Challenge Handshake Authentication Protocol (CHAP) is a Point-to-Point Protocol (PPP) authentication protocol developed by the IETF (Internet Engineering Task Force). It is used at the initial startup of the link. It also performs periodic re-authentication to check that the router is still communicating with the same host.
- It uses a 3-way handshake (not the TCP one). First, the authenticator sends a Challenge packet to the peer; the peer then responds with a value computed using its one-way hash function. The authenticator compares the received value with the hash value it computed itself. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.
- It uses a one-way hash function, MD5.
- It also re-authenticates periodically to check whether the communication is still taking place with the same device.
- It also provides more security than PAP (Password Authentication Procedure), because the value sent (derived by the hash function) changes with every challenge, so a captured response is not simply reusable.
- CHAP requires both sides to know the plaintext of the secret, because the secret itself is never sent over the network.
CHAP packets:
There are 4 types of CHAP packets:
- Challenge packet: This packet is sent by the authenticator to the peer at the start of the CHAP 3-way handshake. It is also sent periodically to check that the connection has not been altered. It contains an Identifier value, a Value field holding a random value, and a Name field holding the name of the authenticator. The Name field is used to look up the password, which is then fed to the MD5 hash generator to produce a one-way hash value.
- Response packet: It is used to respond to the Challenge packet. It contains the Value field, which carries the generated one-way hash value, the Identifier value, and the Name field. The Name field of the Response packet is set to the hostname of the peer router. The peer uses the Name field of the Challenge packet to look up the password: it searches for an entry matching the username in that Name field and retrieves the password. This password is then fed to the MD5 hash generator to produce a one-way hash value, which is placed in the Value field of the Response packet and sent to the authenticator.
- Success packet: The authenticator now performs the same computation: it looks up the Name field of the Response packet (if it has an entry for that username) and uses that entry to generate a hash value. If the generated value is the same as the one received from the peer, a Success packet is sent.
- Failure packet: If the generated value is different, a Failure packet is sent to the peer.
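The exchange described above, as an added example that is not part of the original article: the authenticator builds a Challenge (Identifier, random Value, Name), the peer looks up the secret under the challenger's Name and hashes it with MD5, and the authenticator recomputes and compares. The hash input layout (Identifier, then secret, then challenge value) follows RFC 1994; the secret tables and router names are constructed from the configuration shown later on this page.

```python
import hashlib
import hmac
import os

# Constructed secret tables for the two routers in the article: each side stores
# the *other* router's name with the shared plaintext secret.
R1_SECRETS = {"R2": b"GeeksforGeeks"}
R2_SECRETS = {"R1": b"GeeksforGeeks"}


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response value: MD5(Identifier || secret || challenge value), per RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def make_challenge(authenticator_name: str, identifier: int, size: int = 16) -> dict:
    """Authenticator -> peer: Challenge packet with Identifier, random Value and Name."""
    return {"id": identifier, "value": os.urandom(size), "name": authenticator_name}


def make_response(challenge: dict, peer_name: str, secrets: dict) -> dict:
    """Peer -> authenticator: look up the secret under the challenger's Name, hash it,
    and send the hash back with the same Identifier and the peer's own Name."""
    secret = secrets[challenge["name"]]
    value = chap_hash(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": peer_name}


def verify_response(challenge: dict, response: dict, secrets: dict) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret and
    compare in constant time. A replayed response against a fresh challenge fails
    because the random challenge value differs."""
    if response["id"] != challenge["id"] or response["name"] not in secrets:
        return False
    expected = chap_hash(challenge["id"], secrets[response["name"]], challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_handshake(identifier: int = 1, peer_secrets: dict = R2_SECRETS) -> str:
    """Full 3-way exchange with R1 as authenticator; returns the packet type R1 sends back."""
    chal = make_challenge("R1", identifier)
    resp = make_response(chal, "R2", peer_secrets)
    return "Success" if verify_response(chal, resp, R1_SECRETS) else "Failure"


if __name__ == "__main__":
    print(run_handshake())                                   # Success
    print(run_handshake(peer_secrets={"R1": b"wrong"}))      # Failure
```

Passing a wrong secret on the peer side yields a Failure packet, and reusing an old Response against a new Challenge also fails, which is the property that makes CHAP stronger than PAP.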
Consider a small topology with two routers, Router1 and Router2. Router1 has IP address 10.1.1.1/30 on s0/0 and Router2 has IP address 10.1.1.2/30 on s0/0. Remember that HDLC is the default encapsulation on Cisco routers, therefore first change the encapsulation to PPP.
Configure R1:
Router1(config)# int s0/0
Router1(config-if)# encapsulation ppp
Configure R2:
Router2(config)# int s0/0
Router2(config-if)# encapsulation ppp
Change the hostname of both routers.
Router1(config)# hostname R1
Router2(config)# hostname R2
Provide the username and password on each router.
R1(config)# username R2 password GeeksforGeeks
R2(config)# username R1 password GeeksforGeeks
Note that the username and password are case-sensitive. Also, on router R1 we have to give the username of the other router, i.e., R2, and vice-versa.