Cisco CISCO876-SEC-I-K9 Configuration Guide - Page 168
Appendix B Concepts
PPP Authentication Protocols

PPP originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities.

The current implementation of PPP supports two authentication protocols for authenticating a PPP session:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)

PPP with PAP or CHAP authentication is often used to inform the central site which remote routers are connected to it.

PAP

PAP uses a two-way handshake to verify the password between routers. To illustrate how PAP works, imagine a network topology in which a remote office Cisco router is connected to a corporate office Cisco router. After the PPP link is established, the remote office router repeatedly sends its configured username and password until the corporate office router accepts the authentication. PAP has the following characteristics:
• The password is sent across the link in clear text (not hashed or encrypted), so anyone who can observe the link can read it.
• PAP provides no protection against playback (replay) of a captured authentication request or against repeated trial-and-error (password guessing) attacks.
• The remote office router controls the frequency and timing of the authentication attempts.

CHAP

CHAP uses a three-way handshake to verify the password without ever sending it across the link. Using the same topology, after the PPP link is established the corporate office router sends a challenge message (a random challenge value together with an identifier) to the remote office router. The remote office router responds with a value computed by a one-way hash function (MD5, as specified in RFC 1994) over the identifier, its configured secret, and the challenge value. The corporate office router computes the same hash from its own copy of the secret and compares it with the response. If the values match, the corporate office router accepts the authentication. The authentication process can be repeated at any time after the link is established. CHAP has the following characteristics:
• The value sent across the link is a hash of a variable challenge value and the shared secret, not the password itself.
• CHAP protects against playback attack through the use of the variable challenge value, which is unique and unpredictable: a captured response is valid only for the challenge that produced it. Repeated challenges limit the time of exposure to any single attack.
• The corporate office router controls the frequency and timing of the authentication attempts.
• CHAP does not protect a weak secret. An attacker who captures a challenge and its response can test candidate secrets offline, so the shared secret should be long and random, and both routers must store it in a form they can use directly in the hash (not as a one-way hashed password).

Note We recommend using CHAP because it is the more secure of the two protocols.

Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide B-4 OL-5332-01
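The PAP and CHAP exchanges described above, simulated end to end as an added example (this is not code from the Cisco guide and does not model the IOS implementation). It runs the two-way PAP handshake and the three-way CHAP handshake between a constructed remote office router and corporate office router, records what crosses the link, and then tries to replay each captured authentication. The CHAP response is computed as RFC 1994 specifies, MD5 over the one-byte identifier, the shared secret, and the challenge value; the hostname "remote-office", the secret, the 16-byte challenge length and the class and function names are all assumptions made for the demonstration.

```python
"""Worked PAP vs. CHAP exchange over a simulated PPP link (added example).

The CHAP response follows RFC 1994: MD5(identifier || secret || challenge).
Hostnames, secrets and the challenge size are constructed for this demo and
are not taken from the Cisco guide.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed secret database on the corporate (authenticating) router:
# maps the peer's CHAP hostname / PAP username to its shared secret.
CORP_SECRETS = {"remote-office": b"s3cr3t-link-key"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5 over the 1-byte identifier, the shared
    secret and the challenge value. The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class CorpRouter:
    """Authenticator (corporate office). It decides when challenges are sent,
    so it controls the frequency and timing of CHAP authentication."""
    secrets: dict
    next_id: int = 0
    outstanding: dict = field(default_factory=dict)  # identifier -> challenge

    def issue_challenge(self) -> tuple[int, bytes]:
        ident = self.next_id & 0xFF
        self.next_id += 1
        challenge = os.urandom(16)  # unique and unpredictable per challenge
        self.outstanding[ident] = challenge
        return ident, challenge

    def verify_chap(self, ident: int, name: str, response: bytes) -> bool:
        # Each challenge is usable once, so a replayed response cannot match.
        challenge = self.outstanding.pop(ident, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)

    def verify_pap(self, name: str, password: bytes) -> bool:
        """PAP Authenticate-Request carries name and password in clear text;
        nothing binds it to this link or moment, so a captured request replays."""
        return name in self.secrets and hmac.compare_digest(self.secrets[name], password)


@dataclass
class RemoteRouter:
    """Peer being authenticated (remote office)."""
    name: str
    secret: bytes

    def answer(self, ident: int, challenge: bytes) -> tuple[int, str, bytes]:
        return ident, self.name, chap_response(ident, self.secret, challenge)


def demo() -> dict:
    corp = CorpRouter(secrets=dict(CORP_SECRETS))
    remote = RemoteRouter("remote-office", CORP_SECRETS["remote-office"])
    results = {}

    # PAP, two-way handshake: Authenticate-Request, then Ack/Nak from corp.
    name, password = remote.name, remote.secret          # clear text on the wire
    pap_bytes = name.encode() + password                 # what a sniffer sees
    results["pap_ok"] = corp.verify_pap(name, password)
    results["pap_replay_ok"] = corp.verify_pap(name, password)  # captured request reused
    results["pap_secret_on_wire"] = remote.secret in pap_bytes

    # CHAP, three-way handshake driven by the corporate router.
    ident, challenge = corp.issue_challenge()                   # 1. Challenge
    ident, name, response = remote.answer(ident, challenge)     # 2. Response
    chap_bytes = bytes([ident]) + challenge + name.encode() + response
    results["chap_ok"] = corp.verify_chap(ident, name, response)        # 3. Success
    results["chap_replay_ok"] = corp.verify_chap(ident, name, response)  # replay fails
    results["chap_secret_on_wire"] = remote.secret in chap_bytes

    # Re-authentication after the link is up: fresh challenge, different response.
    ident2, challenge2 = corp.issue_challenge()
    _, _, response2 = remote.answer(ident2, challenge2)
    results["chap_reauth_ok"] = corp.verify_chap(ident2, name, response2)
    results["responses_differ"] = response != response2

    # A peer with the wrong secret fails CHAP without learning the real one.
    impostor = RemoteRouter("remote-office", b"guess")
    results["impostor_ok"] = corp.verify_chap(*impostor.answer(*corp.issue_challenge()))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The three CHAP rejections (replay, impostor) come from two properties the text names: the challenge is random and consumed once, and the secret only ever appears inside the hash. PAP has neither, which is why the captured request verifies a second time and the secret is visible in the bytes on the link.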