08-12-2009 08:33 AM
Hi friends,
I recently started at a new company, where the Cisco VPN Client is used by all remote Windows users. I am not familiar with the client. I see by our Remote Access Policy that the clients authenticate using PAP. This immediately drew my concern.
My question is: does this present a security threat? Even though the auth is unencrypted, it is still happening within a 3DES IPSec tunnel, right? What is the best practice with regard to using the VPN client and authentication?
Thanks in advance!
Equipment:
Cisco VPN Client v5 (latest build) on Windows XP SP3
Microsoft IAS (RADIUS) on W2K3 Server R2 x64
Cisco 3825 Router
IOS 12.4.24T Adv IP Services
08-12-2009 11:35 AM
If my understanding is correct, your VPN client is terminating on the 3825 router. The client gets the username/password prompt after getting phase1 up, therefore it cannot be clear text.
I hope this helps.
Regards
-Syed
08-12-2009 12:45 PM
Yes correct, all clients terminate on the outside interface of our 3825 router. We use group authentication w/ pre-shared key.
From what you are saying, I understand that Phase1 negotiation comes up first, thus wrapping all further communications in 3DES IPSec encryption. This then includes the user/pass transmission.
So therefore, using PAP is no big deal in this configuration? (I am assuming not, otherwise it would not be designed to work this way.) But I just want to be sure.
Thanks in advance for all input.
08-13-2009 05:32 AM
Your understanding is correct.
Thanks
-Syed