Cisco Support Community

New Member

VPN Authentication by MS IAS-radius

We use VPNs between PIXs (6.2) and 3.0 clients. I am interested in using the IAS-radius for authentication. The documentation says to have the IAS use PAP/cleartext.

How does the challenge response get handled? Is it clear text IP from the IAS to the PIX and then PIX encryption (56/3DES) to the far end? Or is it clear text all the way to the far end? Or what?

New Member

Re: VPN Authentication by MS IAS-radius

Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecured network could determine a user's password.

The IAS use of PAP/clear text is for Microsoft remote access or PPTP VPN.

When you configure the Microsoft RADIUS server, you need to choose PAP/clear text because the RADIUS protocol uses its own way to encrypt the password. CHAP or MSCHAP has an MD5 one-way hash, which will affect RADIUS's encryption process.

User authentication happens after the group authentication, which is the IPsec phase 1 negotiation, so the user name and password between the PIX and the remote VPN client are protected by DES or 3DES encryption.

In a word, there is no security issue to worry about.

Best Regards,
