System information

VPN Concentrator Configuration 167
enabling this capability. The default mode for this attribute is disabled, forcing the VPN
concentrator to supply the address through one of the various means available to the
concentrator.
PPTP Authentication Protocols—During tunnel negotiation, prospective peers
generally authenticate one another through some mechanism. If you check none of the
available options, the tunnel can be negotiated with no authentication at all; use that
only for test purposes. The available authentication protocols are as
follows:
PAP—The Password Authentication Protocol (PAP) passes the username and
password in clear text and is therefore not secure. Although this is the default
setting, it is not a recommended choice for a secure environment. PAP does not
provide data encryption.
CHAP—The Challenge-Handshake Authentication Protocol (CHAP) is also
permitted by default, but is also not particularly secure. In response to a
challenge from the server, the client hashes (with MD5) the challenge together with
its password and returns the hash to the server along with the clear text username.
The server must hold the password in clear text to recompute the hash, and anyone
who captures the challenge and the response can test password guesses offline.
CHAP does not provide data encryption.
MSCHAPv1—The Microsoft Challenge-Handshake Authentication Protocol
version 1 (MSCHAPv1) improves on CHAP in that the server stores and compares
password hashes rather than clear text passwords. MSCHAPv1 can encrypt data using
the Microsoft Point-to-Point Encryption (MPPE) Protocol; the MPPE keys are derived
from the password hash, so their strength is bounded by the strength of the password.
MSCHAPv2—The Microsoft Challenge-Handshake Authentication Protocol
version 2 (MSCHAPv2) is a step up from MSCHAPv1 because it requires
mutual client-server authentication. MPPE can also be used here for data
encryption using keys that are unique for each session. MSCHAPv2 also uses
different keys for the send and receive functions.
EAP Proxy—The Extensible Authentication Protocol (EAP) Proxy lets the
VPN concentrator offload the authentication process to an external RADIUS
server, providing additional authentication services such as EAP/MD5,
Smartcards and certificates (EAP/TLS), and RSA SecurID (EAP/SDI). EAP
Proxy does not support encryption.
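The following Python is an added example, not code from the book or from Cisco. It builds the PAP Authenticate-Request and the CHAP Response packets a PPTP client sends over the PPP link and shows why a captured CHAP exchange still leaks the password: the response value is plain MD5(Identifier || secret || challenge) as specified in RFC 1994, so an observer who sees the challenge and the response can test candidate passwords offline. The user name, secret, challenge, identifier and word list are constructed for the example; a real authenticator picks a fresh random challenge for every attempt.

```python
"""PAP versus CHAP on the PPP link that PPTP carries.

Added example (not the book's or Cisco's code). It builds the two
authentication packets a PPTP client sends and shows why a captured
CHAP exchange still leaks the password: the response value is plain
MD5(Identifier || secret || challenge) (RFC 1994), so an observer can
test candidate passwords offline. The user name, secret, challenge
and word list below are constructed for the example.
"""
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1   # RFC 1334 Authenticate-Request code
CHAP_RESPONSE = 2      # RFC 1994 Response code


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 5.1: Code | Identifier | Length | Peer-ID-Len | Peer-ID | Pw-Len | Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """RFC 1994 4.1: Code | Identifier | Length | Value-Size | Value | Name (name is clear text)."""
    value = chap_response_value(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_chap_response(packet: bytes):
    """Split a CHAP Response into (identifier, value, name); what a sniffer recovers."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or length != len(packet):
        raise ValueError("not a well-formed CHAP Response")
    size = packet[4]
    return identifier, packet[5:5 + size], packet[5 + size:]


def chap_verify(identifier: int, secret: bytes, challenge: bytes, value: bytes) -> bool:
    """Authenticator side. It needs the clear text secret to recompute the hash."""
    return hmac.compare_digest(chap_response_value(identifier, secret, challenge), value)


def offline_guess(challenge: bytes, captured_packet: bytes, wordlist):
    """Attacker who captured the Challenge and the Response: test guesses offline."""
    identifier, value, _name = parse_chap_response(captured_packet)
    for candidate in wordlist:
        if chap_response_value(identifier, candidate, challenge) == value:
            return candidate
    return None


# Constructed sample exchange. The challenge is fixed so the run is reproducible;
# a real authenticator uses a fresh random challenge, e.g. os.urandom(16).
USERNAME = b"vpnuser"
SECRET = b"winter2003"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENTIFIER = 0x2A
WORDLIST = [b"password", b"cisco123", b"winter2003", b"letmein"]

if __name__ == "__main__":
    pap = pap_authenticate_request(IDENTIFIER, USERNAME, SECRET)
    print("PAP packet carries the password verbatim:", SECRET in pap)
    chap = chap_response_packet(IDENTIFIER, SECRET, CHALLENGE, USERNAME)
    print("CHAP packet carries the password verbatim:", SECRET in chap)
    print("but offline guessing against the capture recovers it:",
          offline_guess(CHALLENGE, chap, WORDLIST))
```

The PAP packet contains the password bytes as-is; the CHAP packet does not, but because the hash has no salt beyond the challenge the attacker can run a word list against the captured pair as fast as MD5 allows. That is the gap MSCHAP closes only partly (the server stores a hash instead of the clear text secret), and the reason a RADIUS/EAP back end with certificates or tokens is the better choice where it is available.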
PPTP Encryption—Select the type of PPTP encryption that you want to use from
these options:
Required—If you select this option, clients must use MPPE encryption. This
means that you can only select MSCHAPv1 and MSCHAPv2 as the allowable
authentication protocols when using this option. You must also select 40-bit
encryption, 128-bit encryption, or both in this category.
Require Stateless—Under this encryption scheme, the encryption key is
changed with each packet transferred, so a lost packet does not leave the two
ends with different cipher state; this suits lossy links at the cost of a rekey
per packet.
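The following Python is an added example, not code from the book or from Cisco. It shows the per-packet rekey of stateless MPPE, following the key-change procedure of RFC 3078 for 128-bit keys: a SHA-1 over the start key, two fixed pads and the current session key gives an interim key, which is then RC4-encrypted with itself to form the next session key. The sender rekeys before every packet and sets the A (flushed) bit in the 16-bit MPPE header; the receiver uses the 12-bit coherency count to perform one key change for every packet the sender emitted, including any it never received, which is what makes the mode tolerant of loss. The 16-byte start key and the packet contents are constructed for the example; in PPTP the start key is derived from the MS-CHAP exchange (RFC 3079), with a separate key for each direction, which is outside this example.

```python
"""Stateless MPPE: a new RC4 key for every packet (RFC 3078, 128-bit keys).

Added example, not code from the book or from Cisco. Shows the RFC 3078
key change (SHA-1 over start key, pads and current session key, then
RC4 of the interim key with itself), a sender that rekeys before every
packet and flags it with the A bit, and a receiver that uses the 12-bit
coherency count to perform the key changes for any packets it missed.
The start key and the packet contents are constructed for the example.
"""
import hashlib

SHA_PAD1 = bytes(40)             # forty 0x00 octets (RFC 3078 7.2)
SHA_PAD2 = bytes([0xF2]) * 40    # forty 0xF2 octets
KEY_LEN = 16                     # 128-bit MPPE
MPPE_FLUSHED = 0x8000            # A bit: key was changed before this packet
MPPE_ENCRYPTED = 0x1000          # D bit: payload is encrypted
COUNT_MASK = 0x0FFF              # 12-bit coherency count


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the cipher MPPE uses; written inline because hashlib has none."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def get_new_key_from_sha(start_key: bytes, session_key: bytes) -> bytes:
    """RFC 3078 7.2 GetNewKeyFromSHA: SHA-1(start || pad1 || session || pad2), truncated."""
    digest = hashlib.sha1(start_key[:KEY_LEN] + SHA_PAD1 +
                          session_key[:KEY_LEN] + SHA_PAD2).digest()
    return digest[:KEY_LEN]


def change_key(start_key: bytes, session_key: bytes) -> bytes:
    """RFC 3078 7.2 ChangeKey, 128-bit case: SessionKey = RC4_InterimKey(InterimKey)."""
    interim = get_new_key_from_sha(start_key, session_key)
    return rc4(interim, interim)


class StatelessSender:
    def __init__(self, start_key: bytes):
        self.start_key = start_key
        self.session_key = start_key
        self.count = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        # Stateless mode: rekey before EVERY packet and set the A bit on each.
        self.session_key = change_key(self.start_key, self.session_key)
        header = MPPE_FLUSHED | MPPE_ENCRYPTED | (self.count & COUNT_MASK)
        self.count = (self.count + 1) & COUNT_MASK
        return header.to_bytes(2, "big") + rc4(self.session_key, plaintext)


class StatelessReceiver:
    def __init__(self, start_key: bytes):
        self.start_key = start_key
        self.session_key = start_key
        self.expected = 0

    def decrypt(self, packet: bytes) -> bytes:
        header = int.from_bytes(packet[:2], "big")
        if not header & MPPE_FLUSHED:
            raise ValueError("stateless mode requires the A bit on every packet")
        count = header & COUNT_MASK
        # One key change per packet the sender produced since the last one we
        # saw, including lost ones, so a dropped packet does not desynchronise us.
        changes = ((count - self.expected) & COUNT_MASK) + 1
        for _ in range(changes):
            self.session_key = change_key(self.start_key, self.session_key)
        self.expected = (count + 1) & COUNT_MASK
        return rc4(self.session_key, packet[2:])


START_KEY = bytes(range(16))  # constructed; really derived per direction (RFC 3079)

if __name__ == "__main__":
    sender, receiver = StatelessSender(START_KEY), StatelessReceiver(START_KEY)
    packets = [sender.encrypt(p) for p in (b"packet zero", b"packet one", b"packet two")]
    print(receiver.decrypt(packets[0]))
    print(receiver.decrypt(packets[2]))   # packet one lost; receiver catches up
```

The cost of this mode is visible in the code: every packet pays a SHA-1, a 256-byte RC4 key schedule for the interim key and a second one for the session key, which is why the stateful mode (rekey only every 256 packets) exists for links that rarely drop packets.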
chpt_04.fm Page 167 Friday, April 4, 2003 9:19 AM