Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2263
Views
0
Helpful
5
Replies

Protecting RRAS VPNs - PAP vs CHAP

Go to solution
_md
Level 1
Level 1

‎02-09-2020 07:07 PM

We’re looking at the documentation and for protecting RRAS VPNs with Duo and have a query around CHAP and PAP authentication.

We’re not 100% clear on the advantages of using CHAP in a Duo environment. According to the documentation the credentials between the VPN client and RRAS server are always PAP, which is ok because they’re passed through a previously encrypted tunnel (eg. L2TP).

However, what isn’t made clear is how these credentials are then passed from RRAS to the Duo Proxy. If it’s PAP, does the request from RRAS to the Duo Proxy send the credentials in cleartext? This KB article states:

The user credentials are then passed through this encrypted channel to the VPN, and on to the Duo Authentication Proxy using PAP, with the specified shared key used to encrypt the password, on your internal network.

This does not make much sense, it seems to be suggesting that the VPN shared key is passed to Duo, along with the encrypted payload containing the password?

Is this correct? What impact does using CHAP have on this behavior?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to _md

‎02-20-2020 08:46 AM

Typically customers want to use CHAP with the Authentication proxy when they want to support password change at login. The Duo proxy only supports that when the authentication is RADIUS end-to-end, and with MSCHAPv2, not PAP.

Duo, not DUO.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
_md
Level 1
Level 1

‎02-11-2020 05:18 PM

Ok so we did a packet capture on the Duo proxy/RRAS server and the password appears to be encrypted with the RADIUS key as it’s being passed from RRAS to Duo. - this now make sense.

I guess the final piece is understanding what CHAP brings to the table over PAP in the context of a Duo deployment.

0 Helpful

Go to solution
_md
Level 1
Level 1

‎02-19-2020 09:09 PM

Is there anyone I can reach out to to get a better understanding of how CHAP improves security in the Duo deployment context?

0 Helpful

Go to solution
Amy2
Level 5
Level 5
In response to _md

‎02-20-2020 07:29 AM

Hey @_md

Great question! Thank you for sharing this with the community.

I’ll be honest, I do not have expertise in this area to be able to help you. I’ll ask around though and try to find someone who can!

In the meantime, hopefully someone informed can chime in here

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to _md

‎02-20-2020 08:46 AM

Typically customers want to use CHAP with the Authentication proxy when they want to support password change at login. The Duo proxy only supports that when the authentication is RADIUS end-to-end, and with MSCHAPv2, not PAP.

Duo, not DUO.
0 Helpful

Go to solution
_md
Level 1
Level 1
In response to DuoKristina

‎02-20-2020 06:48 PM

Thanks @DuoKristina, that’s exactly what I was looking for.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents