Cisco Certification: Configuring CHAP on ISDN
by: Chris Bryant, CCIE #12933
Introduction To ISDN, Part IV: Configuring PPP CHAP Authentication
In part III of this ISDN tutorial, we learned that PPP has two main methods
of authentication that Cisco certification candidates need to know how to
configure: PAP and CHAP.
PAP has very few advantages over CHAP. PAP passwords are carried over the
line in clear text, which in today’s world is a very bad idea. PAP
configuration also requires additional configuration with the “ppp pap
sent-username” command, so anyone who can see your running configuration can
also see the PAP password.
The only advantage PAP has over CHAP is a slim one. With PAP, a different
password can be used by the each of the routers involved in the authentication.
CHAP requires that the password be the same. Why? We’ll see as we examine
The First Step to Configuring CHAP
CHAP requires you to configure a username / password combination for any
remote device that will be involved in authentication. (We’re assuming that
the routers have already been configured with their names via the global
hostname command.) Both routers will use the password CISCO.
username R3 password CISCO
ppp authentication chap
username R1 password CISCO
ppp authentication chap
Why CHAP Authentication Requires The Same Password On Both Routers
Remember how PAP sends the password over the line in clear-text? CHAP does
not actually send the password over the line at all. Instead, CHAP runs a hash
algorithm using the password and a random number. It is the result of this hash
that is passed over the link. The remote router receives the hash result, and
runs the exact same algorithm. If the result is the same, the authentication
attempt will be successful. If the result is different, the authentication will
fail. For this reason, the passwords must be the same.
The random number is just that – random. It cannot be configured at the
Note that there is no “sent-password” command, as we had to use with
Debug The Connection If Authentication Fails
Since two passwords are involved, the chances of one of the passwords being
mistyped doubles. If you configure CHAP and the link dials but drops almost
immediately, there’s an authentication problem. Run debug ppp negotiation and
attempt to dial the line again. The output of this particular debug will show
you where the problem is.
Here, we’ll run debug ppp negotiation to see what a successful CHAP
authentication looks like:
Examining the CHAP authentication process with “debug ppp negotiation”.
R3#debug ppp negotiation
PPP protocol negotiation debugging is on
BR0:1 PPP: Phase is AUTHENTICATING, by both
BR0:1 CHAP: O CHALLENGE id 1 len 23 from "R3"
BR0:1 CHAP: I CHALLENGE id 1 len 23 from "R1"
BR0:1 CHAP: O RESPONSE id 1 len 23 from "R3"
BR0:1 CHAP: I SUCCESS id 1 len 4
BR0:1 CHAP: I RESPONSE id 1 len 23 from "R1"
BR0:1 CHAP: O SUCCESS id 1 len 4
The output of debug ppp negotiation with CHAP is different that the output
of the same command when PAP is run. Remember that CHAP stands for Challenge
Handshake Authentication Protocol, and by running this vital debug, you can see
the challenges being made, responded to, and the success or failure of the
Another important ISDN command, show dialer, tells us that the ISDN link is
up, what the source and destination packet was that brought it up
(“interesting traffic”), the time until disconnect, and what phone number
it’s connected to.
It’s important to remember that while by default, any traffic can cross
the link once it’s up, only interesting traffic resets the idle-timer.
In the next section of my ISDN tutorial, we’ll look at some common ISDN
configuration problems, how to debug them, and how to solve them.
To your success,
About The Author
Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage. The
Bryant Advantage's website offers FREE ebooks and tutorials for the CCNA
and CCNP exams, FREE subscriptions to "Cisco Certification
Central", and sells the best CCNA and CCNP prep courses and books
on the market today. Visit his site at www.thebryantadvantage.com