Filter
Top Products
12 User Management
12-42
VPN 3000 Concentrator Series User Guide
Note: The setting of the
Inherit? check box takes priority over an entry in a Value field. Examine this box before
continuing and be sure its setting reflects your intent.
Use Client Address
Check the box to accept and use an IP address that this user (client) supplies. A client must have an IP
address to function as a tunnel endpoint; but for maximum security, we recommend that you control IP
address assignment and not allow client-specified IP addresses.
Make sure the setting here is consistent with the setting for
Use Client Address on the Configuration | System
| Address Management | Assignment
screen.
PPTP Authentication Protocols
Check the boxes for the authentication protocols that this PPTP user (client) can use. To establish and
use a VPN tunnel, users should be authenticated according to some protocol.
Caution: Unchecking all authentication options means that no authentication is required. That is, PPTP users can
connect with no authentication. This configuration is allowed so you can test connections, but it is not
secure.
These choices specify the allowable authentication protocols in order from least secure to most secure.
You can allow a user to use fewer protocols than the assigned group, but not more. You cannot allow a
grayed-out protocol.
PAP = Password Authentication Protocol. This protocol passes cleartext username and password
during authentication and is not secure. We strongly recommend that you not allow this protocol.
CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the
client returns the encrypted [challenge plus password], with a cleartext username. It is more secure
than PAP.
EAP = Extensible Authentication Protocol. This protocol supports -MD5 (MD5-Challenge)
authentication, which is analogous to the CHAP protocol, with the same level of security.
MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is
similar to, but more secure than, CHAP. In response to the server challenge, the client returns the
encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—
and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This
protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is
even more secure than MSCHAPv1. It requires mutual client-server authentication, uses
session-unique keys for data encryption by MPPE, and derives different encryption keys for the
send and receive paths.