Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our beta test area to get started.

New Member

PPP CHAP & TACACS+ packet flow details

I know the packet flow when using CHAP without TACACS, and I know the TACACS packet flow, but I can't find anything documenting the actual authentication process when the two are combined. Here's a sample question I'm trying to sort out:

Router A dials Router B. Assuming default ppp authentication chap statement on both ends, either could attempt to initiate CHAP. Assume Router A sends the CHAP packet to Router B. Router A has to know the name of the remote router, so you still have to have the username definition in Router A for Router B, correct? (i.e., Router A can't go to the TACACS server and ask for the hash to send to Router B, can it?). As I understand it, Router B gets the hash, and sends it to the TACACS server for verification. The TACACS server sends back a yes or a no. How is this a three way authentication then? And can Router B get away with not having any usernames defined?

Does anyone know of a good technical description of the authentication process when combining CHAP and TACACS+?

Thanks in advance.

  • AAA Identity and NAC
New Member

Re: PPP CHAP & TACACS+ packet flow details

If you have any update on this, can you post it on forum? would be useful for all.