How does ppp CHAP authentication work (RFC 1994)?

PPP authentication is a bit tricky. Well, maybe just for me to understand. I had to follow the path on configured examples that have to be set on both sides. I show this in the following example and explain how both ends have to be configured.

PPP Auth

R1 is configured like this:

Hostname: R1
Alias hostname: ROUTER1
Password: secret1

username ROUTER2 password secret1
interface s0/0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER2

R2 is configured like this:

Hostname: R2
Alias hostname: ROUTER2
Password: secret2

username ROUTER1 password secret1
interface s0/0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER2

CHAP is doing a three way handshake (RFC 1994). PAP is also possible as an authentication protocol, but it’s less secure. PAP uses a two way handshake and it send’s it’s password in clear text.

So here it goes like this.

  • R1 want to connect to R2. R1 is initiating a call.
  • LCP negotiates the Authentication protocol, CHAP in this case
  • So now R2 is going to challenge R1. And it’s preparing a packet with challenge informations. This depend on his configuration. If no hostname is configured with „ppp chap hostname name„, then the hostname of the router R2 itself for the challenge is used, otherwise the configured name, in this case ROUTER2.
  • R2 is sending a challenge packet back to R1, which means, R2 asks for authentication for a certain hostname „ROUTER2“ here.
  • R1 receives the challenge and looks, if it has a local user configured matching the hostname/username ROUTER2.
  • R1 find’s the username ROUTER2 in it’s local database and the password „secret1“
  • R1 is now answering the challenge for username ROUTER2 with the configured password. But R1 uses hostname ROUTER1 in it’s answer packet to R2, because it’s configured with „ppp chap hostname ROUTER1“. Otherwise R1 would use his hostname R1 only to answer.
  • Now R2 receives the answer from R1 and looks himself into his local password database and finds a matching entry for ROUTER1 with password „secret1“. R2 compares the passwords and grants access to R1 and authentication is successfull.

Debuging PPP authentication with:

debug ppp negotiation

debug ppp authentication


Leave a Reply