VPN Client authentication question

cooperben
Level 1

Hi friends,

I recently started at a new company, where the Cisco VPN Client is used by all remote Windows users. I am not familiar with the client. I see by our Remote Access Policy that the clients authenticate using PAP. This immediately drew my concern.

My question is does this present a security threat? Even though the auth is unencrypted, it is still happening within a 3DES IPSec tunnel, right? What is the best practice with regards to using the VPN client and authentication?

Thanks in advance!

Equipment:

Cisco VPN Client v5 (latest build) on Windows XP SP3

Microsoft IAS (RADIUS) on W2K3 Server R2 x64

Cisco 3825 Router

IOS 12.4.24T Adv IP Services

Accepted Solutions

sziaulla
Cisco Employee

If my understanding is correct, your VPN client is terminating on the 3825 router. The client gets the username/password prompt after getting phase 1 up, therefore it cannot be clear text.

I hope this helps.

Regards

-Syed

Yes correct, all clients terminate on the outside interface of our 3825 router. We use group authentication w/ pre-shared key.

From what you are saying, I understand that Phase1 negotiation comes up first, thus wrapping all further communications in 3DES IPSec encryption. This then includes the user/pass transmission.

So therefore, using PAP is no big deal in this configuration? (I am assuming not, otherwise it would not be designed to work this way.) But I just want to be sure.

Thanks in advance for all input.

Your understanding is correct.

Thanks

-Syed
