
Friday 25 August 2017

CHAP Configuration

CHAP (Challenge Handshake Authentication Protocol)

Hi everyone, today we are going to learn about CHAP and its configuration.

What is CHAP and what is its purpose?

CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plain-text of the secret, although it is never sent over the network. The MS-CHAP variant does not require either peer to know the plain-text, but has been broken. Thus, CHAP provides better security as compared to Password Authentication Protocol (PAP).

CHAP Working

CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).

  1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
  2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
  3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
  4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

Another feature of CHAP is that it doesn't only require the client to authenticate itself at startup time, but sends challenges at regular intervals to make sure the client hasn't been replaced by an intruder, for instance by just switching phone lines.

Let us set up the following CHAP topology:


Now let us assign IP addresses to the interfaces and change the state of each interface from down to up so that they can communicate.

Router R1


Do the same for the Serial2/0 and FastEthernet0/0 interfaces.



Then open the IP configuration on PC0 to assign its IP address.




Then we apply the IP configuration on Router R2.



Now both PCs are attached, but they cannot communicate until we apply a routing mechanism. In this case we are applying the RIPv2 protocol.

We do this by applying the following set of commands on both routers. We should also set the hostname of the two routers, which will be useful to us later.



On Router R2 we also have to enter the commands needed to communicate.


Thus, both PCs can now communicate.



Now we will set up the authentication. In this tutorial we are going to apply CHAP (Challenge Handshake Authentication Protocol) on both routers, R1 and R2.

Router R1



Once we set the authentication on Router R1, communication is disabled. We therefore have to enter the CHAP authentication commands on Router R2 as well to bring the link state back up.



We have now successfully completed our CHAP configuration with Packet Tracer version 7.0.

