VPN Authentication Method Options
The authentication protocol is used to verify the identity of the remote-access client.
ISA Server 2004 supports the following VPN authentication protocols:
1- PAP Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. PAP is typically used if the remote-access client and remote-access server cannot negotiate a more secure form of authentication.
2- SPAP The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. When a computer running Windows XP Professional connects to a Shiva LAN Rover, it uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.
3- CHAP The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the Message Digest 5 (MD5) algorithm to hash the response to a challenge that the remote-access server issues. CHAP is used by various vendors of dial-in servers and client computers, including Macintosh and UNIX. Data cannot be encrypted when you use the CHAP protocol. Therefore, CHAP is not considered a secure option.
4- MS-CHAP Microsoft CHAP (MS-CHAP) is similar to CHAP, except that MS-CHAP can be used with MPPE to encrypt data. MS-CHAP is more secure than CHAP, but use MS-CHAP only if you run earlier Microsoft operating systems that require it. Both CHAP and MS-CHAP are only as secure as the strength of the user’s password.
5- MS-CHAP version 2 MS-CHAP version 2 (MS-CHAP v2) was designed to fix many of the security issues with MS-CHAP, including the lack of mutual authentication. MS-CHAP v2 uses mutual authentication, so both the client and the server are authenticated. In addition, data is encrypted by using separate session keys for transmitted and received data, which makes it more difficult for an attacker to sniff the traffic and use a brute-force attack on the key. The session-key generation is not entirely based on the user’s password, so a weak password will not necessarily leave the session vulnerable. MS-CHAP v2 is supported by VPN clients running Windows XP, Windows Server 2003, Windows 2000, Windows NT Workstation 4.0 with Service Pack 4 (SP4) and later, Windows Me, or Windows 98.
6- EAP Extensible Authentication Protocol (EAP) is the most secure remote authentication protocol. It uses certificates on both the client and the server to provide mutual authentication, data integrity, and data confidentiality. It negotiates encryption algorithms and secures the exchange of session keys. Use EAP if you are implementing multifactor authentication technologies such as smart cards or universal serial bus (USB) token devices.
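The CHAP exchange described in item 3, and the reason item 4 gives for rating CHAP and MS-CHAP only as strong as the user's password, as an added Python example. This is not ISA Server, RRAS, or vendor code; the peer name, the secret, and the in-memory secret store are constructed for the illustration.

```python
"""CHAP (RFC 1994) one-way challenge/response, shown end to end.

Added example, not ISA Server or RRAS code. The peer name, secret and the
in-memory secret store are constructed for the illustration.
"""
import hashlib
import hmac
import os

# Constructed sample store. CHAP requires the server to hold the secret in a
# form it can feed into the hash (plaintext or reversibly encrypted); it
# cannot work from a one-way password hash.
SECRET_DB = {"alice": b"correct horse battery staple"}


def server_issue_challenge(size: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for every attempt, so a
    captured response cannot simply be replayed later."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge).

    MD5 is what the protocol specifies; it is used here only because CHAP
    defines it, not as a recommended primitive."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_verify(name: str, identifier: int, challenge: bytes,
                  response: bytes) -> bool:
    """Server side: recompute the expected value from the stored secret and
    compare in constant time."""
    secret = SECRET_DB.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(name: str, client_secret: bytes) -> bool:
    """One complete exchange: Challenge -> Response -> Success/Failure.
    Only the client is authenticated; nothing here proves the server's
    identity to the client, which is the gap MS-CHAP v2 closes."""
    identifier = 1                        # ties the response to this challenge
    challenge = server_issue_challenge()  # server -> client
    response = chap_response(identifier, client_secret, challenge)  # client -> server
    return server_verify(name, identifier, challenge, response)     # server -> client


if __name__ == "__main__":
    print("correct secret:", run_exchange("alice", SECRET_DB["alice"]))  # True
    print("wrong secret:  ", run_exchange("alice", b"guess"))             # False
```

Because the response is a plain MD5 over the secret and a challenge that travels in the clear, the only thing standing between an observer of the exchange and the secret is the secret's own entropy; that is the property the text summarizes as "only as secure as the strength of the user's password", and the reason the exchange should run over a link that is otherwise protected.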
Choosing an Authentication Server
In addition to choosing the authentication method and protocol, you also need to decide whether you will use RADIUS or RSA SecurID for authentication. Just as ISA Server can be configured to use these services to authenticate Web publishing rules, it can also use them to authenticate VPN users. ISA Server can use IAS servers or any other RADIUS-compliant server.
Windows 2000 Server and Windows Server 2003 both include Internet Authentication Service, which is a RADIUS-compliant server. When ISA Server is configured to use the IAS server for authentication, the VPN server component forwards the credentials presented to it by the VPN client to the IAS server on the internal network. The IAS server forwards these credentials to a domain controller that authenticates the user.
The most important advantage of using RADIUS to authenticate VPN clients is that you can use domain credentials for authentication when the server running ISA Server is not a member of the network domain. This adds a layer of security to the ISA Server firewall/VPN server solution because, if the firewall is compromised in any way, the machine’s domain membership cannot be leveraged to attack the internal network.
A second advantage of using RADIUS for authentication is that this configuration allows you to centralize Remote Access Policy administration. For example, you could have five servers running ISA Server configured as VPN remote-access servers in a network load-balancing (NLB) array. You could configure the settings manually on each server, or you could configure each of the servers to use an IAS server for authentication and then configure the Remote Access Policies once on the IAS server. By doing this, the same remote-access policies are automatically applied to each computer running ISA Server.