MS PPTP

TC Wolsey twolsey at realtech.com
Wed Dec 1 17:54:07 EST 1999


> Steve Cundall <SCundall at ariba.com> 11/30/99 11:47AM >>>
>One hitch when using NT domain database and Radius with the current version
>of Cisco secure, is that it doesn't support CHAP, just PAP and MS-CHAP. CHAP
>works fine if the users are in the CS database, just not if they are in NT.
>I am not sure if they are going to fix this or not, as I have my Cisco
>people looking into this issue.
>
>-Steve

I do not think that Cisco (or any other vendor) will fix it as it is not really their problem. CHAP requires access to the cleartext password to generate the challenge to the client; NT, NDS, /etc/shadow, etc. all store a one-way hash of the password, not the password itself. If cleartext transmission of long-term authentication secrets makes you uneasy (and it should) then use a one-time password or two-factor authentication scheme, e.g. S/Key, SecurID, CryptoCard, etc. If you do use a local file with cleartext (or equivalent) passwords in it, you should take extreme measures to keep it restricted to only the accounts that need to use it, especially as many users given a choice will use duplicate passwords for various authentication methods.

Regards, 

--tcw
>
>-----Original Message-----
>From: David Klann [mailto:dklann at berbee.com] 
>Sent: Monday, November 29, 1999 7:44 PM
>To: vpn at listserv.secnetgroup.com; Misha
>Subject: Re: MS PPTP
>
>
>Yes,
>
>Cisco's "Cisco Secure ACS (Access Control System)" supports both RADIUS and 
>TACACS protocols and can use the NT domain user database for authentication.
>
>-David
>
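Added example, not part of the original messages: a Python sketch of the CHAP computation from RFC 1994, where the verifier recomputes MD5(identifier || secret || challenge), set beside a PAP check against a hashed password store. The password, the salt and the PBKDF2 stand-in for the store's one-way hash are assumptions made for illustration; they are not the NT or /etc/shadow formats.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5 over identifier octet || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a password store's one-way hash (assumed, not NT's format)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def pap_verify(stored_hash: bytes, salt: bytes, submitted: bytes) -> bool:
    """PAP: the password arrives in the clear, so the server can hash and compare."""
    return hmac.compare_digest(one_way_hash(submitted, salt), stored_hash)


def chap_verify(server_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """CHAP: the server must recompute the MD5 using whatever secret it holds."""
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"      # constructed sample password
    salt = bytes(16)                 # fixed salt so the demo is reproducible
    stored_hash = one_way_hash(password, salt)

    identifier = 1
    challenge = os.urandom(16)       # server's random challenge
    client_resp = chap_response(identifier, password, challenge)

    return {
        # Hashed store + PAP: works, at the cost of sending the password.
        "pap_with_hash_store": pap_verify(stored_hash, salt, password),
        # Cleartext store + CHAP: works, but the file is password-equivalent.
        "chap_with_cleartext_store": chap_verify(password, identifier,
                                                 challenge, client_resp),
        # Hashed store + CHAP: the server cannot rebuild the expected value.
        "chap_with_hash_store": chap_verify(stored_hash, identifier,
                                            challenge, client_resp),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```
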

