
New Member

VPN Client authentication question

Hi friends,

I recently started at a new company, where the Cisco VPN Client is used by all remote Windows users. I am not familiar with the client. I see by our Remote Access Policy that the clients authenticate using PAP. This immediately drew my concern.

My question is does this present a security threat? Even though the auth is unencrypted, it is still happening within a 3DES IPSec tunnel, right? What is the best practice with regards to using the VPN client and authentication?

Thanks in advance!

Equipment:

Cisco VPN Client v5 (latest build) on Windows XP SP3

Microsoft IAS (RADIUS) on W2K3 Server R2 x64

Cisco 3825 Router

IOS 12.4.24T Adv IP Services

1 ACCEPTED SOLUTION

Cisco Employee

Re: VPN Client authentication question

If my understanding is correct, your VPN client is terminating on the 3825 router. The client gets the username/password prompt after getting phase1 up, therefore it cannot be clear text.

I hope this helps.

Regards

-Syed

New Member

Re: VPN Client authentication question

Yes, correct, all clients terminate on the outside interface of our 3825 router. We use group authentication w/ pre-shared key.

From what you are saying, I understand that Phase1 negotiation comes up first, thus wrapping all further communications in 3DES IPSec encryption. This then includes the user/pass transmission.

So therefore, using PAP is no big deal in this configuration? (I am assuming not, otherwise it would not be designed to work this way.) But I just want to be sure.

Thanks in advance for all input.

Cisco Employee

Re: VPN Client authentication question

Your understanding is correct.

Thanks

-Syed
