How to configure CHAP {Challenge-Handshake Authentication Protocol} on Cisco routers


This article explains how to configure CHAP {Challenge-Handshake Authentication Protocol} on Cisco routers. In the previous article, we learned about PAP configuration on Cisco routers. Routers support two point-to-point authentication protocols: PAP and CHAP. CHAP is more secure than PAP because CHAP does not send the password across the link in plain text, whereas PAP sends the username and password in plain text. So we generally use CHAP rather than PAP to improve the security of the router.

In this article, we also learn what CHAP is and why we configure it on routers. CHAP is an authentication protocol used by Point-to-Point Protocol (PPP) servers to validate the identity of a remote client. CHAP uses a three-way handshake to verify the client's identity, and it sends new challenges at intervals to make sure that the client has not been replaced by an intruder. CHAP is generally configured on routers because it provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value.

CHAP is more secure because, although it requires that both the client and the server know the plaintext of the secret, the secret itself is never sent over the network. So we configure CHAP on routers because it provides better security than PAP.
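The three-way handshake and the replay protection described above can be traced in a short simulation. This is an added example, not part of the original article or of any Cisco code; it assumes the MD5 form of CHAP from RFC 1994 and borrows the lab's names (R1, R2) and password (rahul), and the class and function names are made up for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier octet || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The side that issues challenges (R1 authenticating R2 in the lab)."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self) -> tuple:
        # Message 1 (Challenge): new Identifier and fresh random value each time.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Message 3 (Success/Failure): recompute the hash locally and compare.
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        return hmac.compare_digest(expected, response)

def run_demo() -> dict:
    r1 = Authenticator({"R2": b"rahul"})   # R1: username R2 password rahul
    ident, chal = r1.new_challenge()
    # Message 2 (Response): R2 sends its name and the hash, never the secret.
    resp = chap_response(ident, b"rahul", chal)
    first = r1.verify(ident, "R2", resp)
    # Periodic re-challenge: a captured old response no longer matches.
    ident2, chal2 = r1.new_challenge()
    replay = r1.verify(ident2, "R2", resp)
    wrong = r1.verify(ident2, "R2", chap_response(ident2, b"Rahul", chal2))
    good = r1.verify(ident2, "R2", chap_response(ident2, b"rahul", chal2))
    return {"first": first, "replay": replay, "wrong_secret": wrong, "rechallenge": good}

if __name__ == "__main__":
    print(run_demo())
```

The replayed response fails because both the identifier and the challenge value changed, and the wrong-case password fails because the secret is compared byte for byte through the hash.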

To make the CHAP configuration easy to follow, we build a lab in Cisco Packet Tracer. In this lab, we use two routers that have serial ports.

[Figure: CHAP configuration on routers]

To configure CHAP on a router, first of all we assign IP addresses to all the interfaces of the routers, and then we configure CHAP on the routers. After that, we use the ping command on the routers to verify the configuration and the routing.

First of all, assign an IP address to each port of the routers using the commands given below.

For router R1

--- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R1

R1(config)#interface Serial0/0/0

R1(config-if)#ip address 192.168.0.1 255.255.255.0

R1(config-if)#clock rate 64000

R1(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down

R1(config-if)#exit

 

For router R2

--- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R2

R2(config)#interface Serial0/0/0

R2(config-if)#ip address 192.168.0.2 255.255.255.0

R2(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up

R2(config-if)#exit

The IP addresses are now assigned to all the interfaces of the routers. Next we configure PPP encapsulation on the routers so that we can configure CHAP on them.

 

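Now, to configure CHAP on the routers, we use the commands given below. On each router the username is the hostname of the other router, and the password (rahul in this lab) is the same on both.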

For router R1

R1(config)#username R2 password rahul

R1(config)#interface serial0/0/0

R1(config-if)#encapsulation ppp

R1(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down

R1(config-if)#ppp authentication chap

R1(config-if)#exit

 

For router R2

R2(config)#username R1 password rahul

R2(config)#interface Serial0/0/0

R2(config-if)#encapsulation ppp

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up

R2(config-if)#ppp authentication chap

R2(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up

R2(config-if)#exit
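The two configurations above only authenticate each other if each username matches the peer's hostname and both passwords are identical. The following check is an added example, not part of the original article: it runs over constructed running-config excerpts assembled from the commands shown above, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpts built from the commands shown above.
R1_CFG = """hostname R1
username R2 password rahul
interface Serial0/0/0
 ip address 192.168.0.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
"""
R2_CFG = (R1_CFG.replace("hostname R1", "hostname R2")
          .replace("username R2", "username R1")
          .replace("192.168.0.1", "192.168.0.2"))

def parse(cfg: str) -> dict:
    """Pull out the hostname, local username database and per-interface lines."""
    host = re.search(r"^hostname (\S+)", cfg, re.M).group(1)
    users = dict(re.findall(r"^username (\S+) password (?:0 )?(\S+)", cfg, re.M))
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None
    return {"host": host, "users": users, "ifaces": ifaces}

def check_chap_pair(cfg_a: str, cfg_b: str, iface: str = "Serial0/0/0") -> list:
    """Return a list of problems that would stop two-way CHAP from succeeding."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for local, peer in ((a, b), (b, a)):
        lines = local["ifaces"].get(iface, [])
        if "encapsulation ppp" not in lines:
            problems.append(f"{local['host']}: {iface} is not using PPP")
        if "ppp authentication chap" not in lines:
            problems.append(f"{local['host']}: CHAP not required on {iface}")
        # The username must equal the peer's hostname (case-sensitive).
        if peer["host"] not in local["users"]:
            problems.append(f"{local['host']}: no username entry for {peer['host']}")
    pw_a, pw_b = a["users"].get(b["host"]), b["users"].get(a["host"])
    if pw_a and pw_b and pw_a != pw_b:
        problems.append("shared password differs between the two routers")
    return problems
```

An empty list means both sides require CHAP and hold matching credentials; the check only understands plain-text `password` entries as used in this lab.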

 

Now, to check whether the routers can communicate with each other, we use the ping command on both routers.

For router R1

R1#ping 192.168.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/10 ms

 

For router R2

R2#ping 192.168.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/11/51 ms

 

Now, to check your CHAP configuration, use the troubleshooting command below and verify your configuration on both routers.

For router R1

R1#show interface Serial0/0/0

Serial0/0/0 is up, line protocol is up (connected)

Hardware is HD64570

Internet address is 192.168.0.1/24

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set, keepalive set (10 sec)

LCP Open

Open: IPCP, CDPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0 (size/max/drops); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 1158 kilobits/sec

5 minute input rate 5 bits/sec, 0 packets/sec

5 minute output rate 5 bits/sec, 0 packets/sec

10 packets input, 1280 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

10 packets output, 1280 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=up DSR=up DTR=up RTS=up CTS=up

 

For router R2

R2#show interface Serial0/0/0

Serial0/0/0 is up, line protocol is up (connected)

Hardware is HD64570

Internet address is 192.168.0.2/24

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set, keepalive set (10 sec)

LCP Open

Open: IPCP, CDPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0 (size/max/drops); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 1158 kilobits/sec

5 minute input rate 5 bits/sec, 0 packets/sec

5 minute output rate 5 bits/sec, 0 packets/sec

5 packets input, 640 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

5 packets output, 640 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=up DSR=up DTR=up RTS=up CTS=up

THAT’S IT

This is the whole process of how to configure CHAP on a Cisco router. If you have any queries about it, ask them in the comment section, and do give us your feedback, because your feedback is valuable to us.
