Almost every business network today has (or will have)
clients connecting to the network remotely, via dialup and/or VPN connections.
In our mobile world, employees need access to network resources when they’re
away from the office; this includes executives who connect from hotel rooms
when on the road, roaming support people who connect from satellite offices,
and telecommuters who connect from home.
The ability to verify identity (authentication) is even more
important for remote users than for those who are on-site, since without a
secure authentication scheme anyone could get into the network and view, copy,
change or even destroy important data.
The authentication choices you make have implications for ease of
administration and security as your network grows.
Remote access authentication options
Remote access servers can be configured as dial-in servers
or VPN servers. Dial-in servers use the Point-to-Point Protocol (PPP) or in the
case of some older servers, the Serial Line Internet Protocol (SLIP) as the
link layer protocol. VPN servers can use the Point-to-Point Tunneling Protocol
(PPTP), Layer 2 Tunneling Protocol (L2TP), or IPSec
tunnel mode to establish a secure “tunnel” over the Internet. Windows
remote access servers support the following set of authentication methods:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft's implementation of CHAP (MS-CHAP)
- Version 2 of MS-CHAP (MS-CHAP v2)
- Extensible Authentication Protocol/Transport Layer Security (EAP/TLS)
For security purposes, PAP can be excluded as a viable
option for most businesses because it sends passwords across the phone line or
Internet in plain text. The only reason to use PAP is if the remote access
client and remote access server are not able to negotiate a more secure
authentication method. Many VPN/firewall products do not support PAP because of
the security issue.
CHAP is an Internet standard defined in RFC 1994. It uses a
three-way handshake to verify identity. The three steps in the process are:
1. The authenticator sends a challenge message to the client.
2. The client responds with a value that’s calculated via the Message Digest 5
(MD5) one-way hash function.
3. The authenticator also calculates the hash value and compares the client’s
response with its own calculation. If the values match, the connection is
Since the password itself is never sent over the link, CHAP
is much more secure than PAP. CHAP can be used by most third-party remote
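The three-step CHAP exchange as an added, runnable illustration (not code from the article): the client hashes the identifier, the shared secret and the challenge exactly as RFC 1994 specifies, the authenticator recomputes it, and the secret itself never appears on the link. The user database, the secret and the helper names are constructed for the example.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP: response = MD5(Identifier || secret || challenge).
# Only the challenge and the 16-byte digest travel over the link.

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (step 2): hash identifier, shared secret and challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Authenticator side of the three-way handshake; holds the user database."""

    def __init__(self, users: dict):
        self.users = users      # name -> secret (constructed sample data)
        self.pending = {}       # identifier -> outstanding challenge

    def challenge(self, ident: int) -> bytes:
        """Step 1: issue a fresh, unpredictable challenge."""
        chal = os.urandom(16)
        self.pending[ident] = chal
        return chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the digest and compare in constant time."""
        chal = self.pending.pop(ident, None)   # each challenge is used once
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)

def run_handshake(auth: Authenticator, name: str, client_secret: bytes,
                  ident: int = 1):
    """Drive all three steps; returns (accepted, bytes seen on the link)."""
    chal = auth.challenge(ident)
    resp = chap_response(ident, client_secret, chal)
    return auth.verify(ident, name, resp), chal + resp

USERS = {"alice": b"correct horse"}   # constructed user database

if __name__ == "__main__":
    auth = Authenticator(USERS)
    ok, on_wire = run_handshake(auth, "alice", b"correct horse")
    print("valid secret accepted:", ok)
    print("secret visible on link:", b"correct horse" in on_wire)
    print("wrong secret accepted:", run_handshake(auth, "alice", b"guess")[0])
```

Because a challenge is discarded after one use, a captured response is useless against the next handshake; this is the property that makes CHAP safer than PAP.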
MS-CHAP is Microsoft’s version of the standard CHAP method.
It uses the same three-way handshake process, but is designed to be used by
computers running Windows operating systems and integrates the encryption and
hashing algorithms that are used on Windows networks. Version 2 adds such
features as mutual (two-way) authentication of both client and server, as well
as stronger encryption keys. MS-CHAP v2 is more secure than CHAP for Windows
EAP/TLS provides for the use of stronger authentication
methods such as smart cards, Kerberos, and digital certificates, which are much
more secure than the user name/password authentication methods above. It’s
defined in RFC 2716.
The remote access server can act as the EAP/TLS
authenticator, or it can act as a “pass through,” encapsulating the EAP packets
and sending them to a backend security server such as a Remote Authentication
Dial In User Service (RADIUS) server.
RADIUS provides for a centralized authentication database
and can handle authorization and accounting in addition to authentication.
Authorization refers to granting specific services to users based on their
authenticated identity; restrictions can be imposed on certain users.
Accounting refers to tracking the use of the network by users and can be done
for billing, management, or security purposes. RADIUS is defined in RFCs 2865
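The pass-through model of the two preceding paragraphs, as an added example that is not from the article or from any vendor's RADIUS code: the access server wraps the client's CHAP response in an RFC 2865 Access-Request (User-Name, CHAP-Challenge and CHAP-Password attributes) and the RADIUS server, the only party holding the user database, does the verification. Attribute numbers and packet layout are from RFC 2865; the user names and secrets are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                   # RFC 2865 packet code
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60  # RFC 2865 attribute types

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What the dial-in client sends: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(pkt_id: int, name: str, chap_id: int,
                         challenge: bytes, response: bytes) -> bytes:
    """Access-server side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = (attr(USER_NAME, name.encode())
             + attr(CHAP_CHALLENGE, challenge)
             + attr(CHAP_PASSWORD, bytes([chap_id]) + response))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    return header + os.urandom(16) + attrs

def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list that follows the fixed 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def radius_verify(packet: bytes, users: dict) -> bool:
    """RADIUS server side: recompute the CHAP digest from the central database."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False
    attrs = parse_attrs(packet)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])  # RFC 2865: absent => Request Authenticator
    secret = users.get(name)
    if secret is None or len(chap) != 17:   # 1 ident byte + 16-byte digest
        return False
    expected = chap_response(chap[0], secret, challenge)
    return hmac.compare_digest(expected, chap[1:])
```

The access server never sees or stores the password; adding another dial-in or VPN server only means pointing it at the same RADIUS server and shared secret, which is the scalability argument made later in the article.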
RADIUS is supported by dial-in remote access servers, VPN
servers, and wireless access points (WAPs). In addition to the authentication
protocols listed above, RADIUS supports Protected EAP (PEAP) for wireless
Microsoft’s implementation of RADIUS is the Internet
Authentication Service (IAS). It’s built into the Windows 2000 Server and
Windows Server 2003 operating systems. Microsoft vendor-specific RADIUS
attributes are defined in RFC 2548. IAS integrates with the Active Directory
service and allows AD user credentials to be used for remote access (single
Making it scalable
As your organization grows, the number of remote access
users is likely to grow, as well. Managing authentication for a large number of
users can become problematic. It’s especially helpful to have a way to track
users’ remote usage in a large organization. In addition, security becomes more
important as the organization grows.
By using EAP/TLS as your remote access authentication
method, you ensure the most secure remote access authentication and at the same
time make it easy to implement a RADIUS solution that will scale up with the
growth of the network.
You can use remote access policies to control groups of
users, and in a multi-domain environment, IAS allows you to use user principal
names (UPNs) to identify users. This is important in large organizations with
complex networks because a user can have the same UPN regardless of which
domain he/she belongs to.
Windows Server 2003 Enterprise Edition’s IAS implementation
puts no limits on the number of RADIUS clients you can configure or on the
number of RADIUS server groups you can have. Even more importantly, a single
RADIUS server can support many remote access servers, so that as you add
additional dial-in and/or VPN servers, their users are all still authenticated
through one central point: the RADIUS server. The fact that the authentication
server is separate from the access server(s) makes this both more secure and
more scalable than other authentication methods.