What is PPP? : What is CHAP ? Explanation with Examples

By | 9th November 2015

Challenge Handshake Authentication Protocol (CHAP).

Challenge Handshake Authentication Protocol (CHAP) is more secure than PAP. It involves a three-way exchange of a shared secret. During link establishment, CHAP conducts periodic challenges to make sure that the remote host still has a valid password value. While PAP basically stops working once authentication is established, this leaves the network vulnerable to attack.

How CHAP Works
After the PPP link encapsulation phase is complete, the local router sends a challenge message to the remote host.

The remote host sends a response with a value calculated using a one-way hash function, which is normally Message Digest 5 (MD5) based on the password and challenge message.

The local router checks the response from the remote host against its own calculation of the expected hash value. If there is a match, the initiating host acknowledges the authentication. If the values don’t match, it immediately terminates the connection.

Advantages of CHAP
CHAP provides protection against playback attack by using different challenge value that is unique and comes in random. Because the challenge is unique and unpredictable, the resulting hash value is also unique and random. Which makes it difficult for ‘guessing’.

The use of repeated and different challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.


You can enable either PAP or CHAP or both on a network. If both authentications are enabled, PAP is requested during link negotiation. If the network device suggests using CHAP or simply refuses the first method, then the second method is tried.

Some remote devices support CHAP only and some PAP only. It is highly recommended to use both on Cisco router for maximum data security.

PAP usernames and passwords are sent as clear-text strings and can be intercepted and reused. CHAP has eliminated most of the known security holes.

Challenge Handshake Authentication Protocol (CHAP).

The Branch Router initiates the 3-way handshake and sends a challenge message to router HQ HQ response to Branch’s CHAP challenge by sending its username and password. Branch checks HQ’s username and password in it’s local database for a possible match, if there is a match, it accepts the connection. If not, it rejects.

How to Configure CHAP Authentication

The process outlined below shows how to configure PPP encapsulation and PAP/CHAP authentication protocols.
CHAP periodically verifies the identity of the remote host using a three-way handshake. The hostname and passwords must match on both router


Remote Office router

RO#config t
RO(config-if)#username HQ password orbit
RO(config-if)#encapsulation ppp
RO(config-if)# ppp authentication chap

HQ router

HQ#config t
HQ(config-if)#username RO password orbit
HQ(config-if)#encapsulation ppp
RO(config-if)# ppp authentication chap

Leave a Reply

Your email address will not be published. Required fields are marked *