Exam 70-124: Objective 4.3: Remote Access Authentication Methods

Before we discuss the remote access authentication methods available within the Windows 2000 RRAS, we should briefly discuss the underlying access protocol, the Point-to-Point Protocol.

Point-to-Point Protocol

Detailed in Request for Comments (RFC) 2484, PPP LCP Internationalization Configuration Option, dated January 1999, the Point-to-Point Protocol (PPP) provides a standard transport method for point-to-point links. (You can locate this and other RFCs at www.rfc-editor.org.) In the context of this book, the point-to-point links referred to are dial-up connections such as asynchronous modem connections or Integrated Services Digital Network (ISDN) connections. In addition to a transport method, PPP also defines the authentication protocols that can be used to negotiate a connection before network-layer protocols such as TCP/IP or IPX are allowed to be transmitted over it.

Test Day Tip 

Know the authentication protocols as well as their strengths and weaknesses. Do not assume that the only protocols that will show up on the exam are the "strong" ones.

Password Authentication Protocol

Detailed in RFC 1334, PPP Authentication Protocols, dated August 1996, the Password Authentication Protocol (PAP) uses unencrypted (plaintext) passwords to authenticate users on a PPP link. PAP is generally considered obsolete because it is the least secure PPP authentication protocol available. Although PAP does provide a simple method for establishing a PPP connection, about the only place you might encounter it is when you need to connect to a legacy, non-Windows server.

Challenge Handshake Authentication Protocol

Detailed in RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP), dated August 1996, the Challenge Handshake Authentication Protocol (CHAP) provides a more secure PPP authentication mechanism than PAP by negotiating an encrypted authentication using Message Digest 5 (MD5). MD5 is an industry-standard hashing scheme that allows connection authentication without actually transmitting the password over the network. You will generally see CHAP used to allow Windows 2000 to connect securely to third-party PPP servers, leveraging the fact that CHAP is an industry-standard protocol.
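The following is an added worked example, not code from the study guide, showing the CHAP exchange as RFC 1994 defines it: the server sends a random challenge, the client answers with MD5(Identifier || secret || challenge), and the server recomputes the same digest to verify. The same digest computation is what EAP-MD5 CHAP, described later in this section, carries inside EAP messages. The packet layout (Code, Identifier, Length, Value-Size, Value, Name) follows RFC 1994; the user name, secret and class names are constructed for the example. Note the practitioner's caveat the example makes visible: the server must hold the cleartext secret to recompute the digest, and each challenge must be fresh and single-use or a captured response could be replayed.

```python
"""CHAP (RFC 1994) challenge/response worked example.

Added example, not code from the study guide or from Windows RRAS. It shows
the MD5 computation and packet layout both sides use, and why a replayed
response to a fresh challenge fails.
"""
import hashlib
import hmac
import os
import struct

# RFC 1994 packet codes
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value), per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Encode a Challenge or Response: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_packet(packet: bytes):
    """Decode the fields written by build_packet; raises ValueError on a malformed packet."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("length fields do not match packet")
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:length]
    return code, identifier, value, name


class ChapAuthenticator:
    """Server side (hypothetical class). CHAP needs the cleartext secret on the
    server, because the server must compute MD5(id || secret || challenge) itself."""

    def __init__(self, secrets: dict):
        self._secrets = secrets      # name -> cleartext secret (constructed sample data)
        self._outstanding = {}       # identifier -> challenge value still awaiting a response

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)       # fresh, unpredictable challenge for every attempt
        self._outstanding[identifier] = value
        return build_packet(CHAP_CHALLENGE, identifier, value, b"ras-server")

    def verify(self, packet: bytes) -> bool:
        code, identifier, value, name = parse_packet(packet)
        if code != CHAP_RESPONSE:
            return False
        challenge = self._outstanding.pop(identifier, None)   # each challenge is used once
        secret = self._secrets.get(name.decode("ascii", "replace"))
        if challenge is None or secret is None:
            return False
        expected = chap_digest(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)           # constant-time comparison


def chap_respond(packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side: answer a Challenge packet; the secret itself never leaves the client."""
    code, identifier, challenge, _peer_name = parse_packet(packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return build_packet(CHAP_RESPONSE, identifier, chap_digest(identifier, secret, challenge), name)


def run_exchange(secret_on_server: bytes, secret_on_client: bytes, replay: bool = False) -> bool:
    """Drive one authentication. With replay=True the client re-sends its earlier
    response under a new identifier after a new challenge was issued; the server
    must reject it because the digest was bound to the old challenge."""
    server = ChapAuthenticator({"carol": secret_on_server})
    first = chap_respond(server.challenge(1), b"carol", secret_on_client)
    if not replay:
        return server.verify(first)
    server.verify(first)                              # consumes challenge 1
    server.challenge(2)                               # a new challenge is issued ...
    replayed = first[:1] + bytes([2]) + first[2:]     # ... but the old digest is re-sent as id 2
    return server.verify(replayed)


if __name__ == "__main__":
    print("correct password :", run_exchange(b"Aardvark", b"Aardvark"))              # True
    print("wrong password   :", run_exchange(b"Aardvark", b"aardvark"))              # False
    print("replayed response:", run_exchange(b"Aardvark", b"Aardvark", replay=True))  # False
```

Run it directly to see the three outcomes. The design point to take away for the exam material above is that the password is never on the wire, yet the server still needs it in recoverable form, which is one reason CHAP is mostly used for interoperability with third-party PPP servers rather than as the strongest choice.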

Microsoft Challenge Handshake Authentication Protocol

Anything the industry can develop, Microsoft can improve on. The Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an extension of the CHAP authentication protocol used to authenticate remote Windows workstations to Windows PPP servers. This extension increases the core CHAP protocol's capabilities by integrating the encryption and hashing algorithms used on Windows networks. MS-CHAP supports LAN Manager authentication as well as the ability to change passwords as part of the authentication process (similar to the capability available when you log into a Windows 2000 network locally). Like CHAP, MS-CHAP uses a challenge-response mechanism called password hashing, which keeps the password from being sent across the connection. Although Microsoft kept MS-CHAP as consistent with standard CHAP as possible, the MS-CHAP protocol is designed specifically for use on Windows computers.

Sidebar: Head of the Class… Hash: Not Just for Breakfast Anymore

Discussed in the context of authentication and encryption, a hash is, in its simplest form, a number generated from a string of text. In the context of authentication, a user's password is stored on the system as a hash value, created by applying a specific hashing algorithm to derive the value. When the user attempts to authenticate to the system, he or she enters a password, to which the system applies the same hashing algorithm. That value is then passed across the connection, where it is compared to the stored hash on the host system. If the hashes agree, the password is valid and the connection is established.

For example, let's say Carol has a password of Aardvark. Let's also say that our hashing algorithm states that each letter is converted to a number by dividing the letter's numeric position in the alphabet by 5, then rounding down to the nearest whole number. If the result is less than 1, a 0 is used instead of the fraction. Once every letter is converted, all 0s are removed and the result is the hash. In our example, the initial conversion for Aardvark would be 00304032. Remove the zeros, and the hash becomes 3432. There is no easy way for a cracker to retrieve the password from that hash, and by comparing that number to the stored value you can verify the user's password without ever transmitting it across the network.
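To make the sidebar's toy scheme concrete, here is an added example (not from the study guide) that implements the letter-to-digit hash exactly as described and the compare-against-stored-hash check. It also goes one step beyond the sidebar by showing that several different strings collapse to the same digit string 3432, so a stored toy hash would accept any of them, which is the reason real authentication uses a cryptographic hash such as the MD5 named in the CHAP section. The function names and the sample passwords are constructed for the example.

```python
"""Toy hash from the sidebar (added example, not from the study guide).

Each letter's alphabet position (A=1 ... Z=26) is divided by 5 and rounded
down; every 0 is then dropped and the remaining digits form the hash.
"""
import hashlib


def letter_value(ch: str) -> int:
    """Position in the alphabet, case-insensitive: a/A -> 1, z/Z -> 26."""
    return ord(ch.lower()) - ord("a") + 1


def toy_hash(password: str) -> str:
    """Apply the sidebar's algorithm: floor(position / 5) per letter, zeros removed."""
    digits = [str(letter_value(ch) // 5) for ch in password if ch.isalpha()]
    return "".join(d for d in digits if d != "0")


def verify_password(stored_hash: str, attempt: str) -> bool:
    """The host never sees the password, only whether the hashes agree."""
    return toy_hash(attempt) == stored_hash


def md5_hex(password: str) -> str:
    """Contrast: a cryptographic hash of the same input (hypothetical helper)."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    stored = toy_hash("Aardvark")
    print("stored toy hash for Aardvark:", stored)            # 3432
    # Constructed candidates: each letter of 'rvrk' maps to 3,4,3,2 and 'j' maps to 2 like 'k'.
    for attempt in ("Aardvark", "Aardvarj", "rvrk", "Aardvarks"):
        print(f"{attempt:10} toy={toy_hash(attempt):6} accepted={verify_password(stored, attempt)!s:5} "
              f"md5={md5_hex(attempt)[:12]}...")
```

The toy hash throws away most of each letter (26 letters map to only six digits, and zeros vanish entirely), so "rvrk" and "Aardvarj" verify as Carol's password while their MD5 digests are all distinct. That loss of information, not the comparison step, is what separates an illustration like this from a hash that is safe to rely on.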

MS-CHAP v2

Windows 2000 shipped with a new version of MS-CHAP, known as Version 2 (MS-CHAP v2). The new version corrects several issues with the previous version: it removes support for the notoriously weak LAN Manager authentication, adds two-way (mutual) authentication, which allows the client to authenticate the PPP host to which it is connecting, and supports much stronger cryptographic keys for the authentication process.

Test Day Tip 

In a pure Microsoft environment, MS-CHAP v2 is the most secure PPP authentication protocol and should be used whenever you are authenticating using a user ID and password.

Extensible Authentication Protocol

Detailed in RFC 2284, PPP Extensible Authentication Protocol (EAP), dated March 1998, the Extensible Authentication Protocol (EAP) is an extension of PPP. EAP was developed in response to an increasing need for stronger authentication mechanisms for remote user access services such as RAS and VPN. As the number of mobile users grew and attackers became more sophisticated, user ID/password authentication was no longer secure enough for many organizations with higher security needs. EAP provides a standard mechanism for supporting additional authentication methods within PPP, such as token cards, one-time passwords, or public key authentication using smartcards or certificates. Unlike the user ID/password capabilities of the other PPP authentication protocols, EAP, in conjunction with external authenticators such as a smartcard or token card, is not vulnerable to brute-force or dictionary password attacks.

Windows 2000 leverages the EAP-MD5 CHAP and EAP-TLS authentication methods as part of its remote access and VPN services.

EAP-MD5 CHAP

EAP-MD5 CHAP is an EAP type that uses the same challenge handshake protocol as PPP-based CHAP, but the challenges and responses are carried as EAP messages. In other words, EAP-MD5 allows the authentication to be handled by an external host while still using a user ID and password.

An example of this use is EAP in conjunction with an external Remote Authentication Dial-In User Service (RADIUS) server that stores the database of user accounts and passwords used to authenticate to a RAS server. The specifics of this use are detailed in RFC 2869, RADIUS Extensions, dated June 2000. Windows 2000 Server operating systems include RADIUS authentication capabilities as part of the Internet Authentication Service (IAS).

It is important to note that although this form of EAP does add capabilities for PPP authentication, because the underlying authentication is still based on a user ID/password combination, this type of EAP is still vulnerable to a brute-force or dictionary password attack.

EAP-TLS

Detailed in RFC 2716, PPP EAP TLS Authentication Protocol, dated October 1999, EAP-TLS is a mutual authentication method similar to MS-CHAP v2: not only does the server authenticate the client as part of the authentication process, but the client can also verify the identity of the server. EAP-TLS is also the EAP type used in certificate-based or token-based security environments. As a result, EAP-TLS provides the most secure authentication method.

Exam Warning 

EAP-TLS is not supported on a Windows 2000 RRAS server running as a standalone server. In order to use EAP-TLS, the Windows 2000 RRAS server must be a member of a Windows 2000 mixed-mode or native-mode domain.

EAP and Smartcards/Certificates

If you want to use the strongest authentication available for Windows 2000, you will need to use a smartcard. A smartcard is like a credit card with an embedded computer chip that stores user data. In the case of Windows 2000 authentication, this data is an X.509 certificate that proves you are who you say you are. The card data is provided to the system via an external smartcard reader, connected to the authenticating computer. As we have discussed, in order to use a smartcard for remote access authentication, you must use EAP-TLS.

This topic is outside the scope of the exam, but if you want to use smartcards for remote access authentication, you need to take the following steps:

  1. Purchase a smartcard and a smartcard reader for your remote computer. You need to be able to write your certificate data to the card for authentication.

  2. Enable and configure remote access on your Windows 2000 RRAS server. (We do some exercises on this topic in the next sections of the chapter.)

  3. Install a PKI computer certificate on your Windows 2000 RRAS server. This certificate is used to authenticate the identity of the remote access server. In order to do this, you need a certificate authority for issuing certificates.

  4. Enable a smartcard logon process for the domain your Windows 2000 RRAS server is in.

  5. Enable EAP and configure the smartcard service on your Windows 2000 RRAS server.

  6. Enable smartcard authentication on the remote access client computer.

This is a very high-level process. If you determine you need to utilize smartcard authentication with your Windows 2000 RRAS server, refer to the Microsoft Windows 2000 documentation for specific instructions. This discussion is included here to provide an understanding of the complexity of utilizing smartcards for remote access authentication with the EAP-TLS protocol.

Now let's take a look at actually configuring a Windows 2000 RAS for dial-in access.


MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162