Participant

Is using PAP with L2TP secure?

We are setting up a new VPN using an ASA5500 that sends authentication requests to an ACS that in turn forwards the authentication to an RSA SecurID server. When using the MS L2TP client, the only way to get it to work is by using PAP. How secure is this? Is the authentication encapsulated in IPSEC? Since we are using SecurID tokens, if the username and password are sent in cleartext, is there a real problem if someone does intercept them?

3 REPLIES 3
Contributor

Re: Is using PAP with L2TP secure?

PAP - Passes cleartext username and password during authentication and is NOT Secure.

Refer to this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008066ebb6.html

Beginner

Re: Is using PAP with L2TP secure?

Using PAP with L2TP/IPSEC does *NOT* send your password in clear text over the network (or internet) because the PAP is encapsulated within the IPSEC tunnel. You can prove this by running a network packet trace with Wireshark etc. and seeing that the password isn't in "clear text" (I am going to assume you are using 3DES or AES).

 

There are "more secure" methods. First came PAP, then CHAP (which required passwords be in "reversibly encrypted format"; this is why Microsoft released the "more secure" MSChapV2). Today I would look at PEAP (Protected Extensible Authentication Protocol), PEAP-EAP-TLS Smartcards; also look into IKEv2 "always on VPN" (Cisco created PEAPv1/EAP-GTC or EAP-Fast).

Beginner

Re: Is using PAP with L2TP secure?

I know this thread is old, but how can I test this? I have my VPN set up with L2TP\IPSec, which uses unencrypted PAP. However, when I use Wireshark to do a packet capture, I see the Username and Password being passed right in text, which I can see just shows Configuration Request and then Configuration ACK and Echo Request and Identification and Authentication-Request, which shows the Peer-ID='xxxxxxxxxxx', Password='xxxxxxxxxxxxxxx'.

Any help?
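
A capture-side check for the question discussed in this thread, as an added example (not code from any poster or from Cisco): it labels raw IPv4 packets taken on the outer, physical interface as ESP-protected or as L2TP/PAP readable in the clear. The function names, the sample packets and the `alice`/`123456` credentials are constructed for illustration.

```python
import struct

PPP_PAP = 0xC023  # PPP protocol number for PAP

def ppp_from_l2tp(udp_data):
    """Return the PPP frame carried by an L2TPv2 data message, else None."""
    if len(udp_data) < 6 or udp_data[0] & 0x80 or (udp_data[1] & 0x0F) != 2:
        return None  # too short, control message, or not L2TPv2
    flags = struct.unpack_from("!H", udp_data)[0]
    off = 2 + (2 if flags & 0x4000 else 0) + 4   # flags, optional Length, Tunnel/Session ID
    off += 4 if flags & 0x0800 else 0            # optional Ns/Nr
    if flags & 0x0200 and len(udp_data) >= off + 2:  # optional Offset Size + padding
        off += 2 + struct.unpack_from("!H", udp_data, off)[0]
    return udp_data[off:]

def classify(pkt):
    """Label one raw IPv4 packet as seen on the outer (physical) interface."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 50:                        # ESP: L2TP and PAP are inside, encrypted
        return "esp"
    if proto != 17 or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    data = pkt[ihl + 8:]
    if 4500 in (sport, dport):             # NAT-T: 4 zero bytes mark IKE, otherwise ESP
        return "ike-natt" if data[:4] == b"\0" * 4 else "esp-natt"
    if 1701 not in (sport, dport):
        return "other"
    ppp = ppp_from_l2tp(data)              # L2TP visible here means no IPsec around it
    if ppp and ppp[:2] == b"\xff\x03":     # skip PPP address/control bytes if present
        ppp = ppp[2:]
    if ppp and len(ppp) >= 3 and struct.unpack_from("!H", ppp)[0] == PPP_PAP and ppp[2] == 1:
        return "pap-request-clear"         # PAP Authenticate-Request readable on the path
    return "l2tp-clear"

def ipv4(proto, payload):  # constructed header: zero checksum, documentation addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample packets (not from a real capture)
PAP_REQ = b"\x01\x01\x00\x11\x05alice\x06123456"  # code 1, id 1, length 17, peer-id, password
CLEAR_L2TP = ipv4(17, udp(1701, 1701, struct.pack("!HHH", 2, 1, 1) + b"\xff\x03\xc0\x23" + PAP_REQ))
PROTECTED = ipv4(50, struct.pack("!II", 0x1234ABCD, 1) + bytes(32))
PROTECTED_NATT = ipv4(17, udp(4500, 4500, struct.pack("!II", 0x1234ABCD, 1) + bytes(32)))
```

Feed `classify` the IP-layer bytes of packets exported from a capture; any label ending in `-clear` means L2TP is leaving the host outside IPsec.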