I recently started at a new company, where the Cisco VPN Client is used by all remote Windows users. I am not familiar with the client. I see by our Remote Access Policy that the clients authenticate using PAP. This immediately drew my concern.
My question is: does this present a security threat? Even though the auth is unencrypted, it is still happening within a 3DES IPSec tunnel, right? What is the best practice with regard to using the VPN client and authentication?
Thanks in advance!
Cisco VPN Client v5 (latest build) on Windows XP SP3
Microsoft IAS (RADIUS) on W2K3 Server R2 x64
Cisco 3825 Router
IOS 12.4.24T Adv IP Services
If my understanding is correct, your VPN client is terminating on the 3825 router. The client gets the username/password prompt after getting phase 1 up; therefore it cannot be clear text.
I hope this helps.