Cisco vpn client group password revealer


Hi

Cisco VPN client group passwords can be easily decoded with the password revealer tools, etc., if you have access to the .pcf file (which every client has). As this is a preshared key, is there a better way to harden this? I thought it was a vulnerability in that the group pwd is decrypted in memory in plain text and so is easily hackable. Unclear if the only workaround is IKEv2 or mutual group auth. Is stronger encryption on the pwd even worth pursuing?

This is for IPsec VPN between ASAs and clients running the 5.x client.

thx

1 REPLY

Re: Cisco vpn client group password revealer

I'm also working on this topic. With the password revealer you can easily decrypt the group password. The group name is configured in plain text in the profile, too.

So my additional question is the following: how can it be prevented that an attacker uses this combination of group name and group password during the user authentication? In my configuration this has recently been working: the group combination works in the user authentication process, too. I haven't managed to prevent this. This is a big security issue.

Any ideas? How do other admins configure this?


I use RADIUS authentication and authorization by ACS. I tried the group-lock feature, but in this scenario it doesn't help.

Thanks for your help.
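As an added example (not code from this thread or from Cisco), here is a small Python audit that inventories .pcf profiles and reports which ones distribute a group secret to every client, without decoding anything; it assumes the profile layout (a `[main]` section with `Host`, `AuthType`, `GroupName` and `GroupPwd`/`enc_GroupPwd` keys) and the sample profiles below are constructed.

```python
import configparser

# Constructed sample profiles (assumed .pcf layout, not real deployments).
SAMPLE_PCF_PSK = """[main]
Description=corp-vpn
Host=vpn.example.invalid
AuthType=1
GroupName=employees
enc_GroupPwd=0123456789ABCDEF
"""

SAMPLE_PCF_CERT = """[main]
Description=corp-vpn-cert
Host=vpn.example.invalid
AuthType=3
GroupName=employees
CertName=corp-user
"""

SECRET_KEYS = ("GroupPwd", "enc_GroupPwd")


def audit_pcf(text: str) -> dict:
    """Summarise what a .pcf profile hands to the client.

    A profile that carries a group secret (plain or obfuscated) should be
    treated as if that secret were known to anyone holding the file, since
    the obfuscation is reversible. This function only reports presence.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("profile has no [main] section")
    main = cp["main"]
    secret_keys = [k for k in SECRET_KEYS if main.get(k)]
    return {
        "host": main.get("Host", ""),
        "group": main.get("GroupName", ""),
        "auth_type": main.get("AuthType", ""),
        "group_secret_in_profile": bool(secret_keys),
        "secret_keys": secret_keys,
        "note": ("group secret distributed in profile; assume it is known "
                 "to every profile holder" if secret_keys
                 else "no group secret stored in profile"),
    }


def audit_many(profiles: dict) -> list:
    """Return (name, finding) pairs for profiles that embed a group secret."""
    return [(name, audit_pcf(t)) for name, t in profiles.items()
            if audit_pcf(t)["group_secret_in_profile"]]
```

Run `audit_many` over a directory of exported profiles to list every one that still relies on a shared group secret.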
