Cisco Systems C819GUK9 Router User Manual

Cisco 860 Series, Cisco 880 Series, and Cisco 890 Series Integrated Services Routers Software Configuration Guide
OL-18906-02
Appendix B Concepts
CHAP
CHAP uses a three-way handshake to verify passwords. To understand how CHAP works, imagine a
network topology in which a remote office Cisco router is connected to a corporate office Cisco router.
After the PPP link is established, the corporate office router sends a challenge message to the remote
office router. The remote office router responds with a variable value. The corporate office router checks
the response against its own calculation of the value. If the values match, the corporate office router
accepts the authentication. The authentication process can be repeated anytime after the link is
established.
CHAP has the following characteristics:
• The authentication process uses a variable challenge value rather than a password.
• CHAP protects against playback attack through the use of the variable challenge value, which is unique and unpredictable. Repeated challenges limit the time of exposure to any single attack.
• The corporate office router controls the frequency and timing of the authentication attempts.
Note: We recommend using CHAP because it is the more secure of the two protocols.
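The three-way handshake described above, as an added example that is not part of the configuration guide: it assumes the MD5 response method of RFC 1994 (Response = MD5(Identifier || secret || Challenge)); the shared secret and challenge values are constructed for illustration. The last function shows why the unique challenge defeats playback: a captured response fails against the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed example of MD5-CHAP (RFC 1994). The shared secret below is
# illustrative only and does not come from the configuration guide.
SHARED_SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Remote-office side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Corporate-office side: issues challenges and verifies responses."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.identifier = 0
        self.pending = {}  # identifier -> outstanding challenge value

    def challenge(self) -> tuple[int, bytes]:
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)  # unique and unpredictable per attempt
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # each challenge is single-use
        if challenge is None:
            return False
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def handshake(auth: Authenticator, peer_secret: bytes) -> bool:
    """One complete CHAP exchange; True only if the peer holds the same secret."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)
    return auth.verify(ident, resp)


def replay_is_rejected(auth: Authenticator, peer_secret: bytes) -> bool:
    """A response recorded from one exchange cannot answer a later challenge."""
    ident, chal = auth.challenge()
    captured = chap_response(ident, peer_secret, chal)
    assert auth.verify(ident, captured)  # genuine exchange succeeds
    ident2, _ = auth.challenge()  # fresh challenge: the old response is worthless
    return not auth.verify(ident2, captured)
```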
TACACS+
Cisco 819 routers support the Terminal Access Controller Access Control System Plus (TACACS+)
protocol through Telnet. TACACS+ is a Cisco-proprietary authentication protocol that provides remote
access authentication and related network security services, such as event logging. User passwords are
administered in a central database rather than in individual routers. TACACS+ also provides support for
separate modular authentication, authorization, and accounting (AAA) facilities that are configured at
individual routers.
Ethernet
Ethernet is a baseband LAN protocol that transports data and voice packets to the WAN interface using
carrier sense multiple access with collision detection (CSMA/CD). The term is now often used to refer to all
CSMA/CD LANs. Ethernet was designed to serve in networks with sporadic, occasionally heavy traffic
requirements. The IEEE 802.3 specification was developed in 1980, based on the original Ethernet
technology.
Under the Ethernet CSMA/CD media-access process, any host on a CSMA/CD LAN can access the
network at any time. Before sending data, CSMA/CD hosts listen for traffic on the network. A host
wanting to send data waits until it detects no traffic before it transmits. Ethernet allows any host on the
network to transmit whenever the network is quiet. A collision occurs when two hosts listen for traffic,
hear none, and then transmit simultaneously. In this situation, both transmissions are damaged, and the
hosts must retransmit at some later time. Algorithms determine when the colliding hosts should
retransmit.