Pptp Encryption - Cisco VPN 3000 User Manual


VPN 3000 Concentrator Series User Guide

PPTP Authentication Protocols

These choices specify the allowable authentication protocols in order from least secure to most secure.

PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol (the default).

CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, and is allowed by default.

EAP = Extensible Authentication Protocol. This protocol is allowed by default. It supports EAP-MD5 (MD5-Challenge) authentication, which is analogous to the CHAP protocol, with the same level of security.

MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores, and compares, only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). This protocol is allowed by default. If you check Required under PPTP Encryption below, you must allow one or both MSCHAP protocols and no other.

MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. This protocol is not allowed by default. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under PPTP Encryption below, you must allow one or both MSCHAP protocols and no other.

PPTP Encryption

Check the boxes for the data encryption options that apply to PPTP clients.

Required = During connection setup, PPTP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. This option is not checked by default. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under PPTP Authentication above, and you must also check 40-bit and/or 128-bit here. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

Require Stateless = During connection setup, PPTP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is not checked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

40-bit = PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 128-bit option.

128-bit = PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit encryption software.
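As an added example (not part of the Cisco guide and not the concentrator's own software), the following Python models the Base Group PPTP check boxes described above and checks the interdependencies the text states: Required needs MSCHAP-only authentication and at least one key length, NT Domain authentication cannot be combined with Required or Require Stateless, MSCHAPv2 needs the internal authentication server, and allowing PAP or 40-bit RC4 weakens the group. The PptpGroupConfig class and check_pptp_config function are hypothetical names chosen here.

```python
from dataclasses import dataclass

# Allowed PPTP authentication protocols, in the guide's order (least to most secure).
AUTH_PROTOCOLS = ("PAP", "CHAP", "EAP", "MSCHAPv1", "MSCHAPv2")
MSCHAP = frozenset({"MSCHAPv1", "MSCHAPv2"})


@dataclass(frozen=True)
class PptpGroupConfig:
    """Hypothetical model of the Base Group PPTP check boxes (not the device's own API)."""
    auth_protocols: frozenset            # PPTP Authentication Protocols that are checked
    required: bool = False               # PPTP Encryption: Required (off by default)
    require_stateless: bool = False      # PPTP Encryption: Require Stateless (off by default)
    key_40bit: bool = True               # 40-bit RC4 allowed (on by default)
    key_128bit: bool = True              # 128-bit RC4 allowed (on by default)
    nt_domain_auth: bool = False         # users are authenticated against an NT Domain server
    external_auth_server: bool = False   # any authentication server other than the internal one


def check_pptp_config(cfg: PptpGroupConfig) -> list:
    """Return consistency and weakness findings; an empty list satisfies every rule above."""
    findings = []
    unknown = cfg.auth_protocols - set(AUTH_PROTOCOLS)
    if unknown:
        findings.append("unknown authentication protocols: " + ", ".join(sorted(unknown)))
    if "PAP" in cfg.auth_protocols:
        findings.append("PAP allowed: cleartext username and password during authentication")
    if cfg.required:
        if not cfg.auth_protocols & MSCHAP:
            findings.append("Required is checked but neither MSCHAPv1 nor MSCHAPv2 is allowed")
        non_mschap = cfg.auth_protocols - MSCHAP
        if non_mschap:
            findings.append("Required is checked but non-MSCHAP protocols are allowed: "
                            + ", ".join(sorted(non_mschap)))
        if not (cfg.key_40bit or cfg.key_128bit):
            findings.append("Required is checked but neither 40-bit nor 128-bit is checked")
    if cfg.nt_domain_auth and (cfg.required or cfg.require_stateless):
        findings.append("NT Domain authentication cannot negotiate encryption: "
                        "clear Required and Require Stateless")
    if "MSCHAPv2" in cfg.auth_protocols and cfg.external_auth_server:
        findings.append("MSCHAPv2 is supported only by the internal authentication server")
    if cfg.key_40bit:
        findings.append("40-bit RC4 allowed: significantly less secure than 128-bit")
    return findings


if __name__ == "__main__":
    # Constructed sample: the guide's defaults (PAP, CHAP, EAP, MSCHAPv1; 40-bit and 128-bit).
    for finding in check_pptp_config(PptpGroupConfig(frozenset({"PAP", "CHAP", "EAP", "MSCHAPv1"}))):
        print("-", finding)
```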
Configuration | User Management | Base Group
12-13
