When a device receives an inbound PPP connection request, it will challenge the initiating device with either a
ppp authentication chap or a
ppp authentication chap callin The difference is that when the
callin keyword is used, the initiating router doesn’t challenge the router it is connecting to. In other words, the
callin keyword asks the router being connected to to authenticate itself.
Cisco actually has an excellent explanation:
When two devices normally use CHAP authentication, each side sends out a challenge to which the other side responds and is authenticated by the challenger. Each sides authenticates one another independently. If you want to operate with non-Cisco routers that do not support authentication by the calling router or device, you must use the ppp authentication chap callin command. When using the ppp authentication command with the callin keyword, the Access Server will only authenticate the remote device if the remote device initiated the call (for example, if the remote device “called in”). In this case, authentication is specified on incoming (received) calls only.
This was taken from this Cisco documentation.
I hope this has been helpful!