PPP: What is CHAP? Explained with Examples

By | 14th November 2015

Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) is more secure than PAP. It involves a three-way exchange of a shared secret. During link establishment, CHAP conducts periodic challenges to make sure that the remote host still has a valid password value.

While PAP basically stops working once authentication is established, this leaves the network vulnerable to attack.

How CHAP Works

After the PPP link encapsulation phase is complete, the local router sends a challenge message to the remote host.

The remote host sends a response with a value calculated using a one-way hash function, which is normally Message Digest 5 (MD5) based on the password and challenge message.

The local router checks the response from the remote host against its own calculation of the expected hash value. If there is a match, the initiating host acknowledges the authentication. If the values don’t match, it immediately terminates the connection.


CHAP provides protection against playback attack by using different challenge value that is unique and comes in random. Because the challenge is unique and unpredictable, the resulting hash value is also unique and random. Which makes it difficult for ‘guessing’.

 The use of repeated and different challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.


You can enable either PAP or CHAP or both on a network. If both authentications are enabled, PAP is requested during link negotiation. If the network device suggests using CHAP or simply refuses the first method, the second method is tried. Some remote devices support CHAP only and some PAP only. It is highly recommended to use both on Cisco router for maximum data security.

PAP usernames and passwords are sent as clear-text strings and can be intercepted and reused. CHAP has eliminated most of the known security holes


The Branch Router initiates the 3-way handshake and sends a challenge message to router HQ HQ response to Branch’s CHAP challenge by sending its username and password. Branch checks HQ’s username and password in it are a local database for a possible match, if there is a match, it accepts the connection. If not, it rejects.


Remote Office router

RO#config t

RO(config-if)#username HQ password orbit

RO(config-if)#encapsulation ppp

RO(config-if)# ppp authentication chap


 HQ router

HQ#config t

HQ(config-if)#username RO password orbit

HQ(config-if)#encapsulation ppp

RO(config-if)# ppp authentication chap



Leave a Reply

Your email address will not be published. Required fields are marked *