Tacacs+ & PAP ASCII

ciaranjmurphy · ‎07-04-2012

Hi Folks,

I have noticed something in the Tacacs and radius logs that I have a query about. It's not an issue, I'm just looking for some information. I notice that despite having our network devices being configured to use Tacacs+ or radius the 'authentication method' that is specified in the Tacacs and radius logs in ACS 5 is PAP ASCII.

The reason this got my attention is because we use Tacacs+ or radius whch have their own varying levels of encryption this is why we use them but PAP, which is shown as the authentication method is unencrypted which is what we don't want. In order to see what was going on I ran a Wireshark trace and I can definitely see that the tacacs & radius authentications are being successfully encrypted.

So why am I seeing PAP ASCII as the authentication method in the ACS logs?

Is it a case where tacacs+ is just an encrypted payload in the PAP packet or something to that affect?

Regards

Ciaran

Amjad Abdullah · ‎07-04-2012

Hi,

For PAP the password is not encrypted between the user and the NAS device. However, the traffic from NAS to the AAA server is encrypted using the shared secret that is previously configured between the NAS and the AAA server.

Enabling PAP as an authentication protocol means that user passwords are sent from a client to a NAS in plaintext form. The NAS encrypts the password using the shared secret and sends it in an Access-Request packet. Because a RADIUS proxy must encrypt the PAP password using the shared secret of its forwarding RADIUS server, a RADIUS proxy must decrypt the PAP password using the shared secret between the RADIUS proxy and the NAS. A malicious user at a RADIUS proxy can record user names and passwords for PAP connections. For this reason, the use of PAP is highly discouraged, especially for virtual private network connections.

Source: http://technet.microsoft.com/en-us/library/cc958013.aspx

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"