Vulnslist

find the latest Cisco vulnerabilities

Cisco VPN 5000 Series Concentrator RADIUS PAP Authentication Vulnerability

cisco-sa-20020807-vpn5k-radius-pap · NA · Published · Updated

When a VPN 5000 series concentrator is configured to use a Remote Authentication Dial In User Service (RADIUS) server to authenticate client connections and the challenge type chosen is Password Authentication Protocol (PAP) or Challenge (a hybrid of PAP), the validation retry request sent to the RADIUS server after the first validation fails does not have the user password field encrypted, so the password is sent as clear text. A VPN 5000 series concentrator configured to use Challenge-Handshake Authentication Protocol (CHAP) to authenticate is not affected by this vulnerability. This vulnerability is documented as Cisco bug ID CSCdx82483. There are workarounds available to mitigate the effects of this vulnerability. This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020807-vpn5k-radius-pap.
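The following Python is an added example, not part of the advisory or any Cisco code. It implements the RFC 2865 User-Password hiding that the retry request omits, plus a heuristic check a defender can run over captured Access-Request packets to flag a password field sent unhidden. The secret, authenticator, password, the exact wire layout of the retry and all function names are constructed for illustration.

```python
import hashlib
import struct

USER_PASSWORD = 2      # RADIUS attribute type (RFC 2865, section 5.2)
ACCESS_REQUEST = 1     # RADIUS packet code

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 hiding: XOR each 16-byte block with an MD5-derived keystream."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident: int, authenticator: bytes, pw_value: bytes) -> bytes:
    attr = bytes([USER_PASSWORD, 2 + len(pw_value)]) + pw_value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr)) + authenticator + attr

def user_password_value(packet: bytes):
    """Return the raw User-Password value of an Access-Request, or None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute, stop parsing
        if atype == USER_PASSWORD:
            return packet[pos + 2:pos + alen]
        pos += alen
    return None

def looks_cleartext(value: bytes) -> bool:
    """Heuristic: hidden values are 16..128 bytes, a multiple of 16, and look random."""
    if len(value) % 16 or not 16 <= len(value) <= 128:
        return True
    text = value.rstrip(b"\x00")
    return len(text) > 0 and all(0x20 <= b < 0x7F for b in text)

# Constructed sample data: secret, authenticator and password are made up.
SECRET, AUTH, PASSWORD = b"example-secret", bytes(range(16)), b"Winter2002!"
FIRST_TRY = build_access_request(1, AUTH, hide_password(PASSWORD, SECRET, AUTH))
RETRY = build_access_request(2, AUTH, PASSWORD)  # assumed shape of an unhidden retry
```

The check needs no shared secret, so it can run on a capture taken anywhere on the path between the concentrator and the RADIUS server.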

Workarounds

No workaround information imported yet.

CVEs: CVE-2002-0848
Cisco Bug IDs: NA
CVSS Score: Base NA
Product Names From Source: NA, Cisco VPN 5000 Series Concentrator, Cisco VPN Concentrator

Related Products

| Product | CVE | Evidence |
| --- | --- | --- |
| Cisco VPN 5000 Series Concentrator | CVE-2002-0848 | Cisco OpenVuln |
| Cisco VPN Concentrator | CVE-2002-0848 | Cisco OpenVuln |