Specifications
22 Chapter 1. Router Concepts
PAP/CHAP Security Authentication
The router supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication
Protocol) under PPP.
Security authentication may not be required due to the nature of the connection in a DSL environment (traffic
occurs on a dedicated line/virtual circuit). However, authentication may be specifically required by the remote end,
the ISP, or the NSP. When authentication is not required, security can be disabled with the command remote
disauthen (page 266).
PAP provides verification of passwords between routers using a two-way handshake. One router (peer) sends the
system name and password to the other router. Then the other router (known as the authenticator) checks the
peer's password against the configured remote router's password and returns acknowledgment.
CHAP is more secure than PAP because unencrypted passwords are not sent across the network. CHAP uses a
three-way handshake. One router (known as the authenticator) challenges the other router (known as the peer) by
generating a random number and sending it along with the system name. The peer then applies a one-way hash
algorithm to the random number and the secret, and returns this encrypted information along with the system name.
The authenticator then runs the same algorithm and compares the result with the expected value. This
authentication method depends upon a password or secret known only to both ends.
PAP Authentication
[Figure: PAP authentication between the routers Chicago and New York]
Chicago: System Name=Chicago, System Password=abc; Remote Router Database: Remote=New York, Password=xyz
New York: System Name=New York, System Password=xyz; Remote Router Database: Remote=Chicago, Password=abc
Message labels: 1 = New York & xyz; 2 = Accepted/Rejected
CHAP Authentication
[Figure: CHAP authentication between the routers Chicago and New York]
Chicago: System Name=Chicago, System Password=abc; Remote Router Database: Remote=New York, Password=xyz
New York: System Name=New York, System Password=xyz; Remote Router Database: Remote=Chicago, Password=abc
Message labels: Challenge; 1 = New York & encrypted number; 2 = Accepted/Rejected; 3 = Chicago & encrypted secret
Annotations: Hashes random number and secret "abc"; Performs same hash with number and secret "abc" and compares results
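The CHAP exchange described above, as an added example (not code from the router or this manual). It assumes the one-way hash is MD5 over identifier, secret and challenge as in RFC 1994, which this page does not specify; the function names and ROUTER_DB are hypothetical, and the router name and secret "abc" are the figure's sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values taken from the figure: Chicago's system password
# is "abc", and New York's remote router database holds the same secret.
ROUTER_DB = {"Chicago": b"abc"}   # authenticator (New York) side


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Assumed RFC 1994 form: MD5 of identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge() -> tuple[int, bytes]:
    """Authenticator step: pick an identifier and an unpredictable challenge."""
    return os.urandom(1)[0], os.urandom(16)


def verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator step: run the same hash with the stored secret and compare."""
    secret = ROUTER_DB.get(name)
    if secret is None:
        return False  # unknown system name: reject
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def handshake(peer_name: str, peer_secret: bytes) -> bool:
    """One full exchange: challenge, response, accept/reject."""
    ident, challenge = new_challenge()
    response = chap_response(ident, peer_secret, challenge)  # peer side
    return verify(peer_name, ident, challenge, response)


def replay_accepted() -> bool:
    """A response recorded in one exchange, checked against a fresh challenge."""
    ident1, chal1 = new_challenge()
    recorded = chap_response(ident1, b"abc", chal1)
    ident2, chal2 = new_challenge()
    return verify("Chicago", ident2, chal2, recorded)


if __name__ == "__main__":
    print("correct secret:", handshake("Chicago", b"abc"))
    print("wrong secret:  ", handshake("Chicago", b"xyz"))
    print("replayed reply:", replay_accepted())
```

Only the hash crosses the link, and because each challenge is random, a response recorded from an earlier exchange does not verify against a later one.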