Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

PPP Challenge Handshake Authentication Protocol

PPP Challenge Handshake Authentication Protocol

For interfaces with PPP encapsulation, you can configure interfaces to support the PPP Challenge Handshake Authentication Protocol (CHAP), as defined in RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP). When you enable CHAP on an interface, the interface can authenticate its peer and can be authenticated by its peer. By default, PPP CHAP is disabled. If CHAP is not explicitly enabled, the interface makes no CHAP challenges and denies all incoming CHAP challenges. To enable CHAP, you must create an access profile, and you must configure the interfaces to use CHAP.

CHAP allows each end of a PPP link to authenticate its peer, as defined in RFC 1994. The authenticator sends its peer a randomly-generated challenge that the peer must encrypt using a one-way hash; the peer must then respond with that encrypted result. The key to the hash is a secret known only to the authenticator and authenticated. When the response is received, the authenticator compares its calculated result with the peer’s response. If they match, the peer is authenticated.

Each end of the link identifies itself to its peer by including its name in the CHAP challenge and response packets it sends to the peer. This name defaults to the local hostname, or you can explicitly set it using the local-name option. When a host receives a CHAP challenge or CHAP response packet on a particular interface, it uses the peer identity to look up the CHAP secret key to use.

Configuring the PPP Challenge Handshake Authentication Protocol

To enable CHAP, you must create an access profile, and you must configure the interfaces to use PAP.

Definitions:

  • profile is the mapping between peer identifiers and CHAP secret keys. The identity of the peer contained in the CHAP challenge or response queries the profile for the secret key to use.

  • client is the peer identity.

  • chap-secret is the secret key associated with that peer.

  1. To create an access profile, include the profile statement at the [edit access] hierarchy level:

  2. To identify the peer and the secret key associated with that peer, include the client statement at the [edit access profile profile-name] hierarchy level:

You can configure multiple CHAP profiles, and configure multiple clients for each profile. For more information on how to configure access profile, see Configuring Access Profiles for L2TP or PPP Parameters.

When you configure an interface to use CHAP, you must assign an access profile to the interface. When an interface receives CHAP challenges and responses, the access profile in the packet is used to look up the shared secret, as defined in RFC 1994. If no matching access profile is found for the CHAP challenge that was received by the interface, the optionally configured default CHAP secret is used. The default CHAP secret is useful if the CHAP name of the peer is unknown, or if the CHAP name changes during PPP link negotiation.

To configure the PPP CHAP, on each physical interface with PPP encapsulation, perform the following steps.

  1. To assign an access profile to an interface, include the access-profile statement at the [edit interfaces interface-name ppp-options chap] hierarchy level.
    Note:

    You must include the access-profile statement when you configure the CHAP authentication method. If an interface receives a CHAP challenge or response from a peer that is not in the applied access profile, the link is immediately dropped unless a default CHAP secret has been configured.

  2. The default CHAP secret is used when no matching CHAP access profile exists, or if the CHAP name changes during PPP link negotiation. To configure a default CHAP secret for an interface, include the default-chap-secret statement at the [edit interfaces interface-name ppp-options chap] hierarchy level.
  3. To configure the name the interface uses in CHAP challenge and response packets, include the local-name statement at the [edit interfaces interface-name ppp-options chap] hierarchy level:
    Note:
    • The local name is any string from 1 through 32 characters in length, starting with an alphanumeric or underscore character, and including only the following characters:

    • By default, when CHAP is enabled on an interface, the interface uses the router’s system hostname as the name sent in CHAP challenge and response packets.

  4. You can configure the interface not to challenge its peer, and only respond when challenged. To configure the interface not to challenge its peer, include the passive statement at the [edit interfaces interface-name ppp-options chap] hierarchy level:
    Note:

    By default, when CHAP is enabled on an interface, the interface always challenges its peer and responds to challenges from its peer.

Displaying the Configured PPP Challenge Handshake Authentication Protocol

Purpose

To display the configured PPP CHAP at the [edit access] and [edit interfaces] hierarchy levels.

  • Access profile—pe-A-ppp-clients

  • default CHAP secret data—"$ABC123"

  • hostname for the CHAP challenge and response packets—"pe-A-so-1/1/1"

  • Interface—so-1/1/2

Action

  • Run the show command at the [edit access] hierarchy level.

  • Run the show command at the [edit interfaces s0-1/1/2] hierarchy level.

Meaning

The configured CHAP and its associated set options are displayed as expected.

Example: Configuring PPP CHAP

Configuration

CLI Quick Configuration