Hi,
For PAP the password is not encrypted between the user and the NAS device. However, the traffic from NAS to the AAA server is encrypted using the shared secret that is previously configured between the NAS and the AAA server.
Enabling PAP as an authentication protocol means that user passwords are sent from a client to a NAS in plaintext form. The NAS encrypts the password using the shared secret and sends it in an Access-Request packet. Because a RADIUS proxy must encrypt the PAP password using the shared secret of its forwarding RADIUS server, a RADIUS proxy must decrypt the PAP password using the shared secret between the RADIUS proxy and the NAS. A malicious user at a RADIUS proxy can record user names and passwords for PAP connections. For this reason, the use of PAP is highly discouraged, especially for virtual private network connections.
Source: http://technet.microsoft.com/en-us/library/cc958013.aspx
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"