Cisco VPN client group password revealer

Jun 17th, 2010


Cisco VPN client group passwords can be easily decoded with password revealer tools etc. if you have access to the .pcf file (which every client has). As this is a preshared key, is there a better way to harden this? I thought it was a vulnerability in that the group pwd is decrypted in memory in plain text and so is easily hackable. It is unclear if the only workaround is IKEv2 or mutual group auth. Is stronger encryption on the pwd even worth pursuing?

This is for IPsec VPN between ASAs and clients running the 5.x client.


martinwicher Sat, 06/19/2010 - 16:19

I'm also working on this topic. With the password revealer you can easily decrypt the group password. The group name is configured in plain text in the profile, too.

So my additional question is the following: how can it be prevented that an attacker uses this combination of group name and group password during user authentication? In my configuration this is recently working. The group combination works in the user authentication process, too. I haven't managed to prevent this. This is a big security issue.

Any ideas? How do other admins configure this?

I use RADIUS authentication and authorization by ACS. I tried the group-lock feature, but in this scenario it doesn't help.

Thanks for your help.

