We’re looking at the documentation for protecting RRAS VPNs with Duo and have a query around CHAP and PAP authentication.
We’re not 100% clear on the advantages of using CHAP in a Duo environment. According to the documentation, the credentials between the VPN client and the RRAS server are always PAP, which is OK because they’re passed through a previously encrypted tunnel (e.g. L2TP).
However, what isn’t made clear is how these credentials are then passed from RRAS to the Duo Proxy. If it’s PAP, does the request from RRAS to the Duo Proxy send the credentials in cleartext? This KB article states:
"The user credentials are then passed through this encrypted channel to the VPN, and on to the Duo Authentication Proxy using PAP, with the specified shared key used to encrypt the password, on your internal network."
This does not make much sense; it seems to be suggesting that the VPN shared key is passed to Duo, along with the encrypted payload containing the password?
Is this correct? What impact does using CHAP have on this behavior?
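Added example, not part of the original post and not Duo's or Microsoft's code: the "shared key used to encrypt the password" in the KB excerpt is the standard RADIUS User-Password hiding of RFC 2865 section 5.2, which is what a RADIUS PAP Access-Request from RRAS to the Duo Authentication Proxy carries. The block below implements that hiding and its inverse next to the CHAP-Password attribute (RFC 2865 section 5.3, RFC 1994) so the two can be compared directly: with PAP the RADIUS shared secret keys the hiding and never leaves either host, and the proxy needs the secret to recover the password; with CHAP the shared secret plays no part, and the verifying server must hold the user's cleartext password to check the digest. The secret, Request Authenticator, challenge and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # RADIUS hides User-Password in 16-byte blocks (MD5 digest size)


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes, then each block
    is XORed with MD5(secret + previous ciphertext block), seeded with the
    packet's 16-byte Request Authenticator. Only the result travels on the
    wire; the shared secret itself is never sent.
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server (here the Duo proxy) performs it."""
    if len(hidden) == 0 or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Strip the NUL padding (a password cannot legitimately contain NUL bytes).
    return bytes(plain).rstrip(b"\x00")


def chap_password_attribute(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password: the CHAP Ident byte followed by
    MD5(Ident + cleartext password + challenge), per RFC 1994."""
    response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + response


def chap_verify(attribute: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """A CHAP verifier recomputes the digest from the user's cleartext password,
    so the server needs that password (or a reversible form of it); the RADIUS
    shared secret does nothing to protect a CHAP exchange."""
    if len(attribute) != 1 + BLOCK:
        return False
    expected = chap_password_attribute(attribute[0], stored_password, challenge)
    return hmac.compare_digest(attribute, expected)


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    secret = b"example-shared-secret"
    request_authenticator = secrets.token_bytes(BLOCK)
    password = b"correct horse battery staple"  # 28 bytes -> two hidden blocks

    hidden = radius_hide_password(password, secret, request_authenticator)
    print("PAP User-Password on the wire:  ", hidden.hex())
    print("Recovered by proxy with secret: ", radius_unhide_password(hidden, secret, request_authenticator))
    print("Recovered with the wrong secret:", radius_unhide_password(hidden, b"wrong", request_authenticator))

    challenge = secrets.token_bytes(BLOCK)
    attr = chap_password_attribute(1, password, challenge)
    print("CHAP-Password attribute:        ", attr.hex())
    print("Verifies with stored cleartext: ", chap_verify(attr, challenge, password))
    print("Verifies with the wrong password:", chap_verify(attr, challenge, b"not it"))
```

Note that the RFC 2865 hiding is an MD5-based stream cipher, not authenticated encryption: anyone who holds the shared secret and observes the packet can recover the password, which is why the strength of the secret and the placement of the RRAS-to-proxy link on the internal network both matter.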