SN0054659-00 A 3-1
3 Configuring CHAP
This chapter describes CHAP and provides the procedures for configuring CHAP
from the command line interface (CLI).
For procedures, see the following sections:
“Discovery Session—Bi-directional CHAP” on page 3-2
“Discovery Session—Uni-directional CHAP” on page 3-3
“Normal Session—Bi-directional CHAP” on page 3-4
“Normal Session—Uni-directional CHAP” on page 3-5
CHAP Definition
In the Challenge Handshake Authentication Protocol (CHAP), the authenticator
sends the peer (the client program) a random value that is used only once and an
ID value. Both the authenticator and the peer share a predefined secret. The peer
concatenates the random value, the ID, and the secret, and calculates a one-way
hash using MD5 (Message-Digest algorithm 5). It sends the hash value to the
authenticator, which in turn builds the same string on its side, calculates the
MD5 hash, and compares the result with the value received from the peer. If the
values match, the peer is authenticated.
Because only the one-way hash is transmitted, the secret itself is never sent and
cannot be reverse-engineered from the exchange. The ID value is increased with
each CHAP dialogue to protect against replay attacks.
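
The exchange described above, written out as an added example (it is not part of this manual or of the product's code). It hashes the fields in the byte order that RFC 1994 defines (ID octet, then secret, then challenge), and the names chap_response, Authenticator and demo, as well as the sample secrets, are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """MD5 over ID octet || secret || challenge (RFC 1994 ordering)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Side that issues challenges and checks the peer's responses."""
    def __init__(self, secret):
        self._secret = secret
        self._ident = 0
        self._pending = None  # (id, challenge) still awaiting a response

    def new_challenge(self):
        # The ID increases with every dialogue; the random value is used once.
        self._ident = (self._ident + 1) % 256
        self._pending = (self._ident, os.urandom(16))
        return self._pending

    def verify(self, ident, response):
        if self._pending is None or ident != self._pending[0]:
            return False
        pend_id, challenge = self._pending
        self._pending = None  # a challenge is good for one attempt only
        expected = chap_response(pend_id, self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = b"constructed-sample-secret"  # constructed value, not a real credential
    auth = Authenticator(secret)
    ident, challenge = auth.new_challenge()
    captured = chap_response(ident, secret, challenge)
    results = {"valid": auth.verify(ident, captured)}
    # The same response replayed in the next dialogue no longer matches,
    # because both the ID and the random value have changed.
    ident2, _ = auth.new_challenge()
    results["replayed"] = auth.verify(ident2, captured)
    # A peer that holds a different secret is rejected as well.
    ident3, challenge3 = auth.new_challenge()
    results["wrong_secret"] = auth.verify(
        ident3, chap_response(ident3, b"constructed-other", challenge3))
    return results


if __name__ == "__main__":
    print(demo())
```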