Radius PAP Security

This document describes how PAP is secured when used with PhenixID MFA Server. It also suggests best practices for PAP security.


When passing credentials protected with password authentication protocol (PAP), such as through a VPN/NAS, a secure tunnel generally will first be established using SSTP (SSL) or L2TP (IPsec). When the VPN/NAS forwards the password to PhenixID MFA Server, it is encrypted using the RADIUS shared secret as an encryption key. For further internal protection, network admins may isolate this traffic.

Best practices

To ensure the highest level of security and minimize risk, PhenixID suggests the following:

  • Use strong shared secrets and treat them as you would a super-user password.
  • Use a unique shared secret for each VPN/NAS endpoint.
  • Segment this traffic off of any end user-accessible networks.