Dec 26

Unlike PAP, CHAP does not actually send a password over the line. Instead, a hash value made up of the password and magic number is sent. Unless the hash computed by one authenticating party matches the hash computed by the other, authentication is not successful.


By default, the router sends its hostname for authentication when using CHAP. The router on the other side does a lookup in its local database, RADIUS server, or TACACS server, and finds the password that is paired with that username. If there is no matching username in the database, the password specified with the interface level command ‘ppp chap password’ is used as the default password.


Suppose you have a central office that has many remote clients dialing into it. If you don’t want to create an entry in the user database for each remote client, you can just specify a default password with ‘ppp chap password’. As long as the remote clients have an entry for the central site in their user database, authentication will be successful.
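The exchange described above, as an added example in Python that is not part of the original post: the challenging router keeps a local username database, the responding router is configured only with a hostname and a single default secret (the analogue of ‘ppp chap password’), and only the name and the MD5 hash of identifier, secret and challenge (RFC 1994) cross the line. The router names, secrets and the 16-byte challenge are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample data: the challenger (R3) holds a local user database,
# the responder (R1) has only a hostname and a default secret.
CHALLENGER_USERS = {"R1": b"CISCO"}    # equivalent of: username R1 password CISCO
RESPONDER_NAME = "R1"                  # equivalent of: hostname R1
RESPONDER_DEFAULT_SECRET = b"CISCO"    # equivalent of: ppp chap password CISCO


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 CHAP: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_challenge(identifier: int, challenger_name: str, rng=os.urandom):
    """Challenger -> responder: identifier, fresh random challenge, challenger's name."""
    return identifier, rng(16), challenger_name


def build_response(identifier: int, challenge: bytes, responder_name: str, secret: bytes):
    """Responder -> challenger: identifier, hash of its secret over the challenge, its name.
    The secret itself never goes on the wire; only the name and the hash do."""
    return identifier, chap_response_value(identifier, secret, challenge), responder_name


def verify_response(identifier: int, challenge: bytes, response_value: bytes,
                    peer_name: str, users: dict) -> bool:
    """Challenger: look the peer's name up, recompute the hash, compare in constant time.
    A name with no database entry is rejected outright."""
    secret = users.get(peer_name)
    if secret is None:
        return False
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response_value)


def run_chap(users: dict, responder_name: str, responder_secret: bytes,
             identifier: int = 1, rng=os.urandom) -> bool:
    """Drive one full CHAP exchange and return the challenger's verdict."""
    ident, challenge, _challenger_name = build_challenge(identifier, "R3", rng)
    ident, resp_value, peer_name = build_response(ident, challenge, responder_name, responder_secret)
    return verify_response(ident, challenge, resp_value, peer_name, users)


if __name__ == "__main__":
    print(run_chap(CHALLENGER_USERS, RESPONDER_NAME, RESPONDER_DEFAULT_SECRET))  # True
    print(run_chap(CHALLENGER_USERS, "R2", RESPONDER_DEFAULT_SECRET))            # False: no entry for R2
    print(run_chap(CHALLENGER_USERS, RESPONDER_NAME, b"wrong"))                  # False: secret mismatch
```

Because the challenge is random per exchange, a captured response value cannot be replayed against a later challenge; the identifier and challenge must both match for the hash to verify.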

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.




4 Responses to “How does the “ppp chap password” command work?”

  1. markos says:

    I have just tried it and have some problems. I disabled all users (no username commands) and set only passwords on both sides of the PPP connection (i.e. interface serial 0/0; encapsulation ppp; ppp authentication chap; ppp chap password cisco;). Unfortunately I get no connection. Could you tell me how I can repair it? Thank you!

  2. george says:

    “If there is no matching username in the database, the password specified with the interface level command ‘ppp chap password’ is used as the default password.”

    THIS IS WRONG!!!
    If it can’t find a username, authentication will fail. I have double checked it. That’s not the way that ppp chap password works.

  3. The command is only for the CHAP response, not the request. Here’s an example of a working config with it:

    R1:
    hostname R1
    !
    interface Serial0/1
    ip address 10.0.0.1 255.255.255.0
    encapsulation ppp
    ppp chap password CISCO

    R3:
    username R1 password CISCO
    !
    interface Serial1/2
    ip address 10.0.0.3 255.255.255.0
    clock rate 64000
    encapsulation ppp
    ppp authentication chap

  4. Shiferd says:

    The drift is that Brian is talking about unidirectional CHAP authentication, while Markos and George are talking about bidirectional CHAP authentication.
