Authentication in any networking environment is critical for validating whether the individual requesting access should be allowed to use network resources. Authentication is an important component of the Windows Server 2008 R2 security initiative. Windows Server 2008 R2 can authenticate a remote access user connection through a variety of PPP authentication protocols, including the following:
Password Authentication Protocol (PAP)
Challenge-Handshake Authentication Protocol (CHAP)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP version 2 (MS-CHAP v2)
Extensible Authentication Protocol (EAP)
Protected Extensible Authentication Protocol (PEAP)
Authentication Protocols for PPTP Connections
For PPTP connections, only four of these authentication protocols (MS-CHAP, MS-CHAP v2, EAP, and PEAP) provide a mechanism to generate the same encryption key on both the VPN client and the VPN server. Microsoft Point-to-Point Encryption (MPPE) uses this key to encrypt all PPTP data sent over the VPN connection, so PAP and CHAP cannot be used for an encrypted PPTP connection. MS-CHAP and MS-CHAP v2 are password-based authentication protocols.
Without a certification authority (CA) or smart cards, MS-CHAP v2 is highly recommended because it is a stronger authentication protocol than MS-CHAP. MS-CHAP v2 also provides mutual authentication: the VPN client is authenticated by the VPN server and the VPN server is authenticated by the VPN client. Note that with either protocol the MPPE key is derived from the user's password hash, so the encryption is no stronger than the password, and an MS-CHAP v2 handshake captured on the wire can be attacked offline. That is why the PEAP with EAP-MS-CHAP v2 configuration described later in this section is preferred whenever server certificates are available.
If a password-based authentication protocol must be used, it is good practice to enforce strong passwords (longer than eight characters) that contain a random mixture of uppercase and lowercase letters, numbers, and punctuation. Group Policy can be used in Active Directory to enforce strong user passwords.
EAP and PEAP Authentication Protocols
Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) are designed to be used with a certificate infrastructure that issues user certificates or smart cards.
With EAP (the EAP-TLS method, which Windows presents as Smart Card or other certificate), the VPN client sends its user certificate for authentication, and the VPN server sends a computer certificate for authentication. This is the strongest authentication method because it does not rely on passwords. Third-party CAs can be used as long as the certificate in the computer store of the Network Policy Server (NPS) contains the Server Authentication certificate purpose (the purpose list is carried in the certificate's Enhanced Key Usage, or EKU, extension). A certificate purpose is identified by an object identifier (OID): the OID for Server Authentication is 1.3.6.1.5.5.7.3.1, and the user certificate installed on the Windows remote access client must likewise contain the Client Authentication certificate purpose, OID 1.3.6.1.5.5.7.3.2. A certificate issued only for some other purpose, such as email protection, is rejected by EAP-TLS even if it chains to a trusted CA.
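The certificate-purpose check described above, as an added example that is not code from the book or from Windows: a small Python encoder and decoder for the DER-encoded Extended Key Usage extension, used to confirm that a server certificate carries Server Authentication and a client certificate carries Client Authentication. The extension bytes are constructed inline to stand in for hypothetical NPS and client certificates (no real certificate is parsed), and the role names, function names, and the third sample with only the email-protection purpose are this example's own.

```python
"""Encode and decode the Extended Key Usage (EKU) extension that EAP-TLS checks.

Added example, not code from the book. The DER bytes are constructed here to
mimic the extension value found in a server and a client certificate; they are
not taken from a real certificate. Only short-form DER lengths (under 128 bytes)
are handled, which is enough for any EKU list a VPN certificate carries.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
EMAIL_PROT = "1.3.6.1.5.5.7.3.4"    # id-kp-emailProtection (wrong purpose for EAP-TLS)
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"

# Which purpose each side of the EAP-TLS exchange must present (hypothetical role names)
REQUIRED = {"nps_server": SERVER_AUTH, "vpn_client": CLIENT_AUTH}


def encode_oid(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # low 7 bits, continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # higher groups carry the continuation bit
            arc >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + bytes([len(body)]) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the content octets of an OBJECT IDENTIFIER."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                        # continuation bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(inner)]) + inner


def decode_eku(der: bytes) -> list:
    """Parse an EKU extension value into a list of dotted OID strings."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    pos, end, oids = 2, 2 + der[1], []
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data")
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % pos)
        n = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return oids


def has_purpose(eku_der: bytes, role: str) -> bool:
    """True if the certificate's EKU lists the purpose EAP-TLS needs for this role."""
    return REQUIRED[role] in decode_eku(eku_der)


# Constructed sample extensions standing in for hypothetical certificates
NPS_EKU = encode_eku([SERVER_AUTH, SMARTCARD_LOGON])   # typical NPS computer certificate
CLIENT_EKU = encode_eku([CLIENT_AUTH])                 # typical user certificate
WRONG_EKU = encode_eku([EMAIL_PROT])                   # mis-issued: no Client Authentication

if __name__ == "__main__":
    for label, der, role in (("NPS server", NPS_EKU, "nps_server"),
                             ("VPN client", CLIENT_EKU, "vpn_client"),
                             ("mis-issued client", WRONG_EKU, "vpn_client")):
        print(f"{label:18s} {der.hex()}  acceptable={has_purpose(der, role)}")
```

The encoded form makes the OIDs from the text concrete: Server Authentication becomes the ten bytes 06 08 2B 06 01 05 05 07 03 01, where 0x2B packs the leading 1.3 and each remaining arc is one byte because none exceeds 127. The third sample shows the failure mode the text warns about: a certificate that chains to a trusted CA but was issued for a different purpose fails the check, so confirm the purpose before troubleshooting trust.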
PEAP does not itself specify an authentication method; rather, it protects an inner EAP method by first establishing a TLS-encrypted channel between the client and the server, in which the server is authenticated by its certificate. As such, it provides additional security on top of the inner EAP method. PEAP can even be used with MS-CHAP v2 (EAP-MS-CHAP v2) so that the password exchange takes place only inside the encrypted channel, where it cannot be captured for offline attack.
Authentication Protocols for L2TP/IPSec Connections
For L2TP/IPSec connections, any of the PPP authentication protocols can be used, because user authentication occurs only after the VPN client and VPN server have established a secure connection known as an IPSec security association (SA); even a PAP password is carried inside the IPSec tunnel. Using a strong authentication protocol such as MS-CHAP v2, EAP, or PEAP is nevertheless recommended to provide strong user authentication.
Choosing the Best Authentication Protocol
Organizations often spend very little time choosing the most appropriate authentication protocol for their VPN connections. In many cases, a lack of knowledge about the differences between the protocols is the reason no deliberate selection is made; in others, the desire for simplicity is the reason heightened security is not chosen. Whatever the case, the following suggestions will assist you in selecting the best authentication protocol for VPN connections:
Use EAP or PEAP for PPTP, L2TP, and SSTP connections whenever the organization can support it. If smart cards will be used, or if a certificate infrastructure that issues user certificates already exists, EAP (EAP-TLS) is the best and most secure option. Note that EAP is supported only by VPN clients running Windows XP, Windows 2000 client, Windows Vista, Windows 7, Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.
Use PEAP with EAP-MS-CHAP v2 to ease the deployment burden. In this configuration, certificates are required only for the VPN server infrastructure, not for the clients, yet key generation still takes place inside a Transport Layer Security (TLS) channel: the server is authenticated by its certificate and the client by its MS-CHAP v2 credentials within that channel, so authentication is mutual and security is greatly enhanced over bare MS-CHAP v2.
Use MS-CHAP v2 and enforce strong passwords with Group Policy if you must use a password-based authentication protocol. Although not as strong as PEAP or EAP, MS-CHAP v2 is supported by computers running Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server, Windows Vista, Windows 7, Windows XP, Windows 2000 client, Windows NT 4.0 with Service Pack 4 and higher, Windows Me, Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 or higher Performance and Security Update.