enc_GroupPwd on different platforms (client 4.6)

d_p_grant
Level 1

I'm in the process of testing a remote access VPN setup, hopefully soon to deploy. I've noticed that the encrypted group password in the .pcf files is different (for the same password) between Linux and Windows. I don't have a Mac or Solaris test box, but will be supporting those clients as well. I'd like to have pre-built .pcf files for each distribution, rather than giving the actual preshared key to all of my users. Does anybody know if the Solaris and Mac versions use the same encryption as the Linux (or even Windows) version, or whether they are different?

5 Replies

ciscocsoc
Level 4

Hi,

AFAIK each platform uses the same algorithm. Part of the encryption of the group password uses a hash based on the time of profile creation - so unless you generate all your profiles in the same second, they will appear to be different keys - but they will decrypt to the same thing.

HTH

Kind Regards

Cathy

So it seems like I can't create one profile (with the group password already encrypted) on one machine and then import it to others, but need to create a profile with a clear-text group password, that gets encrypted upon first use by each client?

Hi,

Not so.

The hashes created (based on the date) are used as the crypto key for the group password. The key is stored at the front of the value you have in the file. So creating one file will be sufficient.

If you think about it, the client has to be able to decrypt the password before transmitting it to the concentrator. To do this, it must be reversible. The process with the hashes is little more than obfuscation - or a way of generating a random crypto key.

HTH

Cathy

Thanks for the clarification and an explanation of some of the guts underneath the hood. However, I can't get the profiles I've created in Windows to work in Linux. Can you look at my basic process and tell me what I did wrong? (note: I'm not in front of my test box so path names and such are from memory, and are not likely correct).

1) Create the policy in Windows.

2) Connect (success).

3) Copy C:\PATH\policy.pcf to a CD-ROM.

4) Place policy.pcf into /etc/CiscoSystemsVPNClient/Profiles/.

5) Apply dos2unix to the .pcf file to take care of EOL issues.

6) Attempt to connect (fail).

7) Erase the enc_GroupPwd in /etc/CiscoSystemsVPNClient/Profiles/policy.pcf.

8) Type a clear-text group password into the group password field.

9) Connect (success).

10) See that the clear-text password is gone, and enc_GroupPwd is populated.

Thanks,

dg

Hi,

On further investigation I think that there are platform-specific entries in the .pcf files. You will have to generate a unique file for each platform - but you should be able to copy/paste the enc_* values. You should be able to compare a working profile from Linux and Windows and see what the differences are.

Kind Regards

Cathy
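Cathy's suggestion above (compare a working Linux profile with a working Windows one and copy the enc_* values across) as an added example, not code from the thread or from Cisco: it parses two constructed sample .pcf profiles, normalises the CRLF line endings that dos2unix would fix, reports the keys that differ, and builds a Linux profile carrying the Windows enc_GroupPwd. The host name and the enc_GroupPwd hex string are placeholders, and the check for a non-empty clear-text GroupPwd is an assumption about what you would not want to ship to users.

```python
# Added example, not code from the thread: compare a Windows-generated and a
# Linux-generated Cisco VPN client .pcf profile and carry the enc_* values across.
# Both profiles below are constructed samples; the enc_GroupPwd hex is a placeholder.
import configparser

WINDOWS_PCF = (
    "[main]\r\nDescription=test policy\r\nHost=vpn.example.com\r\nAuthType=1\r\n"
    "GroupName=remote\r\nGroupPwd=\r\n"
    "enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\r\n"
    "EnableISPConnect=0\r\nISPConnectType=0\r\nUsername=\r\n"
)
LINUX_PCF = (
    "[main]\nDescription=test policy\nHost=vpn.example.com\nAuthType=1\n"
    "GroupName=remote\nGroupPwd=\nenc_GroupPwd=\nUsername=\n"
)

def parse_pcf(text):
    """Return the [main] section as a dict, normalising CRLF the way dos2unix does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: enc_GroupPwd, not enc_grouppwd
    cp.read_string(text.replace("\r\n", "\n"))
    return dict(cp["main"])

def diff_profiles(a, b):
    """Keys only in a, only in b, and keys present in both with different values."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(k for k in set(a) & set(b) if a[k] != b[k])
    return {"only_in_a": only_a, "only_in_b": only_b, "changed": changed}

def merge_enc_values(target, source):
    """Copy every non-empty enc_* value from source into a copy of target;
    the target's own platform-specific entries are left untouched."""
    merged = dict(target)
    for key, value in source.items():
        if key.startswith("enc_") and value:
            merged[key] = value
    return merged

def cleartext_secrets(profile):
    """Fields that would ship a password in clear text if this file were distributed."""
    return [k for k in ("GroupPwd", "UserPassword") if profile.get(k)]

def render_pcf(profile):
    """Write the profile back out with LF line endings for the Linux client."""
    return "[main]\n" + "".join(f"{k}={v}\n" for k, v in profile.items())

if __name__ == "__main__":
    win, lin = parse_pcf(WINDOWS_PCF), parse_pcf(LINUX_PCF)
    print(diff_profiles(win, lin))
    print(render_pcf(merge_enc_values(lin, win)))
```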
