Michael Thumann wrote:
To get the XAUTH based authentication information (that is the part where the RADIUS Server is involved) you must start a man in the middle attack and this MITM attack is only possible when you've already cracked the preconfigured preshared key and when you are in physical position to perform a MITM attack (that's really not too easy).
Hope that helps ;-
I'm not sure that XAUTH is the same as the "IKE Shared Secret AAA". I got the impression from the Cisco docs that with the latter, either the Radius password or something derived from it was used to create the shared key for the initial Diffie-Hellman exchange.
I've documented my (probably faulty) understanding of the process here:
http://www.jmu.edu/computing/security/vpnauth.shtml
Thanks for any clarity you can lend.
-- Gary Flynn Security Engineer - Technical Services James Madison University
Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe
