authentication method. However, you can use CHAP in both directions to create a two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side.
In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication.
One-way authentication is often required when you connect to non-Cisco devices.
For one-way authentication, configure the ppp authentication chap callin command on the calling router.
Advantages of CHAP
CHAP provides protection against playback (replay) attacks by using a challenge value that is unique and randomly generated for each challenge. Because the challenge is unique and unpredictable, the resulting hash value is also unique and unpredictable, which makes it difficult to guess.
The use of repeated and different challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
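The three-way handshake described above and the replay protection it provides, as an added example that is not part of the original document: the called party (authenticator) issues a random challenge, the calling party answers with MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and the authenticator verifies it. Hostnames (R1, R2), the password and the packet field names are constructed for illustration; the consumed-challenge table is an assumption about how an authenticator tracks outstanding challenges.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Called party: sends Challenge packets and verifies Response packets."""

    def __init__(self, name: bytes, peers: dict):
        self.name = name          # sent in the Challenge so the peer can pick its secret
        self.peers = peers        # {peer hostname: password}, as set with 'username'
        self.identifier = 0
        self.pending = {}         # outstanding challenges keyed by Identifier (assumption)

    def challenge(self) -> dict:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)    # unique, unpredictable challenge value
        self.pending[self.identifier] = value
        return {"code": 1, "id": self.identifier, "value": value, "name": self.name}

    def verify(self, resp: dict) -> bool:
        value = self.pending.pop(resp["id"], None)   # each challenge is answered once
        secret = self.peers.get(resp["name"])        # lookup is case-sensitive
        if value is None or secret is None:
            return False          # stale/unknown Identifier or unknown peer name
        expected = chap_response(resp["id"], secret, value)
        return hmac.compare_digest(expected, resp["value"])

def respond(chal: dict, name: bytes, secrets: dict) -> dict:
    """Calling party: answer a Challenge using the secret configured for the challenger."""
    value = chap_response(chal["id"], secrets[chal["name"]], chal["value"])
    return {"code": 2, "id": chal["id"], "value": value, "name": name}

def run_exchange() -> tuple:
    # Constructed sample configuration: both routers hold 'username <peer> password cisco123'.
    r1 = Authenticator(b"R1", {b"R2": b"cisco123"})
    r2_secrets = {b"R1": b"cisco123"}
    chal = r1.challenge()
    resp = respond(chal, b"R2", r2_secrets)
    genuine = r1.verify(resp)                  # correct answer: Success
    replayed = r1.verify(resp)                 # same packet again: Failure
    chal2 = r1.challenge()
    resp2 = respond(chal2, b"R2", r2_secrets)
    differs = resp2["value"] != resp["value"]  # new challenge, new hash
    fresh = r1.verify(resp2)
    wrong_case = r1.verify(respond(r1.challenge(), b"r2", r2_secrets))  # 'r2' != 'R2'
    return genuine, replayed, differs, fresh, wrong_case
```

Running `run_exchange()` returns `(True, False, True, True, False)`: a replayed response and a hostname that differs only in case are both rejected.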