Cisco Support Community
Community Member

Cisco VPN client and MS RADIUS

We have users currently using a Windows RAS server with IAS authentication with PPTP.

I want to move them to a 3005 concentrator (we have two not being used) and use the Cisco VPN client with IPSEC, also using the Windows RADIUS (IAS) for authentication to Active Directory.

I have a working config for the client and it is authenticating, but I am concerned that you cannot set up IAS to work with IPSEC unless you configure the policy for "Unencrypted Authentication (PAP, SPAP)" on the Authentication tab and "No Encryption" on the Encryption tab.

Are the credentials encrypted using IPSEC when establishing the tunnel from Cisco VPN client?

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: Cisco VPN client and MS RADIUS

For RADIUS PAP authentication, the username is cleartext and the password is encrypted with the RADIUS shared secret.

To maximize security, you would use TACACS+ or transport mode IPSec and isolated VLANs. But for most of us, strong passwords and physical security will prevent RADIUS PAP from being a significant weakness.

6 REPLIES
Silver

Re: Cisco VPN client and MS RADIUS

In the Active Directory Users and Computers console, expand your domain. Right-click Users. Scroll to select New User. Create a new user called tac. Type a password in the Password and Confirm Password dialog boxes. Clear the User Must Change Password at Next Logon field and click Next. Open the User tac Properties box. Switch to the Dial-In tab. Under Remote Access Permission (Dial-in or VPN), click Allow Access, then click OK.

Community Member

Re: Cisco VPN client and MS RADIUS

Thanks for the reply, but what does this do as far as how the concentrator is authenticating to the IAS server?

Right now, everyone is already connecting via a Microsoft VPN connection and has this set in Active Directory.

My concern was:

When users connect to the concentrator and the concentrator sends the authentication request to the IAS server, the authentication is successful, but on the local LAN inside where the IAS server is, the traffic is PAP and unencrypted.

Community Member

Re: Cisco VPN client and MS RADIUS

For RADIUS PAP authentication, the username is cleartext and the password is encrypted with the RADIUS shared secret.

To maximize security, you would use TACACS+ or transport mode IPSec and isolated VLANs. But for most of us, strong passwords and physical security will prevent RADIUS PAP from being a significant weakness.

Community Member

Re: Cisco VPN client and MS RADIUS

Thank you for the reply.

Community Member

Re: Cisco VPN client and MS RADIUS

I have ours set up to work with MS Chap-2 on the Authentication tab and Strongest Encryption on the Encryption tab and it all works.
