Protecting RRAS VPNs - PAP vs CHAP

We’re looking at the documentation for protecting RRAS VPNs with Duo and have a query around CHAP and PAP authentication.

We’re not 100% clear on the advantages of using CHAP in a Duo environment. According to the documentation the credentials between the VPN client and RRAS server are always PAP, which is ok because they’re passed through a previously encrypted tunnel (eg. L2TP).

However, what isn’t made clear is how these credentials are then passed from RRAS to the Duo Proxy. If it’s PAP, does the request from RRAS to the Duo Proxy send the credentials in cleartext? This KB article states:

The user credentials are then passed through this encrypted channel to the VPN, and on to the Duo Authentication Proxy using PAP, with the specified shared key used to encrypt the password, on your internal network.

This does not make much sense; it seems to be suggesting that the VPN shared key is passed to Duo, along with the encrypted payload containing the password?

Is this correct? What impact does using CHAP have on this behavior?

OK, so we did a packet capture on the Duo proxy/RRAS server, and the password appears to be encrypted with the RADIUS key as it’s being passed from RRAS to Duo. This now makes sense.

I guess the final piece is understanding what CHAP brings to the table over PAP in the context of a Duo deployment.

Is there anyone I can reach out to to get a better understanding of how CHAP improves security in the Duo deployment context?
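What the packet capture above is seeing is the standard RADIUS User-Password hiding from RFC 2865 section 5.2: the NAS (here RRAS) XORs the padded password against an MD5 keystream derived from the shared secret and the packet's 16-byte Request Authenticator, so the VPN pre-shared key never leaves the RRAS box and only the RADIUS shared secret is involved. The following is an added illustration, not code from this thread, from Duo or from RRAS; the secret, Request Authenticator and password are constructed sample values.

```python
import hashlib

# Constructed sample values (not from any real deployment).
SHARED_SECRET = b"example-radius-secret"    # the RRAS <-> Duo proxy RADIUS shared key
REQUEST_AUTH = bytes.fromhex("0f" * 16)     # 16-byte Request Authenticator; fixed here for repeatability,
                                            # a real NAS picks a fresh random one per Access-Request
PASSWORD = b"Correct-Horse-Battery"


def _pad16(data: bytes) -> bytes:
    """Zero-pad the cleartext password to a multiple of 16 octets (RFC 2865 5.2)."""
    if len(data) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    if not data:
        return b"\x00" * 16            # minimum attribute value is one 16-octet block
    return data + b"\x00" * (-len(data) % 16)


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide the password the way the NAS does before putting it on the wire.

    b1 = MD5(S + RA), c1 = p1 XOR b1; b2 = MD5(S + c1), c2 = p2 XOR b2; ...
    Each 16-byte keystream block depends on the previous ciphertext block.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the password from the User-Password attribute; this is what the
    RADIUS server (the Duo proxy) does, and it needs the same shared secret."""
    if not encoded or len(encoded) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Strip the zero padding; RADIUS passwords cannot contain trailing NUL octets anyway.
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    wire = encode_user_password(PASSWORD, SHARED_SECRET, REQUEST_AUTH)
    print("on the wire :", wire.hex())
    print("server sees :", decode_user_password(wire, SHARED_SECRET, REQUEST_AUTH))
    print("wrong secret:", decode_user_password(wire, b"not-the-secret", REQUEST_AUTH))
```

Two things worth noticing when running it: the same password produces a different wire value for every Request Authenticator, and a receiver without the exact shared secret gets only garbage back. The protection is therefore no stronger than the shared secret itself, which is why the KB article's wording "on your internal network" matters: RADIUS between RRAS and the Duo proxy should stay on a trusted segment (or the same host, as in the capture above) and use a long, random shared secret.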

Hey @_md

Great question! Thank you for sharing this with the community.

I’ll be honest, I do not have expertise in this area to be able to help you. I’ll ask around though and try to find someone who can!

In the meantime, hopefully someone informed can chime in here :slight_smile:

Typically customers want to use CHAP with the Authentication proxy when they want to support password change at login. The Duo proxy only supports that when the authentication is RADIUS end-to-end, and with MSCHAPv2, not PAP.

Thanks @DuoKristina, that’s exactly what I was looking for.