Unlike PAP, CHAP does not actually send a password over the line. Instead, a hash value computed from the password and a magic number is sent. Authentication succeeds only if the hash values computed by both authenticating parties match.

By default, the router sends its hostname for authentication when using CHAP. The router on the other side does a lookup in its local database, RADIUS server, or TACACS server, and finds the password that is paired with that username. If there is no matching username in the database, the password specified with the interface-level command 'ppp chap password' is used as the default password.

Suppose you have a central office that has many remote clients dialing into it. If you don't want to create an entry in the user database for each remote client, you can just specify a default password with 'ppp chap password'. As long as the remote clients have an entry for the central site in their user database, authentication will be successful.
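The following Python sketch is an added example, not code from the original post or from Cisco. It models the central-office scenario above using the RFC 1994 MD5 response calculation, where the hashed value is the identifier octet, the shared secret, and the challenge sent by the authenticating side. The `Router` class, the hostnames, and the secrets are constructed for illustration, and the model assumes the remote client is the side issuing the challenge.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994, MD5 variant: hash over the identifier octet, the shared
    # secret and the challenge value. The secret itself is never sent.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Router:  # hypothetical model of one PPP endpoint
    def __init__(self, hostname, users=None, default_password=None):
        self.hostname = hostname
        self.users = users or {}                  # local username/password database
        self.default_password = default_password  # models 'ppp chap password'

    def respond(self, challenger_name, identifier, challenge):
        # Look up the challenger's name; fall back to the default password
        # when there is no matching username in the database.
        secret = self.users.get(challenger_name, self.default_password)
        if secret is None:
            return None
        return self.hostname, chap_response(identifier, secret, challenge)

    def verify(self, peer_name, identifier, challenge, digest):
        # The challenging side needs a database entry for the name it was sent.
        secret = self.users.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, digest)

def authenticate(challenger, responder):
    identifier, challenge = os.urandom(1)[0], os.urandom(16)
    reply = responder.respond(challenger.hostname, identifier, challenge)
    if reply is None:
        return False
    name, digest = reply
    return challenger.verify(name, identifier, challenge, digest)

# Constructed sample: the central site has no per-client entries, only a default.
central = Router("CENTRAL", default_password=b"constructed-secret")
remote = Router("REMOTE1", users={"CENTRAL": b"constructed-secret"})
mismatch = Router("REMOTE2", users={"CENTRAL": b"other-secret"})

if __name__ == "__main__":
    print(authenticate(remote, central))    # hashes match on both sides
    print(authenticate(mismatch, central))  # secrets differ, hashes do not match
```

Because every remote client shares the one default password, anyone who learns it can answer a challenge as the central site, so it should be treated as a site-wide secret.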

Brian McGahan, CCIE #8593, CCDE #2013::13