VPN Client authentication question

Answered Question
Aug 12th, 2009

Hi friends,

I recently started at a new company, where the Cisco VPN Client is used by all remote Windows users. I am not familiar with the client. I see by our Remote Access Policy that the clients authenticate using PAP. This immediately drew my concern.

My question is: does this present a security threat? Even though the auth is unencrypted, it is still happening within a 3DES IPSec tunnel, right? What is the best practice with regard to using the VPN client and authentication?

Thanks in advance!

Equipment:

Cisco VPN Client v5 (latest build) on Windows XP SP3

Microsoft IAS (RADIUS) on W2K3 Server R2 x64

Cisco 3825 Router

IOS 12.4.24T Adv IP Services

Correct Answer
sziaulla Wed, 08/12/2009 - 11:35

If my understanding is correct, your VPN client is terminating on the 3825 router. The client gets the username/password prompt after getting phase1 up, therefore it cannot be clear text.

I hope this helps.

Regards

-Syed

cooperben Wed, 08/12/2009 - 12:45

Yes correct, all clients terminate on the outside interface of our 3825 router. We use group authentication w/ pre-shared key.

From what you are saying, I understand that Phase1 negotiation comes up first, thus wrapping all further communications in 3DES IPSec encryption. This then includes the user/pass transmission.

So therefore, using PAP is no big deal in this configuration? (I am assuming not, otherwise it would not be designed to work this way.) But I just want to be sure.

Thanks in advance for all input.
