Value / Inherit; Use Client Address; Pptp Authentication Protocols - Cisco VPN 3000 User Manual

Value / Inherit?

On this tabbed section:
• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given
setting from the base group? To inherit the setting, check the box (default). To override the base-group
setting, clear the check box. If you clear the check box, you must also enter or change any
corresponding Value field; do not leave the field blank.
• The Value column thus shows either base-group parameter settings that also apply to this group
( Inherit? checked), or unique parameter settings configured for this group ( Inherit? cleared).
Note:
The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before
continuing and be sure its setting reflects your intent.

Use Client Address

Check the box to accept and use an IP address that this group's client supplies. A client must have an IP
address to function as a tunnel endpoint; but for maximum security, we recommend that you control IP
address assignment and not allow client-specified IP addresses.
Make sure the setting here is consistent with the setting for Use Client Address on the Configuration | System
| Address Management | Assignment

PPTP Authentication Protocols

Check the boxes for the authentication protocols that this group's PPTP clients can use. To establish and
use a VPN tunnel, users should be authenticated according to some protocol.
Caution:
Unchecking all authentication options means that no authentication is required. That is, PPTP users can
connect with no authentication. This configuration is allowed so you can test connections, but it is not
secure.
These choices specify the allowable authentication protocols in order from least secure to most secure.
You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a
grayed-out protocol.
VPN 3000 Concentrator Series User Guide
PAP = Password Authentication Protocol. This protocol passes cleartext username and password
during authentication and is not secure. We strongly recommend that you not allow this protocol.
CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the
client returns the encrypted [challenge plus password], with a cleartext username. It is more secure
than PAP.
EAP = Extensible Authentication Protocol. This protocol supports -MD5 (MD5-Challenge)
authentication, which is analogous to the CHAP protocol, with the same level of security.
= Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is
MSCHAPv1
similar to, but more secure than, CHAP. In response to the server challenge, the client returns the
encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—
Configuration | User Management | Groups | Add or Modify (Internal)
screen.
12-29