Outlining Authentication Options to an RRAS System


Authentication in any networking environment is critical for validating that the individual requesting access is who they claim to be before they are granted access to network resources. Authentication is an important component of the Windows Server 2003 security initiative. Windows Server 2003 can authenticate a remote access user connection through a variety of PPP authentication protocols, including

  • Password Authentication Protocol (PAP)

  • Challenge Handshake Authentication Protocol (CHAP)

  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

  • MS-CHAP version 2 (MS-CHAP v2)

  • Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Detailing Authentication Protocols for PPTP Connections

For PPTP connections, only three authentication protocols (MS-CHAP, MS-CHAP v2, and EAP-TLS) provide a mechanism to generate the same encryption key on both the VPN client and the VPN server. Microsoft Point-to-Point Encryption (MPPE) uses this key to encrypt all PPTP data sent on the VPN connection; PAP, CHAP, and EAP-MD5 yield no such key material, so a PPTP connection that uses them cannot be encrypted with MPPE. MS-CHAP and MS-CHAP v2 are password-based authentication protocols.

Without a Certificate Authority (CA) server or smartcards, MS-CHAP v2 is highly recommended because it is a stronger authentication protocol than MS-CHAP. MS-CHAP v2 also provides mutual authentication: the VPN client is authenticated by the VPN server, and the VPN server proves to the client that it, too, knows the user's credential. Both remain password-based, however. The client's proof is the challenge DES-encrypted under keys derived directly from the NT hash of the password, and the MPPE keys are derived from that same hash, so an attacker who captures the exchange can attack it offline. The DES key structure of the response (three 56-bit keys, the third of which has only 16 unknown bits) bounds that attack independently of password length, which is why MS-CHAP v2 over bare PPTP should be regarded as a compatibility choice rather than a strong one and is better carried inside an IPSec tunnel (see the L2TP/IPSec section below).

If a password-based authentication protocol must be used, it is good practice to enforce the use of strong passwords (longer than eight characters) that contain a random mixture of upper- and lowercase letters, numbers, and punctuation. Group Policies can be used in Active Directory to enforce strong user passwords.
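The MS-CHAP v2 exchange described above, as an added example that is not part of the original text: a Go implementation of the client's proof (the NT-Response) and the server's reply (the AuthenticatorResponse) following RFC 2759, run against the test vectors published in section 9.2 of that RFC (user "User", password "clientPass"). Go's standard library provides DES and SHA-1 but no MD4, so a compact MD4 is included. The function names are this example's own, not Windows API names.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a compact RFC 1320 MD4 (not in Go's standard library); NtPasswordHash is MD4 of the UTF-16LE password.
func md4(data []byte) [16]byte {
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (120-len(msg)%64)%64+8)...) // zero-pad to 56 mod 64, then 8 length bytes
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	idx := [48]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, // round 1 message word order
		0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, // round 2
		0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15} // round 3
	k := [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	s := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < len(msg); off += 64 {
		w := func(j int) uint32 { return binary.LittleEndian.Uint32(msg[off+4*j:]) }
		a, b, c, d := h[0], h[1], h[2], h[3]
		for i := 0; i < 48; i++ {
			f := []uint32{(b & c) | (^b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d}[i/16] // F, G, H
			a, b, c, d = d, bits.RotateLeft32(a+f+w(idx[i])+k[i/16], s[i/16][i%4]), b, c
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	var out [16]byte
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash = MD4(UTF-16LE(password)), RFC 2759 section 8.3.
func ntPasswordHash(password string) [16]byte {
	var buf []byte
	for _, c := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(c), byte(c>>8))
	}
	return md4(buf)
}

// challengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8], RFC 2759 section 8.2.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return h[:8]
}

// desKeys zero-pads the NT hash to 21 bytes and splits it into three 7-byte DES keys (RFC 2759 section 8.5); key 3 is two hash bytes plus five zeros (2^16 candidates), the known MS-CHAP weakness.
func desKeys(pwHash [16]byte) [3][]byte {
	z := make([]byte, 21)
	copy(z, pwHash[:])
	return [3][]byte{z[0:7], z[7:14], z[14:21]}
}

// desEncrypt widens a 7-byte key to DES's 8-byte form (the low bit of each byte is parity, which DES ignores) and encrypts one block.
func desEncrypt(key7, block []byte) []byte {
	k, prev := make([]byte, 8), byte(0)
	for i := 0; i < 7; i++ {
		k[i] = (prev<<(8-i) | key7[i]>>i) & 0xFE
		prev = key7[i]
	}
	k[7] = (prev << 1) & 0xFE
	c, _ := des.NewCipher(k) // only fails for a non-8-byte key
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntResponse is the client's 24-byte proof: the challenge hash DES-encrypted under each of the three keys (RFC 2759 section 8.1).
func ntResponse(auth, peer []byte, user, password string) []byte {
	var resp []byte
	for _, k := range desKeys(ntPasswordHash(password)) {
		resp = append(resp, desEncrypt(k, challengeHash(peer, auth, user))...)
	}
	return resp
}

// authenticatorResponse is the server's proof back to the client, the mutual half of MS-CHAP v2 (RFC 2759 section 8.7).
func authenticatorResponse(auth, peer []byte, user, password string, resp []byte) string {
	pw := ntPasswordHash(password)
	pwhh := md4(pw[:])
	d := sha1.Sum(append(append(pwhh[:], resp...), "Magic server to client signing constant"...))
	d2 := sha1.Sum(append(append(d[:], challengeHash(peer, auth, user)...), "Pad to make it do more than one iteration"...))
	return fmt.Sprintf("S=%X", d2[:])
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 section 9.2 vectors, user "User", password "clientPass"
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := ntResponse(auth, peer, "User", "clientPass")
	fmt.Printf("NT-Response: %X\n%s\n", resp, authenticatorResponse(auth, peer, "User", "clientPass", resp))
}
```

Running it prints the NT-Response and the "S=" string the server returns for the RFC vectors. The desKeys function is where the weakness is visible: the NT hash is only 16 bytes, so the third 7-byte DES key consists of two hash bytes and five zeros, and recovering the other two keys is a 2^56 DES search regardless of how long the password is.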

Conceptualizing EAP-TLS Authentication Protocols

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is designed to be used with a certificate infrastructure that issues user certificates or smartcards. With EAP-TLS, the VPN client presents its user certificate for authentication, and the VPN server presents a computer certificate; each side validates the other's certificate chain. This is the strongest authentication method available because it does not rely on passwords. Third-party CAs can be used as long as the certificate in the computer store of the IAS server contains the Server Authentication certificate purpose (an enhanced key usage, or EKU, entry). A certificate purpose is identified by an object identifier (OID): Server Authentication is OID 1.3.6.1.5.5.7.3.1, and the user certificate installed on the Windows 2000 or Windows XP remote access client must contain the Client Authentication purpose, OID 1.3.6.1.5.5.7.3.2. A certificate that lacks the required purpose is rejected even though it chains to a trusted CA, so check the EKU before troubleshooting the trust chain.
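One way to check the certificate purposes the paragraph describes, as an added example not taken from the book: it builds a small constructed PKI (one root CA, one server certificate, one user certificate) with Go's crypto/x509, reads the EKU OIDs straight out of the extension, and verifies each certificate against the CA for each purpose. The names (Example Root CA, vpn.example.com, alice) are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Enhanced key usage OIDs from RFC 5280 section 4.2.1.12; these are the "certificate purposes" IAS looks for.
var (
	oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}              // the EKU extension itself
	oidServerAuth  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1} // id-kp-serverAuth
	oidClientAuth  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2} // id-kp-clientAuth
)

var serial int64 // increasing serial number for the certificates issued below

// issue creates a certificate carrying exactly the given EKUs, signed by parent, or self-signed when parent is nil.
func issue(cn string, eku []x509.ExtKeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// purposes returns the raw OIDs in the certificate's EKU extension, or nil when the extension is absent.
func purposes(c *x509.Certificate) []asn1.ObjectIdentifier {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidExtKeyUsage) {
			var oids []asn1.ObjectIdentifier
			if _, err := asn1.Unmarshal(ext.Value, &oids); err == nil {
				return oids
			}
		}
	}
	return nil
}

// hasPurpose is the strict check the text describes: the OID must be present in the EKU extension.
func hasPurpose(c *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range purposes(c) {
		if p.Equal(oid) {
			return true
		}
	}
	return false
}

// chainsFor checks that the certificate chains to ca and that every certificate in the chain permits the purpose.
// Go treats a certificate with no EKU extension at all as valid for any purpose, so hasPurpose is the check to
// rely on when the requirement is "must contain Server Authentication".
func chainsFor(c, ca *x509.Certificate, purpose x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}

func main() {
	// Constructed example PKI: one root CA, a computer certificate for the VPN server, a user certificate for a client.
	ca, caKey := issue("Example Root CA", nil, true, nil, nil)
	server, _ := issue("vpn.example.com", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey)
	user, _ := issue("alice", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, false, ca, caKey)
	for _, c := range []*x509.Certificate{server, user} {
		fmt.Printf("%-16s EKU=%v serverAuth=%v clientAuth=%v\n", c.Subject.CommonName, purposes(c),
			chainsFor(c, ca, x509.ExtKeyUsageServerAuth), chainsFor(c, ca, x509.ExtKeyUsageClientAuth))
	}
}
```

The server certificate passes only the Server Authentication check and the user certificate only the Client Authentication check, even though both chain to the same trusted root, which is exactly the failure an IAS server reports when a certificate was issued from the wrong template.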

Working with Authentication Protocols for L2TP/IPSec Connections

For L2TP/IPSec connections, any authentication protocol can be used because user authentication occurs after the VPN client and VPN server have established a secure connection known as an IPSec security association (SA), so the PPP authentication exchange is already encrypted on the wire. Using either MS-CHAP v2 or EAP-TLS still provides the strongest user authentication; the tunnel protects a PAP or CHAP password from eavesdroppers, but it does not make those protocols any stronger at proving who the user is.

Choosing the Best Authentication Protocol

Organizations spend very little time choosing the most appropriate authentication protocol for their VPN connections. In many cases, a lack of knowledge about the differences between the various protocols is the reason no deliberate selection is made. In other cases, the desire for simplicity is the reason heightened security is not chosen. Whatever the case, the following suggestions will assist you in selecting the best authentication protocol for VPN connections:

  • Use EAP-TLS for both PPTP and L2TP/IPSec connections if smartcards will be used or if a certificate infrastructure that issues user certificates exists; it is the best and most secure option. Note that EAP-TLS is supported only by VPN clients running Windows XP and Windows 2000.

  • Use MS-CHAP v2 and enforce strong passwords through Group Policy if you must use a password-based authentication protocol. Although not as strong as EAP-TLS, MS-CHAP v2 is supported by computers running Windows XP, Windows 2000, Windows NT 4.0 with Service Pack 4 or higher, Windows ME, Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 or higher Performance and Security Update.



Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
