PIX VPN auth - Windows Vista

olhcc
Level 1

Question: Our PIX-525 (v6.3.5) is currently accepting L2TP connections over IPSec. Auth is MSCHAP, crypto is 3DES/SHA.

We are starting to have users with Windows Vista. Because Vista no longer supports MSCHAPv1, and because PIX doesn't support MSCHAPv2, I must consider using a different auth method. I did not consider CHAP, because we've had too many problems with it.

I thought that using PAP would suffice since the connection is over IPSec. Does this make sense or am I opening up a huge hole here? I would NEVER consider using PAP for anything unless IPSec was configured as well. Even though PAP auth is not encrypted, it is within an IPSec tunnel, which is encrypted. What would be the best practice here?

PS - I do realize that MSCHAP doesn't set the world on fire when it comes to security either.

1 Reply

olhcc
Level 1

OK, so I ended up asking the TAC and here is their reply:

"You are absolutely right that the PAP auth would ideally be encrypted by the IPSEC. So it is absolutely ok to use PAP in this scenario."

I set up another vpdn group using PAP auth, so my MSCHAP clients (XP) can still connect.
