The remote node responds with a value that is calculated using
a one-way hash function, typically message digest algorithm 5 (MD5), based on the
password and challenge message. The local router checks the response against its own
calculation of the expected hash value. If the values match, the authentication is
acknowledged. Otherwise, the connection is terminated immediately. Figure 8-19 provides
an example of CHAP authentication.
[Figure: PAP two-way handshake. Remote router (Santa Cruz; host name santacruz, password boardwalk) and central-site router (HQ; username santacruz, password boardwalk); messages shown: "santacruz, boardwalk" and "Accept or Reject".]
320 Chapter 8: Extending the Network into the WAN
Figure 8-19 CHAP Authentication
CHAP provides protection against playback attacks by using a variable challenge value that is
unique and unpredictable. Because the challenge is unique and random, the resulting hash
value will also be unique and random. The use of repeated challenges is intended to limit
exposure to any single attack. The local router or a third-party authentication server is in
control of the frequency and timing of the challenges.
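The challenge/response check described above, as an added example that is not from the book. It assumes the MD5 input layout defined in RFC 1994 (identifier octet, then the shared secret, then the challenge), uses the sample password from the figure, and its function names are hypothetical.

```python
import hashlib
import hmac
import os


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: generate a fresh, unpredictable challenge value."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over identifier octet || secret || challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected hash, compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"boardwalk"  # sample password from the figure; never sent on the link

    # First challenge: the remote node answers with the hash, not the password.
    id1, challenge1 = 1, new_challenge()
    response1 = chap_response(id1, secret, challenge1)

    # A repeated challenge later in the session uses a new identifier and value.
    id2, challenge2 = 2, new_challenge()

    return {
        # Correct secret and current challenge: authentication is acknowledged.
        "valid": verify(id1, secret, challenge1, response1),
        # Wrong password gives a different hash: connection is terminated.
        "wrong_password": verify(
            id1, secret, challenge1, chap_response(id1, b"wrongpass", challenge1)
        ),
        # A captured response played back against a new challenge does not match.
        "replayed": verify(id2, secret, challenge2, response1),
    }


if __name__ == "__main__":
    print(demo())
```
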
Configuring and Verifying PPP
To enable PPP encapsulation with PAP or CHAP authentication on an interface, complete
the following checklist:
- Enable PPP encapsulation as the Layer 2 protocol of an interface.