David wrote:
Brian, I agree with you about PAP. We have multi-site organization, so passwords will be transmitted over WAN. Might have to explore Matthew and TIm's suggestions.
Save you the trouble: The cliff notes on 1-factor/built-in-supplicants are: If it's for infrastructure admin access (switches, etc) only bad options are available. Secure your control plane with a fail-closed IPSEC setup first. Hope you bought gateways with good L2L VPN feature sets. If it's for WiFi or wired EAPOL, use EAP-TLS, EAP-PEAP-MSCHAPv2, or EAP-TTLS-something depending on your needs. If it's for IPSEC-RA/IKEv2, don't hit the AAA servers directly from the initial IKEv2 auth phase on Windows clients... use the above protocols for an inner EAP auth and validate the AAA cert... agilevpn does not adequately protect against downgrade attacks by validating the IKE cert unless you do this. That means you'll want to send Linux and OSX to a different IPSEC-RA/IKEv2 instance than Windows because they can validate IKE certs correctly, and OSX doesn't support any good inner auths.