VPN Client authentication question

Answered Question
Aug 12th, 2009

Hi friends,


I recently started at a new company, where the Cisco VPN Client is used by all remote Windows users. I am not familiar with the client. I see by our Remote Access Policy that the clients authenticate using PAP. This immediately drew my concern.


My question is: does this present a security threat? Even though the auth is unencrypted, it is still happening within a 3DES IPSec tunnel, right? What is the best practice with regard to using the VPN client and authentication?

Thanks in advance!



Equipment:

Cisco VPN Client v5 (latest build) on Windows XP SP3

Microsoft IAS (RADIUS) on W2K3 Server R2 x64

Cisco 3825 Router

IOS 12.4.24T Adv IP Services

Correct Answer
sziaulla Wed, 08/12/2009 - 11:35
User Badges: Cisco Employee

If my understanding is correct, your VPN client is terminating on the 3825 router. The client gets the username/password prompt after getting phase1 up, therefore it cannot be clear text.

I hope this helps.

Regards

-Syed

cooperben Wed, 08/12/2009 - 12:45

Yes correct, all clients terminate on the outside interface of our 3825 router. We use group authentication w/ pre-shared key.


From what you are saying, I understand that Phase1 negotiation comes up first, thus wrapping all further communications in 3DES IPSec encryption. This then includes the user/pass transmission.


So therefore, using PAP is no big deal in this configuration? (I am assuming not, otherwise it would not be designed to work this way.) But I just want to be sure.


Thanks in advance for all input.

sziaulla Thu, 08/13/2009 - 05:32
User Badges: Cisco Employee

Your understanding is correct.

Thanks

-Syed
