Pptp Encryption; L2Tp Authentication Protocols - Cisco VPN 3000 User Manual

12
User Management
and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). If you check Required under PPTP Encryption below, you must allow one or both MSCHAP protocols and no other.

MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under PPTP Encryption below, you must allow one or both MSCHAP protocols and no other.

PPTP Encryption

Check the boxes for the data encryption options that apply to this group's PPTP clients.

Required = During connection setup, this group's PPTP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under PPTP Authentication Protocols above, and you must also check 40-bit and/or 128-bit here.

Require Stateless = During connection setup, this group's PPTP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet.

40-bit = This group's PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must check this option and/or the 128-bit option.

128-bit = This group's PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit encryption software.

L2TP Authentication Protocols

Check the boxes for the authentication protocols that this group's L2TP clients can use. To establish and use a VPN tunnel, users should be authenticated according to some protocol.

Caution: Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure. You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a grayed-out protocol.

PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol.

12-30
VPN 3000 Concentrator Series User Guide
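The dependency rules stated on this page (Required needs MSCHAPv1/v2 only plus a 40-bit and/or 128-bit key, a group may not allow more protocols than its base group, PAP and unauthenticated L2TP are insecure) can be checked before a group's settings are saved. The validator below is an added example, not code from the Cisco manual or from the Concentrator itself; the setting names and the dict layout are assumptions made for this example.

```python
# Added example: consistency checks for one group's PPTP/L2TP settings.
# Setting names (pptp_auth, l2tp_auth, pptp_required, ...) are assumed for
# this example; the rules encoded are the ones the manual page states.

MSCHAP = {"MSCHAPv1", "MSCHAPv2"}


def check_group(group, base=None):
    """Return a list of (severity, message) findings for one group.

    group/base are dicts with (assumed) keys:
      pptp_auth, l2tp_auth: sets of allowed authentication protocol names
      pptp_required, pptp_stateless, pptp_40bit, pptp_128bit: booleans
    An empty list means the settings are consistent and carry no warning.
    """
    findings = []
    pptp = set(group.get("pptp_auth", ()))
    l2tp = set(group.get("l2tp_auth", ()))

    if group.get("pptp_required"):
        # Required => only MSCHAPv1 and/or MSCHAPv2 may be allowed, nothing else.
        if not pptp or not pptp <= MSCHAP:
            findings.append(("error", "PPTP Required needs MSCHAPv1/v2 only; "
                             "allowed: %s" % sorted(pptp)))
        # Required => 40-bit and/or 128-bit must also be checked.
        if not (group.get("pptp_40bit") or group.get("pptp_128bit")):
            findings.append(("error", "PPTP Required needs 40-bit and/or 128-bit"))

    # PAP sends username and password in cleartext.
    for protos, label in ((pptp, "PPTP"), (l2tp, "L2TP")):
        if "PAP" in protos:
            findings.append(("warning", f"{label} allows PAP (cleartext credentials)"))

    # No L2TP authentication checked means anyone can connect (test-only setting).
    if not l2tp:
        findings.append(("warning", "L2TP: no authentication protocol checked"))

    if group.get("pptp_40bit") and not group.get("pptp_128bit"):
        findings.append(("info", "PPTP: only 40-bit MPPE allowed; weaker than 128-bit"))

    # A group may allow fewer protocols than its base group, never more.
    if base is not None:
        for key, label in (("pptp_auth", "PPTP"), ("l2tp_auth", "L2TP")):
            extra = set(group.get(key, ())) - set(base.get(key, ()))
            if extra:
                findings.append(("error", f"{label} exceeds base group: {sorted(extra)}"))
    return findings
```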
