The procedure to configure CHAP is fairly straightforward. For example, assume that you have two routers, left and right, connected across a network, as shown in figure 1.
To configure CHAP authentication, complete these steps:
1. On the interface, issue the encapsulation ppp command.
2. Enable the use of CHAP authentication on both routers with the ppp authentication chap command.
3. Configure the usernames and passwords. To do so, issue the username username password password command, where username is the hostname of the peer. Ensure that:
o Passwords are identical at both ends.
o The router name and password are exactly the same, because they are case-sensitive.
Note: By default, the router uses its hostname to identify itself to the peer. However, this CHAP username can be changed through the ppp chap hostname command. Refer to PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands for more information.
CHAP is defined as a one-way authentication method. However, you use CHAP in both directions to create a two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side.
In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication.
One-way authentication is often required when you connect to non-Cisco devices.
For one-way authentication, configure the ppp authentication chap callin command on the calling router
one-way PAP authentication
R1 (config) # int s1 / 0
r1 (config-if) # encapsulation ppp
r1 (config-if) # ppp authentication pap / realize PPP using PAP authentication
R2 (config) # int s1 / 0
R2 (config-if) # encapsulation ppp
r2 (config-if) # ppp pap sent-username r2 password 123 / Send authentication information
II: two-way PAP authentication
R1 (config) # int s1 / 0
R1 (config-if) # encapsulation ppp
R1 (config-if) # ppp authentication pap
r1 (config-if) # ppp pap sent-username r1 password 321 / attention at this time to send the password
R2 (config) # username r1 password 321
R2 (config) # int s1 / 0
R2 (config-if) # encapsulation ppp
R2 (config-if) # ppp authentication pap
r2 (config-if) # ppp pap sent-username r2 password 123 / attention at this time to send the password
III: to configure a one-way CHAP authentication.
R1 (config) # username r2 password 123
R1 (config) # int s1 / 0
R1 (config-if) # encapsulation ppp
R1 (config-if) # ppp authentication chap
R2 (config) # int s1 / 0
R2 (config-if) # encapsulation ppp
R2 (config-if) # ppp chap hostname r2
R2 (config-if) # ppp chap password 123
IV: two-way configuration CHAP authentication.
R1 (config) # int s1 / 0
R1 (config-if) # encapsulation ppp
R1 (config-if) # ppp authentication chap
R2 (config-if) # username r1 password 123
R2 (config) # int s1 / 0
R2 (config-if) # encapsulation ppp
R2 (config-if) # ppp authentication chap
Configure AUTHENTICATION
conf t
Address the interfaces.
Router A:
interface FastEthernet 0/0
ip address 10.1.1.1 255.255.255.0
interface serial 0/0
ip address 192.168.0.1 255.255.255.252
Router B:
interface FastEthernet 0/0
ip address 10.1.1.2 255.255.255.0
interface serial 0/0
ip address 192.168.0.2 255.255.255.252
Configure RIP (same on both routers):
router rip
network 10.0.0.0
network 192.168.0.0
version 2
Then, create keychains in both routers.
Router A:
key chain rtrA
key 1
key-string 123
exit
key 2
key-string abc
Router B:
key chain rtrB
key 1
key-string 123
exit
key 2
key-string abc
Now, configure authentication.
Router A:
interface serial 0/0
ip rip authentication mode md5
ip rip authentication key-chain rtrA
Router B:
interface serial 0/0
ip rip authentication mode md5
ip rip authentication key-chain rtrB
Now the routers should be verifying the MD5 hash of RIP routing update packets, dropping any that do not pass the verification.
For compatibility, the “ip rip authentication mode md5″ can be omitted, which will cause authentication to occur with plain text.