Chapter 6


Review Questions

1.

You are the network administrator for Exponent Mathematicians, and you have been asked to review the authentication protocols being used by your RRAS server. What are the available protocols, and how do they work?

2.

You are the administrator of the Get Stuffed Taxidermists chain RRAS server. You have users who are utilizing the Windows Server 2003 VPN, using both IPSec and PPTP. What are those protocols, and which of them is the industry standard?

3.

You have just installed RRAS for providing VPN services to 100 of your end users. You are able to get the first five users connected, but then the server denies access. What is the problem, and how do you fix it?

4.

You're the LAN administrator for the Think About IT Consulting Services company. You have just installed your first RRAS server, and your users are connecting without a problem. You want to see how much traffic is being added to the network because of the additional users. How can you check?

5.

If you use autostatic updates, what must you do the first time you connect to a remote router?

Answers to Review Questions

1.

The authentication protocols available include the following:

  • EAP-TLS: EAP is an extension to PPP. EAP provides a standard mechanism for support of additional authentication methods within PPP, such as smart cards, one-time passwords, and certificates. EAP is critical for secure Windows Server 2003 VPNs because it offers stronger authentication methods (such as the use of smart cards) than relying on the user ID and password schemes used traditionally.

  • CHAP: CHAP negotiates encrypted authentication by using MD5, an industry-standard hashing scheme. CHAP uses challenge response with one-way MD5 hashing on the response. This allows a user to authenticate to the server without actually sending his or her password over the network. Because CHAP is an industry-standard authentication method, it allows Windows Server 2003 to securely connect to almost all third-party PPP servers.

  • MS-CHAP: Microsoft created MS-CHAP, an extension of CHAP, to authenticate remote Windows workstations, increasing CHAP's functionality by integrating the encryption and hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism with one-way encryption on the response. Although MS-CHAP is consistent with standard CHAP as much as possible, the MS-CHAP response packet is in a format specifically designed for computers running Windows operating systems. MS-CHAPv2 is also available. This new protocol provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving.

  • SPAP: Shiva Password Authentication Protocol (SPAP) is used specifically to allow Shiva client computers to connect to Windows Server 2003 servers and to allow Windows 2000 client computers to connect to Shiva servers.

  • PAP: PAP uses unencrypted (plaintext) passwords for authenticating users and is considered the least secure authentication protocol available. PAP is usually used as the authentication method of last resort, when a more secure form of authentication is not available. You might need to use this protocol when you are connecting to a non-Windows-based server.

For more information, see the section "Configuring Remote Access Authentication Protocols."
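
The CHAP exchange described in this answer, with PAP beside it for contrast, as an added example that is not part of the original text. It follows the RFC 1994 response calculation, MD5(Identifier || secret || Challenge); the user name, the shared secret, and the Authenticator class are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side (hypothetical class): one fresh challenge per attempt."""
    def __init__(self, secrets: dict):
        self.secrets = secrets   # user name -> shared secret (constructed data)
        self.pending = {}        # user name -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, name: str):
        self.next_id = (self.next_id + 1) % 256
        self.pending[name] = (self.next_id, os.urandom(16))
        return self.pending[name]

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        issued = self.pending.pop(name, None)   # a challenge is usable once
        if issued is None or issued[0] != identifier or name not in self.secrets:
            return False
        expected = chap_response(issued[0], self.secrets[name], issued[1])
        return hmac.compare_digest(expected, response)  # constant-time compare

def pap_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: length-prefixed peer ID and password."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password

def demo() -> dict:
    secret = b"constructed-secret"               # sample value, not a real one
    server = Authenticator({"alice": secret})
    ident, chal = server.challenge("alice")
    resp = chap_response(ident, secret, chal)    # computed by the client
    chap_ok = server.verify("alice", ident, resp)
    # The same response presented against a new challenge must be rejected.
    ident2, _ = server.challenge("alice")
    replay_ok = server.verify("alice", ident2, resp)
    return {
        "chap_ok": chap_ok,
        "replay_ok": replay_ok,
        "secret_on_wire_chap": secret in (chal + resp),
        "secret_on_wire_pap": secret in pap_request(b"alice", secret),
    }

if __name__ == "__main__":
    print(demo())
```
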

2.

Understanding the differences between IPSec and PPTP is important. These points should help you distinguish between the two:

  • IPSec: IPSec is a suite of cryptography-based protection services and security protocols used to provide a secure VPN connection. IPSec provides machine-level authentication, as well as data encryption, for L2TP-based VPN connections. Unlike some other IPSec-based VPNs, Microsoft's implementation uses the L2TP protocol for encrypting the usernames, passwords, and data, whereas IPSec is used to negotiate the secure connection between a computer and its remote tunnel server. All authentication under a Microsoft IPSec VPN occurs through L2TP connections, which use all standard PPP-based authentication protocols to authenticate the user after the secure IPSec communication is established.

  • PPTP: PPTP is Microsoft's legacy protocol for supporting VPNs. Developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum, PPTP encountered some security problems in its original form. PPTP has been revised by Microsoft, but it has never been widely accepted by the security community. Although still supported on a variety of vendors' VPN servers, PPTP is rapidly being overtaken by the more widely adopted IPSec protocol.

For more information, see the section "Supported VPN Protocols."

3.

By default, RRAS is configured with five connections for the VPN. You need to open the RRAS application, go into the port properties, and add additional ports as needed. For more information, see the section "Managing Devices and Ports."

4.

To find out the raw numbers on bandwidth through the server, you need to use the Performance console. You go to the RAS Total object and add the Total Bytes Received and Total Bytes Transmitted counters. Then you add the counts of the two counters to get the total additional traffic. For more information, see the section "Troubleshooting Tools."

5.

Autostatic updates do not occur automatically on initiation of a demand-dial connection. Rather, the autostatic update must be manually initiated or a schedule must be put in place to update routes. After the routes have been sent, the two routers do not exchange updates of routing information unless a manual request to update is made or a scheduled request occurs, depending on how autostatic updates are configured within the environment. Therefore, the first time a connection is made, an autostatic update must be manually initiated to configure the router with proper routes to the destination network. For more information, see the section "Autostatic Updates."




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
EAN: 2147483647
Year: 2006
Pages: 196
Authors: Will Schmied
