2.3.b Implement and troubleshoot PPP

2.3.b [i] Authentication [PAP, CHAP]

The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed during CHAP protocol exchange:

After the Link Control Protocol (LCP) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.

The peer responds with a value calculated using a one-way hash function, Message Digest 5 (MD5).

The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.

By default, the authenticator uses its own hostname to identify itself to the peer.

This authentication method depends on a “secret” known only to the authenticator and the peer. The secret is never sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 2137-2142). Kindle Edition.

http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html
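
The three-way handshake described above, as an added example (not code from the cited guide or from Cisco). Both sides compute the response value as RFC 1994 defines it: MD5 over the Identifier, the shared secret and the challenge value. The class names, the dict message layout and the hostnames and secret used with it are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    def __init__(self, name: str, secrets: dict):
        self.name = name          # sent in the Challenge; the hostname by default
        self.secrets = secrets    # peer name -> shared secret, never transmitted
        self.next_id = 0
        self.pending = {}         # identifier -> outstanding challenge value

    def challenge(self) -> dict:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)    # fresh and unpredictable for every challenge
        self.pending[ident] = value
        return {"code": 1, "id": ident, "value": value, "name": self.name}

    def verify(self, resp: dict) -> dict:
        value = self.pending.pop(resp["id"], None)  # each challenge is single-use
        secret = self.secrets.get(resp["name"])
        ok = False
        if value is not None and secret is not None:
            expected = chap_response(resp["id"], secret, value)
            ok = hmac.compare_digest(expected, resp["value"])  # constant-time
        return {"code": 3 if ok else 4, "id": resp["id"]}  # 3=Success 4=Failure

class Peer:
    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets    # authenticator name -> shared secret

    def respond(self, chal: dict) -> dict:
        secret = self.secrets[chal["name"]]  # chosen by the name in the Challenge
        value = chap_response(chal["id"], secret, chal["value"])
        return {"code": 2, "id": chal["id"], "value": value, "name": self.name}

def handshake(auth: Authenticator, peer: Peer):
    """Run Challenge -> Response -> Success/Failure; return all three messages."""
    chal = auth.challenge()
    resp = peer.respond(chal)
    return chal, resp, auth.verify(resp)
```

Only the challenge, the hash and the names cross the link. Replaying a captured Response fails because the authenticator discards each challenge after one verification.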