
Cisco vpn client group password revealer

arathyram
Level 1


Hi

Cisco VPN client group passwords can be easily decoded with password revealer tools etc. if you have access to the .pcf file (which every client has). As this is a preshared key, is there a better way to harden this? I thought it was a vulnerability in that the group pwd is decrypted in memory in plain text and so is easily hackable. Unclear if the only workaround is IKEv2 or mutual group auth. Is stronger encryption on the pwd even worth pursuing?

This is for IPsec VPN between ASAs and clients running the 5.x client.

thx

1 Reply

martinwicher
Level 1

I'm also working on this topic. With the password revealer you can easily decrypt the group password. The group name is configured in plain text in the profile, too.

So my additional question is the following: How can it be prevented that an attacker uses this combination of group name and group password during user authentication? In my configuration this is recently working. The group combination works in the user authentication process, too. I haven't managed to prevent this. This is a big security issue.

Any ideas? How do other admins configure this?


I use RADIUS authentication and authorization by ACS. I tried the group-lock feature, but in this scenario it doesn't help.

Thanks for your help.
