I have deployed some configurations for VPN connectivity using L2TP and sometimes PPTP; however, since neither protocol was designed with security in mind, we usually place them over IPsec to ensure data confidentiality. I searched online for examples, but most implementations I found define a PSK for IPsec and then (for example) integrate the authorization process with Active Directory using the person's username/password.
Using a username/password is something very easy and intuitive for a common user; however, confidentiality is only ensured by the PSK. Isn't this a bad choice when we have to design a scenario where there are hundreds of different users connecting to the VPN in a road-warrior style? Basically everyone has to know the PSK, compromising the confidentiality between them.
Are there any solutions for this kind of scenario?
Using X.509 might be a solution, I think; however, I would much rather use a username/password than having to deploy certificates to every single user and teach them how to use them.
This isn't a very Cisco-related question; however, the scenario I'm going to implement will be with Cisco routers acting as VPN concentrators.
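To make the trade-off in the question concrete, here is an added example (not from the original post and not a vendor-supplied configuration) of two Cisco IOS fragments for an L2TP/IPsec concentrator: the group pre-shared key that every road warrior carries, beside the X.509 alternative in which the concentrator authenticates each peer with RSA signatures. The trustpoint name, hostnames, key-pair name and the PSK value are assumptions.

```cisco
! ---- Variant A: one group PSK for every road-warrior client ----
! Because clients arrive from unknown addresses, the key has to be bound to a
! wildcard peer, which means the same secret sits on every laptop and any one
! of them leaking it breaks the IKE authentication of all the others.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! placeholder value, constructed for this example
crypto isakmp key GROUP-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
! ---- Variant B: X.509 (RSA signatures) instead of the shared secret ----
! Each peer proves its identity with its own key pair and certificate; revoking
! one user's certificate does not touch anyone else. Names below are assumed.
crypto pki trustpoint VPN-CA
 enrollment url http://pki.example.internal:80
 subject-name CN=vpn-gw.example.internal
 revocation-check crl
 rsakeypair VPN-GW-KEY 2048
! (exec mode, run once: "crypto pki authenticate VPN-CA" to import the CA
!  certificate, then "crypto pki enroll VPN-CA" to obtain the gateway's own)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
!
! ---- Common to both variants: transport-mode ESP carrying the L2TP traffic ----
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
```

In both variants the PPP username/password inside the L2TP tunnel still identifies the user for Active Directory; only the IPsec peer authentication differs, which is exactly the layer the shared PSK weakens.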