L2Tp Authentication Protocols; L2Tp Encryption - Cisco VPN 3000 User Manual

12 User Management

L2TP Authentication Protocols

Check the boxes for the authentication protocols that L2TP clients can use. To establish and use a VPN tunnel, users should be authenticated according to some protocol.

Caution: Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol (the default).

CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, and is allowed by default.

EAP = Extensible Authentication Protocol. This protocol is allowed by default. It supports EAP-MD5 (MD5-Challenge) authentication, which is analogous to the CHAP protocol, with the same level of security.

MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). This protocol is allowed by default. If you check Required under L2TP Encryption below, you must allow one or both MSCHAP protocols and no other.

MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. This protocol is not allowed by default. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under L2TP Encryption below, you must allow one or both MSCHAP protocols and no other.

L2TP Encryption

Check the boxes for the data encryption options that apply to L2TP clients.

Required = During connection setup, L2TP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. This option is not checked by default. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under L2TP Authentication Protocols above, and you must also check 40-bit and/or 128-bit here. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

Require Stateless = During connection setup, L2TP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is not checked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

12-14 VPN 3000 Concentrator Series User Guide
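As an added example (not code from the Cisco manual or the VPN 3000 software), the following Python checker encodes the rules stated in the L2TP Authentication Protocols and L2TP Encryption sections above, so a group configuration can be reviewed before it is applied. The L2tpGroupConfig fields, the external-server check and the warning texts are assumptions about how the group settings would be represented.

```python
"""Check an L2TP group's authentication/encryption settings against the manual's rules."""
from dataclasses import dataclass, field

# Protocols in the order the manual lists them: least secure to most secure.
AUTH_ORDER = ("PAP", "CHAP", "EAP", "MSCHAPv1", "MSCHAPv2")
MSCHAP = {"MSCHAPv1", "MSCHAPv2"}


@dataclass
class L2tpGroupConfig:
    """Assumed representation of the check boxes on the group's L2TP tab."""
    auth_protocols: set                           # checked L2TP Authentication Protocols
    encryption_required: bool = False             # "Required" under L2TP Encryption
    require_stateless: bool = False               # "Require Stateless"
    key_lengths: set = field(default_factory=set)  # subset of {"40-bit", "128-bit"}
    nt_domain_auth: bool = False                  # group uses NT Domain user authentication
    external_auth_server: bool = False            # users verified by an external server


def validate(cfg):
    """Return (errors, warnings). Errors are combinations the manual says will not work."""
    errors, warnings = [], []
    unknown = cfg.auth_protocols - set(AUTH_ORDER)
    if unknown:
        errors.append(f"unknown protocols: {sorted(unknown)}")
    if not cfg.auth_protocols:
        warnings.append("no protocol allowed: L2TP users connect unauthenticated (testing only)")
    if "PAP" in cfg.auth_protocols:
        warnings.append("PAP passes username and password in cleartext")
    if cfg.encryption_required:
        if not cfg.auth_protocols or not cfg.auth_protocols <= MSCHAP:
            errors.append("Required encryption needs one or both MSCHAP protocols and no other")
        if not cfg.key_lengths:
            errors.append("Required encryption needs 40-bit and/or 128-bit checked")
        if cfg.nt_domain_auth:
            errors.append("NT Domain authentication cannot negotiate encryption")
    if cfg.require_stateless and cfg.nt_domain_auth:
        errors.append("Require Stateless is incompatible with NT Domain authentication")
    if cfg.external_auth_server and cfg.auth_protocols == {"MSCHAPv2"}:
        warnings.append("external authentication servers do not support MSCHAPv2")
    return errors, warnings


def weakest_allowed(cfg):
    """Weakest protocol a client may still negotiate, i.e. the group's real floor."""
    for proto in AUTH_ORDER:
        if proto in cfg.auth_protocols:
            return proto
    return None
```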
