Introduction to PPP on Cisco IOS Router

Hello G,

In short, no – it's not a hash. The challenge contains a pseudo-randomly generated number. Cisco routers randomly generate a 128-bit number, so it may be misleading because an MD5 hash also has 128 bits, but this value in the challenge frame is just a random number.

This is correct: when you configure "ppp authentication chap" on an interface, the router starts to send challenge frames out of this interface every 2 seconds. Each challenge frame has an increased sequence number and a newly generated random number (a 128-bit random number in the case of Cisco). The command "ppp authentication chap" tells the router to authenticate the other end of the link with CHAP.
On the other hand, with PAP and the command "ppp authentication pap" we are telling the router to authenticate the device on the other end of the line with PAP, thus we are requiring PAP from it. In the case of PAP, the device that wants to be authenticated has to generate a PPP PAP frame and include its credentials in it.

You should edit your pencil notes in the book for CHAP:

  • (1) Challenge! Contains [code = 0x01; sequence ID; random#; challenger name]
  • (2) Response! Contains [code = 0x02; sequence ID; hash; responder name], hash value here is based on [sequence ID; password; random# from Challenge!], the order matters here.
  • (3) Success or Failure! Contains [code; sequence ID]. Code for Success is 0x03, for Failure 0x04, sequence ID is copied from response frame.

The whole 3-way CHAP handshake has the same sequence ID in all 3 frames.
You should erase the "undoes hash" pencil note. The whole hashing mechanism is based on the fact that hashing is NOT a reversible process. Once we are able to reverse the hashing process, the hashing algorithm is no longer considered secure. MD5 has not been considered secure since 2012.
What the router that receives the CHAP response does is generate its own MD5 hash based on data from the received response [sequence ID; password for the responder name in the local database; random# generated for this sequence ID], then compare the generated MD5 hash with the hash received in the CHAP Response: if it is the same = Success, if it is different = Failure.

It may be confusing to understand it just from text, so for a better picture there is a small lab.
Let's say we want Router1 to authenticate Router2 using CHAP and Router2 wants to authenticate Router1 using PAP.

We start with CHAP. Router1 requires CHAP authentication from Router2.

Router1(config)# interface s1/0
Router1(config-if)# ppp authentication chap

CHAP verifies the identity of the peer using a three-way handshake (meaning there are 3 frames between the peers in total for authentication). Right after PPP LCP is Open and CHAP+MD5 is negotiated for authentication between the endpoint devices, the following 3 messages happen:

Challenge (message 1, generated by Router1)
The device that requires authentication on the interface generates a challenge message and sends it to the peer.
This challenge message is generated every 2 seconds and contains:

  • 01: challenge frame type identifier code. Challenge always has code 1.
  • ID: sequentially increasing number that identifies the challenge.
  • random: 16-byte pseudo-random number generated by the challenger (the CHAP-requiring device).
  • device name = name of the challenger (the CHAP-requiring device, in our case Router1).

Response (message 2, generated by Router2)
The device that receives the challenge is the device that has to authenticate. First it has to figure out what password to use for authentication.
It can identify the required password in two ways.

  • Use specific, manually configured password (by using ppp chap password).
  • Username lookup. If a specific username and password that have to be sent are not configured, then the device is going to look for the "device name" (value received in the challenge frame, in our case "Router1") in its local username database and use the password that is associated with that username. As you have this example in the Networklessons article, I'm going to use the specific username/password configuration.

Configure a specific username and password for the CHAP response.

Router2(config)# int s1/1
Router2(config-if)# ppp chap hostname CHAPclient
Router2(config-if)# ppp chap password CHAPpassword

Now the responding device is going to build a string from [ID, configured password, received random#]; this string is used as input to the MD5 hashing algorithm, and the final output of the hashing algorithm is the hash that is sent in the response frame.
The response frame has this format.

  • 02: response frame type identifier. Response always has code 02.
  • ID: this value is copied from the ID field of the challenge frame, thus it's the same, to identify each other.
  • hash: contains the MD5 hashed value of the generated string.
  • device name = name of the responding device (in our case CHAPclient, because it was configured to be sent).

Result (message 3, generated by Router1)
In case authentication fails, a CHAP failure frame is generated and contains:

  • 04: failure identifier. Always code 04.
  • ID: copied from the response frame.

In case we configure a username and password for our client:

Router1(config)# username CHAPclient password 0 CHAPpassword
Router1(config)# username CHAPclient autocommand logout

Authentication passes, Success message is generated:

  • 03: success frame identifier. Always code 03.
  • ID: copied from the response frame.

With PAP it's pretty straightforward. We want Router2 to authenticate Router1 using PAP, thus we have to create credentials for Router1; just configure a username and password.

Router2(config)# username PAPclient password PAPpassword
Router2(config)# username PAPclient autocommand logout
Router2(config)# interface s1/1
Router2(config-if)# ppp authentication pap
Router2(config-if)# end

Right now, Router2 is not doing anything to authenticate Router1; it's waiting for Router1 to send its credentials.
Configure Router1 to invoke sending of PAP credentials.

Router1(config)# interface s1/0
Router1(config-if)# ppp pap sent-username PAPclient password PAPpassword
Router1(config-if)# end

Right now the interfaces are in up/up state.
PAP uses just a 2-way handshake (meaning there are only two messages in the authentication process).

I'm including a Wireshark capture of the CHAP and PAP authentication process, so you can look at it.
PPP Authentication – PAP and CHAP.pcapng (536 Bytes)

  • First 4 frames are for LCP and negotiation of authentication protocol PAP vs CHAP+MD5.
  • Frame 5 and 8 are two PAP messages.
  • Frame 6,7 and 9 are three CHAP messages.
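The CHAP exchange described in this post, as an added Python example that is not part of the original post or of Cisco IOS: it encodes Challenge and Response frames in the RFC 1994 layout (Code, ID, Length, Value-Size, Value, Name; the post does not spell out the Length and Value-Size fields), computes the response as MD5 over [ID, password, random#] in exactly that order, and verifies it the way the challenger does, returning the Success (03) or Failure (04) code. Router1, CHAPclient and CHAPpassword are the post's lab values; the builder, parser and verifier functions are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# CHAP code values from the post (RFC 1994)
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """MD5 over [ID, password, random#] in exactly that order; the order matters."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_frame(code: int, ident: int, value: bytes, name: str) -> bytes:
    """Encode a Challenge/Response: Code, ID, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_frame(frame: bytes):
    """Decode a Challenge/Response frame into (code, ident, value, name)."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    size = frame[4]
    return code, ident, frame[5:5 + size], frame[5 + size:length].decode()


def make_response(challenge_frame: bytes, hostname: str, password: str) -> bytes:
    """Responder side (Router2): hash ID + configured password + received random#."""
    _, ident, rand, _ = parse_frame(challenge_frame)
    digest = chap_hash(ident, password, rand)
    return build_frame(CHAP_RESPONSE, ident, digest, hostname)


def verify_response(challenge_frame: bytes, response_frame: bytes, users: dict) -> int:
    """Challenger side (Router1): look up the responder name, recompute, compare."""
    _, c_id, rand, _ = parse_frame(challenge_frame)
    code, r_id, r_hash, r_name = parse_frame(response_frame)
    # the Response must carry the same ID as the Challenge it answers
    if code != CHAP_RESPONSE or r_id != c_id or r_name not in users:
        return CHAP_FAILURE
    expected = chap_hash(c_id, users[r_name], rand)
    # constant-time compare; Success/Failure reuse the Response ID
    return CHAP_SUCCESS if hmac.compare_digest(expected, r_hash) else CHAP_FAILURE


if __name__ == "__main__":
    # Router1 generates a fresh 16-byte random# for challenge ID 1
    challenge = build_frame(CHAP_CHALLENGE, 1, os.urandom(16), "Router1")
    response = make_response(challenge, "CHAPclient", "CHAPpassword")
    print(verify_response(challenge, response, {"CHAPclient": "CHAPpassword"}))  # 3
```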