PPP Authentication: CHAP


The Challenge Handshake Authentication Protocol (CHAP) (protocol value = 0xC223) verifies the identity of the peer using a three-way handshake. After the Link Establishment Phase is complete, the authenticator sends a "Challenge" message to the peer containing a random value. The peer responds with a "Response" message containing the MD5 hash computed over the value sent in the Challenge message (combined with the Identifier and the shared password, as described below). The authenticator computes the same hash over the value it sent and compares it with the value received from the peer. If the values match, the authenticator sends a "Success" message; otherwise it sends a "Failure" message.

A CHAP packet is encapsulated in the Information field of the PPP frame. The protocol value is set to 0xC223.

A Challenge packet is used to begin CHAP authentication. Challenge packets are sent during the Authentication Phase and the NCP phase. An authenticator keeps sending Challenge packets until it receives a Response from the peer. A Challenge packet can also be sent later to ensure that the connection has not been altered.

The Challenge packet has a Value field containing a variable-length stream of octets (a random value), and a Name field containing the hostname of the router transmitting the packet.

The Response packet is used to reply to a Challenge packet. It is created as follows:

    1. The Identifier value and the random value from the Value field of the Challenge packet are fed to the MD5 hash generator.
    2. The Name field of the Challenge packet is used to look up the password: the router searches for a username entry that matches the Name field of the Challenge packet and retrieves its password.
    3. This password is also fed into the MD5 hash generator.

The resulting one-way hash value is placed in the Value field of the Response packet, which is sent back to the authenticator. The Name field of the Response packet is set to the hostname of the peer router.

The authenticator performs the same MD5 hash computation over the Identifier value and the random value it sent in the Challenge packet, using the password it obtains by looking up the username from the Name field of the Response packet in its own configuration. It expects the resulting value to match the one received from the peer.

The authenticator sends a Success packet if the values match; otherwise, it sends a Failure packet to the peer.
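The Response computation and the authenticator's verification described above, as an added example that is not part of the original page and not router code. It assumes the RFC 1994 packet layout (Code, Identifier, Length, Value-Size, Value, Name for Challenge and Response; Code, Identifier, Length, Message for Success and Failure), a 16-octet random Challenge Value, and a constructed secret table holding the same names and password as the configuration shown later on this page; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

# CHAP Code values from RFC 1994.
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# Constructed secret table mirroring the "username ... password" lines in the
# configuration on this page: each router stores the *other* router's name and password.
SECRETS = {b"R1": b"cisco123", b"R2": b"cisco123"}


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge Value; peer and authenticator both compute this."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_value_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def build_result_packet(code: int, identifier: int, message: bytes = b"") -> bytes:
    """Success/Failure layout: Code(1) Identifier(1) Length(2) Message."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def parse_packet(data: bytes) -> dict:
    """Decode a CHAP packet; the length checks reject truncated or padded input."""
    if len(data) < 4:
        raise ValueError("CHAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("CHAP Length field does not match packet size")
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        if length < 5 or 5 + data[4] > length:
            raise ValueError("CHAP Value truncated")
        value_size = data[4]
        return {"code": code, "id": identifier,
                "value": data[5:5 + value_size], "name": data[5 + value_size:]}
    return {"code": code, "id": identifier, "message": data[4:]}


def make_challenge(identifier: int, my_name: bytes, rng=os.urandom):
    """Authenticator: fresh random Value plus own hostname; the Value is kept for verification."""
    value = rng(16)
    return build_value_packet(CHAP_CHALLENGE, identifier, value, my_name), value


def make_response(challenge_pkt: bytes, my_name: bytes, secrets: dict) -> bytes:
    """Peer: look up the password for the Name in the Challenge, hash, answer with own Name."""
    chal = parse_packet(challenge_pkt)
    if chal["code"] != CHAP_CHALLENGE or chal["name"] not in secrets:
        raise ValueError("no usable Challenge for this peer")
    digest = chap_hash(chal["id"], secrets[chal["name"]], chal["value"])
    return build_value_packet(CHAP_RESPONSE, chal["id"], digest, my_name)


def verify_response(response_pkt: bytes, identifier: int, challenge_value: bytes, secrets: dict) -> bytes:
    """Authenticator: recompute the hash with the password stored for the Response's Name."""
    try:
        resp = parse_packet(response_pkt)
    except ValueError:
        return build_result_packet(CHAP_FAILURE, identifier, b"malformed Response")
    if resp["code"] != CHAP_RESPONSE or resp["id"] != identifier:
        return build_result_packet(CHAP_FAILURE, identifier, b"unexpected Identifier")
    secret = secrets.get(resp["name"])
    if secret is None:
        return build_result_packet(CHAP_FAILURE, identifier, b"unknown Name")
    expected = chap_hash(identifier, secret, challenge_value)
    if hmac.compare_digest(expected, resp["value"]):  # constant-time comparison
        return build_result_packet(CHAP_SUCCESS, identifier)
    return build_result_packet(CHAP_FAILURE, identifier, b"authentication failed")


def run_exchange(auth_name: bytes, peer_name: bytes, identifier: int = 1,
                 peer_secrets: dict = SECRETS, auth_secrets: dict = SECRETS) -> dict:
    """One-way CHAP exchange (authenticator -> peer -> authenticator); returns every packet."""
    challenge, value = make_challenge(identifier, auth_name)
    response = make_response(challenge, peer_name, peer_secrets)
    result = verify_response(response, identifier, value, auth_secrets)
    return {"challenge": challenge, "response": response, "result": result}


if __name__ == "__main__":
    for label, pkt in run_exchange(b"R1", b"R2").items():
        print(f"{label:9s} code={pkt[0]} id={pkt[1]} len={len(pkt)}")
```

With a 16-octet Value and the two-character names R1 and R2, both the Challenge and the Response come out at 23 octets and the Success at 4, which is what the `len` fields in the debug output further down this page show. Note that the password itself never crosses the link: a mismatch, an unknown Name, an Identifier that does not match the outstanding Challenge, or any tampering with the Response all produce a Failure packet rather than an exception.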

The following diagram shows the exchange of CHAP packets between two routers. It shows only one-way authentication; two-way authentication proceeds similarly, with all CHAP packets transmitted in both directions.

Configuring PPP CHAP Authentication:

PPP CHAP authentication is configured using the ppp authentication chap interface configuration command.

PPP CHAP configuration

R1 router:
username R2 password 0 cisco123
!
interface serial 0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!
R2 router:
username R1 password 0 cisco123
!
interface serial 0/0
 ip address 10.1.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
!

The following output shows the CHAP packet exchange between the R1 and R2 routers. R1 sends a Challenge packet to R2 and also receives a Challenge packet from R2. R1 then sends a Response packet in reply to R2's Challenge, and R2 likewise sends a Response packet back to R1. Finally, R1 and R2 each send a Success message.

debug ppp authentication

00:04:11.987: Se0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
00:04:11.987: Se0/0 CHAP: I CHALLENGE id 1 len 23 from "R2"
00:04:12.039: Se0/0 CHAP: I RESPONSE id 1 len 23 from "R2"
00:04:12.043: Se0/0 CHAP: Using hostname from unknown source
00:04:12.043: Se0/0 CHAP: Using password from AAA
00:04:12.043: Se0/0 CHAP: O RESPONSE id 1 len 23 from "R1"
00:04:12.051: Se0/0 PPP: Sent CHAP LOGIN Request
00:04:12.055: Se0/0 PPP: Received LOGIN Response PASS
00:04:12.063: Se0/0 PPP: Sent LCP AUTHOR Request
00:04:12.067: Se0/0 PPP: Sent IPCP AUTHOR Request
00:04:12.067: Se0/0 CHAP: I SUCCESS id 1 len 4
00:04:12.075: Se0/0 LCP: Received AAA AUTHOR Response PASS
00:04:12.075: Se0/0 IPCP: Received AAA AUTHOR Response PASS
00:04:12.079: Se0/0 CHAP: O SUCCESS id 1 len 4
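Reading two interleaved handshakes out of this debug output by eye works for one link, but not for many. The following added example (not from the original page, and not a Cisco tool) folds `debug ppp authentication` lines into one outcome per handshake direction, keyed on interface and Identifier. Its sample input reuses the six CHAP lines above and adds four constructed lines for a hypothetical second interface (Se0/1, peer R3) where the peer rejects us and our own Challenge goes unanswered; the line format is assumed to be the one shown on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# One CHAP line of "debug ppp authentication"; the trailing 'from "..."' is absent on
# SUCCESS/FAILURE lines, and any text after the len field is ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\S+): (?P<iface>\S+) CHAP: (?P<dir>[IO]) '
    r'(?P<kind>CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (?P<id>\d+) len (?P<len>\d+)'
)

# First six lines: the CHAP lines from the debug output on this page.
# Last four lines: constructed, a second link where the peer fails us and never answers our Challenge.
SAMPLE_DEBUG = """\
00:04:11.987: Se0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
00:04:11.987: Se0/0 CHAP: I CHALLENGE id 1 len 23 from "R2"
00:04:12.039: Se0/0 CHAP: I RESPONSE id 1 len 23 from "R2"
00:04:12.043: Se0/0 CHAP: O RESPONSE id 1 len 23 from "R1"
00:04:12.067: Se0/0 CHAP: I SUCCESS id 1 len 4
00:04:12.079: Se0/0 CHAP: O SUCCESS id 1 len 4
00:04:20.100: Se0/1 CHAP: O CHALLENGE id 2 len 23 from "R1"
00:04:20.100: Se0/1 CHAP: I CHALLENGE id 2 len 23 from "R3"
00:04:20.150: Se0/1 CHAP: O RESPONSE id 2 len 23 from "R1"
00:04:20.200: Se0/1 CHAP: I FAILURE id 2 len 25 msg is "Authentication failed"
"""


def _outcome(kinds: list) -> str:
    """Classify one handshake from the ordered CHAP packet kinds seen for it."""
    if "FAILURE" in kinds:
        return "failure"
    if "RESPONSE" not in kinds:
        # A Challenge that is retransmitted without ever being answered shows up here.
        return "no response" if "CHALLENGE" in kinds else "incomplete"
    if "SUCCESS" in kinds and kinds.index("SUCCESS") > kinds.index("RESPONSE"):
        return "success"
    return "incomplete"


def summarize_chap(debug_text: str) -> dict:
    """Map (interface, id) -> outcome of each CHAP handshake direction."""
    seen = defaultdict(lambda: {"we_authenticate_peer": [], "peer_authenticates_us": []})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # AAA/LCP/IPCP lines are not part of the CHAP handshake itself
        direction, kind = m.group("dir"), m.group("kind")
        # Which side issued the CHALLENGE decides the handshake a line belongs to:
        #   O CHALLENGE / I RESPONSE / O SUCCESS|FAILURE -> we authenticate the peer
        #   I CHALLENGE / O RESPONSE / I SUCCESS|FAILURE -> the peer authenticates us
        ours = (direction == "O") == (kind != "RESPONSE")
        side = "we_authenticate_peer" if ours else "peer_authenticates_us"
        seen[(m.group("iface"), int(m.group("id")))][side].append(kind)
    return {key: {side: _outcome(kinds) for side, kinds in sides.items()}
            for key, sides in seen.items()}


def failed_handshakes(debug_text: str) -> list:
    """Return (interface, id, side, outcome) for every handshake that did not succeed."""
    return [(iface, ident, side, outcome)
            for (iface, ident), sides in summarize_chap(debug_text).items()
            for side, outcome in sides.items() if outcome != "success"]


if __name__ == "__main__":
    for row in failed_handshakes(SAMPLE_DEBUG):
        print("CHAP problem:", row)
```

For the sample input, Se0/0 id 1 is reported as success in both directions, while Se0/1 id 2 is reported as "failure" for the direction in which the peer authenticates us and "no response" for the direction in which we challenge the peer. Feeding the same function a longer debug capture (or syslog export) gives a quick list of links whose CHAP handshake is stalling or failing.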

The following packet capture shows a sample Challenge packet.

The following output shows a sample packet capture of a CHAP Response packet sent in reply to a Challenge packet.

The following output shows a sample packet capture of a CHAP Success message.