[dtlokee]

ok, the MSCHAP solution will not work for your case, that would only be if you were terminateing a PPP connection on the router like a dial in modem or a serial link with PPP authentication. You most likely have RADIUS configured ("aaa authentication login default group radius" or something like that). RADIUS messages are not encrypted so you would need to look at building a IPSec tunnel but if you have many routers it could become very time consuming. You could also look at a TACACS solution which would be encrypted.