02-09-2020 07:07 PM
We’re looking at the documentation for protecting RRAS VPNs with Duo and have a query around CHAP and PAP authentication.
We’re not 100% clear on the advantages of using CHAP in a Duo environment. According to the documentation the credentials between the VPN client and RRAS server are always PAP, which is OK because they’re passed through a previously encrypted tunnel (e.g. L2TP).
However, what isn’t made clear is how these credentials are then passed from RRAS to the Duo Proxy. If it’s PAP, does the request from RRAS to the Duo Proxy send the credentials in cleartext? This KB article states:
“The user credentials are then passed through this encrypted channel to the VPN, and on to the Duo Authentication Proxy using PAP, with the specified shared key used to encrypt the password, on your internal network.”
This does not make much sense; it seems to be suggesting that the VPN shared key is passed to Duo, along with the encrypted payload containing the password?
Is this correct? What impact does using CHAP have on this behavior?
02-11-2020 05:18 PM
OK, so we did a packet capture on the Duo proxy/RRAS server and the password appears to be encrypted with the RADIUS key as it’s being passed from RRAS to Duo. This now makes sense.
I guess the final piece is understanding what CHAP brings to the table over PAP in the context of a Duo deployment.
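The behaviour seen in the packet capture above matches the RADIUS User-Password hiding defined in RFC 2865 section 5.2: the shared secret never travels in the packet, it only keys an MD5-derived XOR stream over the password. The sketch below is an added example, not code from this thread or from Duo; the function names and all sample values are constructed for illustration.

```python
import hashlib


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous hidden block).

    The first block uses the 16-byte Request Authenticator instead of a
    previous block (RFC 2865 section 5.2).
    """
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        out += result
        # The chain always runs over the hidden (on-the-wire) block.
        prev = result if hiding else block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value a NAS such as RRAS would send."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte multiple
    return _xor_blocks(padded, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password on the RADIUS server side, given the shared secret."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed attribute or authenticator")
    return _xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTH_1 = bytes(range(16))
AUTH_2 = bytes(range(16, 32))
PASSWORD = b"Example-Passw0rd-123"  # 20 bytes, so two 16-byte blocks

if __name__ == "__main__":
    wire = hide_password(PASSWORD, SECRET, AUTH_1)
    print("on the wire :", wire.hex())
    print("right secret:", reveal_password(wire, SECRET, AUTH_1))
    print("wrong secret:", reveal_password(wire, b"not-the-secret", AUTH_1))
```

Anyone who holds the shared secret and the captured Request Authenticator can recover the password, so PAP over RADIUS is only as strong as that secret and the network path it crosses.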
02-19-2020 09:09 PM
Is there anyone I can reach out to to get a better understanding of how CHAP improves security in the Duo deployment context?
02-20-2020 07:29 AM
Hey @_md
Great question! Thank you for sharing this with the community.
I’ll be honest, I do not have expertise in this area to be able to help you. I’ll ask around though and try to find someone who can!
In the meantime, hopefully someone informed can chime in here.
02-20-2020 08:46 AM
Typically customers want to use CHAP with the Authentication proxy when they want to support password change at login. The Duo proxy only supports that when the authentication is RADIUS end-to-end, and with MSCHAPv2, not PAP.
02-20-2020 06:48 PM
Thanks @DuoKristina, that’s exactly what I was looking for.