
Configuring CHAP Authentication

This section describes how to configure Challenge Handshake Authentication Protocol (CHAP) authentication. CHAP is a three-way handshake authentication protocol.

Prerequisites

A FW functioning as an authenticator supports local and remote authentication. If local authentication is used, you must configure a user account and an authentication mode. If remote authentication is used, you must also configure an authentication server.

If the FW is a supplicant, you must configure a user name and an authentication mode. If remote authentication is used, you must also configure an authentication server.

Context

Devices with CHAP authentication enabled transmit only user names over the network. CHAP provides higher security than the Password Authentication Protocol (PAP) because passwords are not transmitted.

By default, Point-to-Point Protocol (PPP) packets are not authenticated using CHAP.
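
The three-way handshake behind this, sketched as an added example (not Huawei code or FW output). It assumes the MD5 response calculation defined in RFC 1994; the user name `user1` and the password are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Authenticator with a local user database (name -> shared password)."""
    def __init__(self, users: dict):
        self.users = users
        self.next_id = 0
        self.pending = {}  # identifier -> outstanding challenge value

    def challenge(self):
        """Message 1 (Challenge): fresh identifier and random value."""
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[self.next_id] = value
        return self.next_id, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Message 3 (Success/Failure): recompute the hash and compare."""
        value = self.pending.pop(identifier, None)  # each challenge is single-use
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)

def run_handshake(auth: Authenticator, name: str, password: bytes):
    """Run the three messages and return (result, list of on-wire messages)."""
    ident, value = auth.challenge()
    resp = chap_response(ident, password, value)  # Message 2 (Response)
    wire = [("Challenge", ident, value), ("Response", ident, name, resp)]
    ok = auth.verify(ident, name, resp)
    wire.append(("Success" if ok else "Failure", ident))
    return ok, wire

if __name__ == "__main__":
    # Constructed sample account; not taken from the page.
    auth = Authenticator({"user1": b"Constructed-Passw0rd"})
    ok, wire = run_handshake(auth, "user1", b"Constructed-Passw0rd")
    for msg in wire:
        print(msg)
```

The on-wire messages carry the user name, the random challenge and a hash, never the password, and a captured response is rejected when presented against a later challenge.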

Procedure

  • Configure an authenticator to use CHAP to authenticate the peer end when the user name is specified.
    When an authenticator sets a user name, the authenticator must set the same password as that of the authenticated end.
    • Configure a FW that authenticates a peer end.
      1. Display the system view.

        system-view
      2. Display the interface view.

        interface interface-type interface-number
      3. Configure a local end to use CHAP to authenticate the peer end.

        ppp authentication-mode chap [ pap ]

        The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence over PAP negotiation during Link Control Protocol (LCP) negotiation. If the authenticator does not support CHAP or PAP, LCP negotiation between the two devices fails.

      4. Specify a local user name.

        ppp chap user user-name
    • Configure a FW that is authenticated by the local FW.
      1. Display the system view.

        system-view
      2. Display the interface view.

        interface interface-type interface-number
      3. Specify a local user name.

        ppp chap user user-name
  • Configure the authenticator to authenticate the peer end in CHAP mode if the user name is not specified.

    During authentication, the authenticator searches locally configured AAA user names. If the user name and password configured on the peer interface match those on the local end, authentication succeeds.

    • Configure a FW that authenticates a peer end.
      1. Display the system view.

        system-view
      2. Display the interface view.

        interface interface-type interface-number
      3. Configure a local end to use CHAP to authenticate the peer end.

        ppp authentication-mode chap [ pap ]

        The ppp authentication-mode chap pap command enables CHAP negotiation to take precedence over PAP negotiation during LCP negotiation. If the authenticator does not support CHAP or PAP, LCP negotiation between the two devices fails.

    • Configure a FW that is authenticated by the local FW.
      1. Display the system view.

        system-view
      2. Display the interface view.

        interface interface-type interface-number
      3. Specify a local user name.

        ppp chap user user-name
      4. Set a password for the peer end to use CHAP to authenticate the local end.

        ppp chap password cipher password
Copyright © Huawei Technologies Co., Ltd.