Exploiting the unique properties of the physical layer to enhance or complement authentication strength in wireless networks has recently attracted considerable research attention. In this paper, we propose a novel PHYsical layer Challenge-Response Authentication Mechanism (PHY-CRAM) for wireless networks. PHY-CRAM is suitable for both one-way and mutual authentication. It fully utilizes the randomness, reciprocity, and location decorrelation features of the wireless fading channel, and is immune to various passive and active attacks. In the authentication procedure, challenge-response signals are exchanged at the physical layer, which allows two devices to verify their shared secrets without revealing these secrets to attackers. PHY-CRAM adopts the orthogonal frequency-division multiplexing (OFDM) technique, separately modulating the higher-layer information and the shared keys on the subcarriers' phases and amplitudes, respectively, in order to prevent channel probing from traffic-related information. We conduct an extensive simulation study and develop a prototype using a field-programmable gate array (FPGA) and discrete radio frequency (RF) components to evaluate PHY-CRAM in real-world environments. The results show that PHY-CRAM achieves both a high successful authentication rate and a low false acceptance rate in various channel conditions and under various attacks.