Do I use both? When does each occur? What is each authenticating?
PAP (password authentication protocol) and CHAP (challenge handshake authentication protocol) are both secure authentication protocols that were developed for dial-up remote access using point-to-point protocol (PPP). These are frequently used in conjunction with a RADIUS authentication server.
When implementing remote access VPN, many network managers have opted to continue using their existing dial-up remote access authentication server for their new VPN remote access. In this case, the VPN gateway behaves very much like a remote access concentrator and looks to the RADIUS server for user authentication. A benefit of doing this is that you can use the same authentication infrastructure for both VPN and dial-up connections minimizing time and expense.
However, the use of PAP and CHAP is not nearly as secure as the use of newer authentication techniques such as smart cards, tokens and digital certificates. By combining PAP or CHAP with strong encryption, you have a mismatch between authentication and privacy. It will be much easier for a hacker to get into your private network (attacking the authentication system) than to decipher packets in transmission (attacking the encryption), so they will focus attacks on your authentication, not your VPN encryption.
If you're using digital certificates, you probably have everything covered and no longer need to worry about PAP/CHAP. The only downside of digital certificates is that they are stored on a device such as a laptop or palm computer. In this case, you authenticate the device, not the end user. This can cause problems if the device is stolen or if users need access from multiple devices.
Many network managers opt to use both digital certificates (to authenticate the device) and PAP or CHAP to authenticate the user. In addition to taking a "belt and suspenders" approach to security, you get the benefit of any additional accounting and authorization services that are being provided by your RADIUS server.
So, the bottom line is this: PAP and CHAP are fine for VPN authentication if you consider them fine for other remote access authentication, but they are mismatched to the encryption capabilities from a security perspective. Digital certificates provide strong authentication that matches the security levels provided by VPN encryption, but they authenticate the device, not the user. A combination of PAP/CHAP with digital certificates can provide double protection and may benefit from additional services such as authorization and accounting.
This was first published in October 2002