Cisco Support Community
Community Member

Is using PAP with L2TP secure?

We are setting up a new VPN using an ASA5500 that sends authentication requests to an ACS that in turn forwards the authentication to an RSA SecurID server. When using the MS L2TP client the only way to get it to work is by using PAP. How secure is this? Is the authentication encapsulated in IPSEC? Since we are using SecurID tokens, if the username and password are sent in cleartext, is there a real problem if someone does intercept it?


Re: Is using PAP with L2TP secure?

PAP - Passes cleartext username and password during authentication and is NOT Secure.

Refer to this link:

Community Member

Re: Is using PAP with L2TP secure?

Using PAP with L2TP/IPSEC does *NOT* send your password in clear text over the network (or internet) because the PAP is encapsulated within the IPSEC tunnel. You can prove this by running a network packet trace with Wireshark etc. and see that the password isn't in "clear text" (I am going to assume you are using 3DES or AES).


There are "more secure" methods. First came PAP, then CHAP (which required passwords be in "reversibly encrypted format"; this is why Microsoft released the "more secure" MSChapV2). Today I would look at PEAP (Protected Extensible Authentication Protocol), PEAP-EAP-TLS smartcards; also look into IKEv2 "always on VPN" (Cisco created PEAPv1/EAP-GTC or EAP-FAST).
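The packet-trace check described in the reply above, as an added example that is not part of the original thread: it labels raw IPv4 packets captured on the untrusted side of the VPN and flags any L2TP (UDP 1701) or PAP Authenticate-Request that is readable without ESP. The function names, sample packets, addresses, peer name and code are constructed for illustration.

```python
import struct

def l2tp_ppp_payload(data):
    """Return the PPP frame inside an L2TPv2 data message (RFC 2661), else None."""
    flags = int.from_bytes(data[:2], "big")
    if len(data) < 6 or flags & 0x8000 or (flags & 0x000F) != 2:  # short, control, or not v2
        return None
    off = 2 + (2 if flags & 0x4000 else 0) + 4   # flags, optional Length, tunnel+session IDs
    off += 4 if flags & 0x0800 else 0            # optional Ns/Nr
    if flags & 0x0200:                           # optional Offset Size + padding
        if len(data) < off + 2:
            return None
        off += 2 + struct.unpack_from("!H", data, off)[0]
    ppp = data[off:]
    return ppp[2:] if ppp[:2] == b"\xff\x03" else ppp  # drop address/control if present

def classify(pkt):
    """Label one raw IPv4 packet as seen on the untrusted side of the VPN."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl + 8:
        return "other"
    if pkt[9] == 50:
        return "esp"                             # encrypted; inner L2TP/PAP not visible
    if pkt[9] != 17:
        return "other"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    payload = pkt[ihl + 8:]
    if 4500 in (sport, dport):                   # NAT-T: four zero bytes mark IKE, else ESP
        return "ike-nat-t" if payload[:4] == b"\0\0\0\0" else "esp-in-udp"
    if 1701 in (sport, dport):
        ppp = l2tp_ppp_payload(payload)
        if ppp and len(ppp) >= 3 and ppp[:2] == b"\xc0\x23" and ppp[2] == 1:
            return "l2tp-pap-cleartext"          # PPP 0xC023 (PAP), code 1 = Authenticate-Request
        return "l2tp-cleartext"
    return "other"

def cleartext_l2tp_seen(packets):
    return any(classify(p).startswith("l2tp") for p in packets)

# Constructed sample packets (documentation addresses, made-up peer name and code)
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload
def udp(port, payload):
    return struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
pap = bytes([1, 1, 0, 17, 5]) + b"alice" + bytes([6]) + b"123456"
CLEAR = ipv4(17, udp(1701, struct.pack("!HHH", 0x0002, 1, 1) + b"\xff\x03\xc0\x23" + pap))
ESP = ipv4(50, struct.pack("!II", 0x1000, 1) + bytes(32))
NATT = ipv4(17, udp(4500, struct.pack("!II", 0x1000, 1) + bytes(32)))
```

On a correctly configured L2TP/IPsec connection, a capture between client and ASA should yield only IKE and ESP labels; any `l2tp-*` label means L2TP is leaving the host unprotected.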
