Cisco Support Community
Community Member

VPN client xauth to microsoft IAS radius server... some question!

Hi

I've configured a VPN remote access connection with extended authentication to a Microsoft IAS RADIUS server.

The Cisco vpn client makes an IPsec connection to a PIX firewall and when the tunnel is up the user is authenticated on the MS radius server.

This is the command that I've used to specify the RADIUS server on the PIX:

aaa-server AuthIn protocol radius

aaa-server AuthIn (inside) host 172.18.124.95 TESTPASS timeout 10

I've read in the Cisco docs that the Cisco client supports only PAP authentication, so on the RADIUS server I've configured only this type of protocol (instead of CHAP, MS-CHAP, etc.).

When the tunnel is up:

the user types his password and the PIX routes this to the authentication server...

using the PAP protocol.

My question is:

--- PAP is in clear text ! ! !

then, locally, is the communication between the PIX and the server in clear text, or is the password specified earlier in the PIX's AAA configuration (TESTPASS) used anyway to cipher the communication?

Thanks in advance!

Bye,

Graz.

1 REPLY
Cisco Employee

Re: VPN client xauth to microsoft IAS radius server... some question!

The password sent is encrypted between the NAS (PIX) and the RADIUS server.

TACACS+ encrypts the entire packet between the NAS (PIX) and TACACS+ server.

This is as per Radius and TACACS+ RFC. All standard Radius/Tacacs+ servers should do this.

See Table 1-1 at the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/o.htm#325

HTH

R/Yusuf
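As an added example (not part of the thread), this is the User-Password hiding that RFC 2865 section 5.2 specifies for a PAP password inside a RADIUS Access-Request, which is the protection the reply refers to: only the User-Password attribute is XOR-masked with an MD5 keystream derived from the shared secret (TESTPASS in the question) and the 16-byte Request Authenticator, while the rest of the RADIUS packet travels in the clear, unlike TACACS+ which encrypts the whole packet body. The Request Authenticator and password values below are constructed for the demo; the protection is only as strong as the shared secret, so a trivial secret such as TESTPASS leaves any captured Access-Request open to offline guessing.

```python
import hashlib
import os


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP password into the RADIUS User-Password attribute value.

    b1 = MD5(S + RA), c1 = p1 XOR b1; then b_i = MD5(S + c_(i-1)), c_i = p_i XOR b_i.
    S is the shared secret, RA the 16-byte Request Authenticator of the Access-Request.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS limits User-Password to 1..128 bytes")
    padded = _pad16(password)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk  # each block is chained on the previous ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password; this is what the RADIUS server does before checking PAP."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")  # strip the RFC padding (passwords are text)


if __name__ == "__main__":
    # Constructed demo values; the shared secret TESTPASS is the one from the question.
    secret = b"TESTPASS"
    authenticator = os.urandom(16)  # the NAS picks a fresh random RA per Access-Request
    pw = b"xauth-user-pw"
    attr = hide_user_password(pw, secret, authenticator)
    print("User-Password attribute on the wire:", attr.hex())
    print("RADIUS server recovers:", reveal_user_password(attr, secret, authenticator))
```

Everything else in the Access-Request (User-Name, NAS-IP-Address, the attribute types and lengths) is visible to anyone on the path between the PIX and 172.18.124.95, which is why the reply contrasts this with TACACS+.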
