We are setting up a new VPN using an ASA5500 that sends authentication requests to an ACS that in turn forwards the authentication to an RSA SecurID server. When using the MS L2TP client the only way to get it to work is by using PAP. How secure is this? Is the authentication encapsulated in IPSEC? Since we are using SecurID tokens, if the username and password are sent in cleartext, is there a real problem if someone does intercept it?
PAP passes the cleartext username and password during authentication and is NOT secure.
Refer to this link:
Using PAP with L2TP/IPSEC does *NOT* send your password in clear text over the network (or the internet), because the PAP exchange is encapsulated within the IPSEC tunnel. You can prove this by running a network packet trace with Wireshark etc. and seeing that the password isn't in "clear text" (I am going to assume you are using 3DES or AES).
There are "more secure" methods. First came PAP, then CHAP (which required passwords to be stored in "reversibly encrypted format"; this is why Microsoft released the "more secure" MSChapV2). Today I would look at PEAP (Protected Extensible Authentication Protocol) / PEAP-EAP-TLS with smartcards; also look into IKEv2 "always on VPN" (Cisco created PEAPv1/EAP-GTC or EAP-FAST).
I know this thread is old, but how can I test this? I have my VPN set up with L2TP/IPSec, which uses unencrypted PAP. However, when I use Wireshark to do a packet capture I see the username and password being passed right in plain text: I can see Configuration Request, then Configuration ACK, Echo Request, Identification and an Authentication-Request which shows Peer-ID='xxxxxxxxxxx', Password='xxxxxxxxxxxxxxx'.
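As an added example (not code from anyone in this thread), here is a small Python classifier for the test the last reply asks about: given one captured IPv4 packet, it reports whether L2TP is travelling on bare UDP/1701 with a readable PPP PAP Authenticate-Request, or whether the outer packet is ESP, in which case PPP and PAP are inside the ciphertext and nothing credential-like is visible. The two sample packets are constructed inline; the user name, passcode, addresses and SPI are made up.

```python
import struct

PPP_PAP, PAP_AUTH_REQ = 0xC023, 1           # PPP protocol number for PAP; Authenticate-Request code
def ipv4(proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) around a payload; addresses are made up."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def classify(pkt):
    """Report what a passive observer can read from one IPv4 packet of the VPN session."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 50:                              # ESP: PPP (and the PAP exchange) are inside the ciphertext
        return {"transport": "esp", "spi": struct.unpack("!I", pkt[ihl:ihl + 4])[0]}
    if proto != 17 or 1701 not in struct.unpack("!HH", pkt[ihl:ihl + 4]):
        return {"transport": "other"}            # not L2TP over UDP/1701
    l2tp = pkt[ihl + 8:]                         # skip the 8-byte UDP header
    flags = struct.unpack("!H", l2tp[:2])[0]
    if flags & 0x8000:                           # T bit: L2TP control message, carries no PPP
        return {"transport": "l2tp-control"}
    off = 2 + (2 if flags & 0x4000 else 0) + 4   # flags, optional Length (L bit), Tunnel ID + Session ID
    off += 4 if flags & 0x0800 else 0            # S bit: Ns/Nr present
    if flags & 0x0200:                           # O bit: Offset Size field plus that many pad bytes
        off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]
    ppp = l2tp[off:]
    if ppp[:2] == b"\xff\x03":                   # optional HDLC address/control bytes before PPP
        ppp = ppp[2:]
    result = {"transport": "l2tp-cleartext", "ppp_protocol": struct.unpack("!H", ppp[:2])[0]}
    if result["ppp_protocol"] == PPP_PAP and ppp[2] == PAP_AUTH_REQ:
        n = ppp[6]                               # RFC 1334 layout: Peer-ID-Length, Peer-ID,
        m = ppp[7 + n]                           #                  Passwd-Length, Password
        result["peer_id"] = ppp[7:7 + n].decode()
        result["password"] = ppp[8 + n:8 + n + m].decode()
    return result

def pap_request(peer_id, password):
    """Build a PPP PAP Authenticate-Request (identifier 1) for the constructed sample."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!HBBH", PPP_PAP, PAP_AUTH_REQ, 1, 4 + len(body)) + body

# Constructed samples: the same PAP exchange on bare UDP/1701 and inside an ESP packet.
PAP = pap_request(b"alice", b"1234567890")      # made-up user and PIN+tokencode passcode
L2TP_DATA = struct.pack("!HHH", 0x0002, 7, 9) + PAP  # L2TPv2 data message, no L/S/O bits
UDP_L2TP = struct.pack("!HHHH", 1701, 1701, 8 + len(L2TP_DATA), 0) + L2TP_DATA
CLEAR_PKT = ipv4(17, UDP_L2TP)
ESP_PKT = ipv4(50, struct.pack("!II", 0x0A1B2C3D, 1) + b"\x00" * 48)  # SPI, seq, opaque ciphertext
```

Run `classify()` over the IPv4 packets of a real capture: a session that only ever yields `esp` is the encapsulated case described above, while any `l2tp-cleartext` result with a `peer_id` key means PAP is on the wire unprotected.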