CHAP is used at the startup of a link and periodically verifies the identity of the remote node using a three-way handshake. CHAP is performed upon initial link establishment and is repeated for as long as the link stays up.

After the PPP link establishment phase is complete, the local router sends a "challenge" message to the remote node.

The remote node responds with a value calculated using a one-way hash function, which is typically Message Digest 5 (MD5). This response is computed from the shared password (secret) and the challenge message; the password itself is never sent over the link.

The local router checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is immediately terminated.

CHAP provides protection against replay (playback) attacks through the use of a variable challenge value that is unique and unpredictable. Since the challenge is unique and random, the resulting hash value will also be unique and random, so a response captured from one handshake is useless against any later challenge. The use of repeated challenges is intended to limit the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
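The handshake and the replay protection described above, as an added example that is not part of the original page or of any Cisco IOS code: a minimal authenticator (local router) and peer in Python. It assumes the RFC 1994 response computation, MD5 over the identifier, the shared secret and the challenge, and a constructed shared secret `cisco123`.

```python
import hashlib
import hmac
import os

SECRET = b"cisco123"  # constructed shared secret, configured on both peers


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Local router side: issues challenges and verifies the peer's responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)  # unique, unpredictable challenge value
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        # Only the currently outstanding challenge may be answered, and only once.
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding[1])
        self.outstanding = None
        return hmac.compare_digest(expected, response)


def run_handshake(peer_secret: bytes = SECRET) -> bool:
    """Full three-way exchange: challenge -> response -> success/failure."""
    auth = Authenticator(SECRET)
    ident, chal = auth.challenge()
    return auth.verify(ident, chap_response(ident, peer_secret, chal))


def replay_rejected() -> bool:
    """A response captured from one handshake fails against a fresh challenge."""
    auth = Authenticator(SECRET)
    ident, chal = auth.challenge()
    captured = chap_response(ident, SECRET, chal)
    first_ok = auth.verify(ident, captured)
    ident2, _ = auth.challenge()  # periodic re-challenge with a new random value
    return first_ok and not auth.verify(ident2, captured)
```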
Lab Activity

e-Lab Activity: ppp chap hostname hostname

In this activity, the student will demonstrate how to use the ppp chap hostname hostname command to create a pool of dialup routers.