L2Tp Authentication Protocols; Add Or Apply / Cancel - Cisco VPN 3000 User Manual

L2TP Authentication Protocols

Check the boxes for the authentication protocols that this L2TP user (client) can use. To establish and
use a VPN tunnel, users should be authenticated according to some protocol.
Caution:
Unchecking all authentication options means that no authentication is required. That is, L2TP users can
connect with no authentication. This configuration is allowed so you can test connections, but it is not
secure.
These choices specify the allowable authentication protocols in order from least secure to most secure.
You can allow a user to use fewer protocols than the assigned group, but not more. You cannot allow a
grayed-out protocol.

Add or Apply / Cancel

When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen
to Add this user to the list of configured internal users, or to Apply your changes. Both actions include
your settings in the active configuration. The Manager returns to the Configuration | User Management |
Users
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the
top of the Manager window.
To discard your settings, click Cancel . The Manager returns to the Configuration | User Management | Users
screen, and the Current Users list is unchanged.
VPN 3000 Concentrator Series User Guide
PAP = Password Authentication Protocol. This protocol passes cleartext username and password
during authentication and is not secure. We strongly recommend that you not allow this protocol.
CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the
client returns the encrypted [challenge plus password], with a cleartext username. It is more secure
than PAP.
= Extensible Authentication Protocol. This protocol supports -MD5 (MD5-Challenge)
EAP
authentication, which is analogous to the CHAP protocol, with the same level of security.
= Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is
MSCHAPv1
similar to, but more secure than, CHAP. In response to the server challenge, the client returns the
encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—
and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This
protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is
even more secure than MSCHAPv1. It requires mutual client-server authentication, uses
session-unique keys for data encryption by MPPE, and derives different encryption keys for the
send and receive paths.
screen. Any new users appear in alphabetical order in the Current Users list.
Configuration | User Management | Users | Add or Modify
End of Chapter
12-43