PPP with Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) is often used to inform the central site about the remote devices that are connected to the site.
With this authentication information, if a device or an access server receives a packet for a destination to which the router or the access server is already connected, an additional call is not placed. However, if the router or access server is using rotaries, the device or access server sends the packet out on the correct port.
CHAP and PAP were originally specified in RFC 1334, and CHAP is updated in RFC 1994. These protocols are supported on synchronous and asynchronous serial interfaces. When using CHAP or PAP authentication, each device or access server identifies itself using a name. This identification process prevents a device from placing another call to a device to which it is already connected and also prevents unauthorized access.
Access control using CHAP or PAP is available on all serial interfaces that use PPP encapsulation. The authentication feature reduces the risk of security violations on your device or access server. You can configure either CHAP or PAP on a serial interface.
To enable CHAP or PAP authentication on a device, the device must be running PPP encapsulation.
When CHAP is enabled on an interface and a remote device attempts to connect to it, the local device or access server sends a CHAP packet to the remote device. The CHAP packet requests or “challenges” the remote device to respond. The challenge packet consists of an ID, a random number, and the host name of the local device.
The required response consists of the following two parts:
- An encrypted version of the ID, a secret password, and a random number
- Either the hostname of the remote device or the name of the user on the remote device
When the local device or access server receives the response, it verifies the secret password by performing the same encryption operation as indicated in the response and by looking up the required hostname or username. The secret passwords must be identical on the remote device and the local device.
Because only this response is sent, the password itself never crosses the link in clear text, which prevents other devices from capturing it and gaining unauthorized access to the system. Without a proper response, the remote device cannot connect to the local device.
CHAP transactions occur only when a link is established. The local device or access server does not request a password during the rest of the call. (The local device can, however, respond to such requests from other devices during a call.)
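The challenge and response exchange described above, as an added example that is not Cisco code: the local device builds the challenge (ID, random value, its host name), the remote device answers with the RFC 1994 response value (an MD5 hash over ID, shared secret and challenge value, which the text calls the "encrypted version") plus its name, and the local device looks up the secret by that name and recomputes the hash. The peer names and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample data: the local device (Router-A) knows one remote peer by name.
# Both sides must hold the identical secret for the check to succeed.
SECRETS = {"Router-B": b"s3cr3t-shared"}


def build_challenge(local_name, identifier, value=None):
    """Challenge packet sent by the local device: ID, random number, own host name."""
    if value is None:
        value = os.urandom(16)  # fresh random value per challenge
    return {"id": identifier, "value": value, "name": local_name}


def chap_hash(identifier, secret, challenge_value):
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value).
    One-way hash, so the secret itself is never placed on the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge_value).digest()


def build_response(challenge, remote_name, secret):
    """Response packet from the remote device: the hash plus its host name (or username)."""
    value = chap_hash(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": remote_name}


def verify_response(challenge, response, secrets):
    """Local device: reject stale/mismatched IDs, look up the secret by name, recompute."""
    if response["id"] != challenge["id"]:
        return False  # answer to some other challenge, e.g. a replayed response
    secret = secrets.get(response["name"])
    if secret is None:
        return False  # unknown peer name, nothing to check against
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])  # constant-time compare


def run_exchange(remote_name, remote_secret, identifier=1):
    """Full link-establishment exchange; returns True only if the peer is accepted."""
    challenge = build_challenge("Router-A", identifier)
    response = build_response(challenge, remote_name, remote_secret)
    return verify_response(challenge, response, SECRETS)


if __name__ == "__main__":
    print("matching secret accepted:", run_exchange("Router-B", b"s3cr3t-shared"))
    print("wrong secret accepted:   ", run_exchange("Router-B", b"wrong"))
```

A response captured from one challenge fails against any later challenge, because the random value and ID differ, which is why the password cannot be recovered or replayed from the wire.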
When PAP is enabled, the remote router attempting to connect to the local device or access server is required to send an authentication request. If the username and password specified in the authentication request are accepted, Cisco software sends an authentication acknowledgment.
After you have enabled CHAP or PAP, the local router or access server requires authentication from remote devices. If the remote device does not support the enabled protocol, no traffic is passed to that device.