Lab 9. PPP Authentication Using CHAP (Method #1)

CCNA 200–301

Lab Objective:

The objective of this lab exercise is to configure two routers sharing a back-to-back Serial link encapsulated by PPP to authenticate each other using default CHAP parameters on Cisco IOS. By default, PPP connections are not authenticated or secured.

Lab Purpose:

PPP CHAP authentication configuration is a fundamental skill. One of the main reasons that PPP is so popular is because it has the capability to be secured and devices communicating using PPP can be authenticated. CHAP authentication is the most preferred method to secure PPP as it does not send usernames and passwords in clear text. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure PPP CHAP authentication.

Task 1:

Configure hostnames on R1 and R2 as illustrated in the topology.

Task 2:

Enable Serial interfaces on R1 and R2. The Serial0/0 interface on R2 is identified as the DCE in the topology. Use the appropriate command to verify that this interface is indeed the DCE. Configure the DCE interface on R2 to provide clocking to R1. The clock speed should be 768 Kbps. Verify that R1 receives clocking information from R2.

Task 3:

Enable PPP encapsulation on R1 and R2 Serial0/0 interfaces. Configure IP addressing on R1 and R2 Serial0/0 interfaces as illustrated in the topology.

Task 4:

Verify your interface encapsulation, which should now be PPP. Test connectivity between R1 and R2 by pinging between the routers.

Task 5:

Configure the Serial0/0 interfaces of R1 and R2 for PPP authentication via CHAP. Both R1 and R2 should authenticate using their hostnames and the password CHAP.

Task 6:

Enable PPP authentication debugging on R2. Next, perform a shutdown command, followed by a no shutdown command, on Serial0/0. Verify that you see the two routers authenticating each other via PPP CHAP. Disable debugging when you are done.

Task 1:

For reference information on configuring hostnames, please refer to earlier labs.

Task 2:

For reference information on configuring clock rates, please refer to earlier labs.

Task 3:

For reference information on configuring PPP and IP addressing, please refer to earlier labs.

Task 4:

R1#ping 192.168.50.34

Task 5:

R1#conf t
R1(config)#username R2 password CHAP
R1(config)#int s0/0
R1(config-if)#ppp authentication chap
R1(config-if)#end

R2#conf t
R2(config)#username R1 password CHAP
R2(config)#int s0/0
R2(config-if)#ppp authentication chap

NOTE: By default, there is no need to configure a hostname to be used for CHAP authentication on Cisco IOS routers as they will use the hostname configured on the router. There is also no need to define a password to be used for authentication since CHAP does not send the passwords across the link like PAP does. Therefore, a hash will be created using the configured passwords in the username command. These passwords must be identical on both routers, otherwise authentication will fail!

Task 6:

R1#debug ppp authentication
R1#conf t
R1(config-if)#shutdown

R1(config-if)#no shutdown
R1(config-if)#end

R1#undebug all