I have noticed something in the Tacacs and radius logs that I have a query about. It's not an issue, I'm just looking for some information. I notice that despite having our network devices being configured to use Tacacs+ or radius the 'authentication method' that is specified in the Tacacs and radius logs in ACS 5 is PAP ASCII.
The reason this got my attention is because we use Tacacs+ or radius whch have their own varying levels of encryption this is why we use them but PAP, which is shown as the authentication method is unencrypted which is what we don't want. In order to see what was going on I ran a Wireshark trace and I can definitely see that the tacacs & radius authentications are being successfully encrypted.
So why am I seeing PAP ASCII as the authentication method in the ACS logs?
Is it a case where tacacs+ is just an encrypted payload in the PAP packet or something to that affect?
For PAP the password is not encrypted between the user and the NAS device. However, the traffic from NAS to the AAA server is encrypted using the shared secret that is previously configured between the NAS and the AAA server.
Enabling PAP as an authentication protocol means that user passwords are sent from a client to a NAS in plaintext form. The NAS encrypts the password using the shared secret and sends it in an Access-Request packet. Because a RADIUS proxy must encrypt the PAP password using the shared secret of its forwarding RADIUS server, a RADIUS proxy must decrypt the PAP password using the shared secret between the RADIUS proxy and the NAS. A malicious user at a RADIUS proxy can record user names and passwords for PAP connections. For this reason, the use of PAP is highly discouraged, especially for virtual private network connections.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...