This thread seems to have morphed from the original question, but I'll
note that we have a cisco vpn 3000 w/ Xauth (central username and
password) using MGA (server cert authn) to prevent MITM. Use of the vpn
is available from the wireless net but not required.
We've seen a substantial increase in use of the VPN over the last year
(though mostly from off-campus). I believe that it's mostly useful for
avoiding hotel-net brokenness and open-untrusted-highly-suspect wifi
areas (at least, that's when I use it.) We still encourage e2e
authn/authz/privacy, but it's another layer and does help with protocols
for which we have no control.
I believe that 802.1x/wpa is a better implementation of what a
traditional vpn over wireless provides.
We do use a common username & password for these services, and I believe
that this is the right direction. We have a kerberos infrastructure and
it would be great for vpn/802.1x/etc to do kerberos "correctly" and key SSO.
So with respect to PPTP, inasmuch as it often requires a separate
username and password (either because you don't have the plaintext or
don't trust it to keep the password safe), I avoid it.
Tom, I didn't realize IKE v2 was EAP-based. Thanks for the pointer.
-Kevin
Tom Zeller wrote:
A) PPTP using MS-CHAP v2 has one major vulnerability. It is
susceptible to a man-in-the-middle attack and the challenge-response is
encrypted with the user's password. If the user's password is in the
attacker's dictionary they can determine what it is quickly. However a
truly strong password is not very susceptible to this attack. Read the
details in Bruce Schneier's analysis at:
http://www.schneier.com/pptp.html
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.