Unlike PAP, CHAP does not actually send a password over the line. Instead, a hash value computed from the password and a magic number is sent. Authentication succeeds only if the hash values computed by both authenticating parties match.
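The exchange described above, as an added example that is not part of the original post: RFC 1994 defines the CHAP response as MD5 over the one-byte identifier, the shared password and the random challenge value the authenticator sends. The class names, the hostname R1 and the password CISCO are sample values chosen for this sketch.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 response value: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    # Side that sends the challenge and checks the response (hypothetical model)
    def __init__(self, user_db):
        self.user_db = user_db   # peer name -> shared password
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident]

    def verify(self, ident, name, response):
        value = self.pending.pop(ident, None)   # each challenge is usable once
        secret = self.user_db.get(name)         # no entry for the name -> fail
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)

class Peer:
    # Side that answers the challenge with its name and the hash
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, ident, value):
        return self.name, chap_response(ident, self.secret, value)

def run_exchange(auth, peer):
    # Returns the verdict plus every byte that crossed the link
    ident, value = auth.challenge()
    name, response = peer.respond(ident, value)
    wire = bytes([ident]) + value + name.encode() + response
    return auth.verify(ident, name, response), wire

if __name__ == "__main__":
    auth = Authenticator({"R1": b"CISCO"})      # constructed sample database
    print(run_exchange(auth, Peer("R1", b"CISCO"))[0])
    print(run_exchange(auth, Peer("R1", b"cisco"))[0])
```

Because the challenge is random and consumed on first use, a captured response cannot be replayed against a later challenge.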
About Brian McGahan, CCIE #8593:
Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 8 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.
4 Responses to “How does the “ppp chap password” command work?”


I have just tried it and have some problems. I disabled all users (no username commands) and set only passwords on both sides of the PPP connection (i.e. interface serial 0/0; encapsulation ppp; ppp authentication chap; ppp chap password cisco;). Unfortunately, I get no connection. Could you tell me how I can repair it? Thank you!
“If there is no matching username in the database, the password specified with the interface level command ‘ppp chap password’ is used as the default password.”
THIS IS WRONG!!!
If it can’t find a username, authentication will fail. I have double checked it. That’s not the way that ppp chap password works.
The command is only for the CHAP response, not the request. Here’s an example of a working config with it:
R1:
hostname R1
!
interface Serial0/1
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 ppp chap password CISCO

R3:
username R1 password CISCO
!
interface Serial1/2
 ip address 10.0.0.3 255.255.255.0
 clock rate 64000
 encapsulation ppp
 ppp authentication chap
The drift is that Brian is talking about unidirectional CHAP authentication, while Markos and George are talking about bidirectional CHAP authentication.