MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
Lesson 2: Managing RRAS Authentication
To provide truly secure remote access, you need more than a simple scheme of user names and passwords. RRAS provides a wide variety of authentication methods, from simple, unencrypted passwords for low-security applications to highly secure authentication schemes for applications in which security is paramount. Windows 2000 also supports Remote Authentication Dial-In User Service (RADIUS), a dedicated service for authenticating remote users with high security and detailed accounting that works with a broad range of third-party remote access devices and services.
After this lesson, you will be able to
-
Configure Windows RRAS authentication
-
Install IAS
-
Configure RADIUS authentication
Estimated lesson time: 30 minutes
Configuring Windows RRAS Authentication
Windows 2000 provides a number of standard authentication methods for remote users. This section describes how to choose authentication methods for users.
PAP and CHAP
Most of the authentication methods available in RRAS are based on Password Authentication Protocol (PAP), which supports simple password authentication, and Challenge Handshake Authentication Protocol (CHAP), a more sophisticated protocol that uses two-way handshakes to authenticate users. These protocols are all descendents of PAP and are increasingly secure and resilient. As with all protocols, always select the newest and most secure protocol that your range of clients support. You can enable any of the following variations of these protocols:
-
Unencrypted password (PAP) is the basic PAP protocol. It sends passwords as clear text so it is vulnerable to network snooping. You should not use PAP unless you must support a legacy application that requires it.
-
Shiva Password Authentication Protocol (SPAP) is an extension to the PAP protocol used to support Shiva LAN Rover devices. It supports basic encryption of passwords, but is not challenge and response, so it is vulnerable to replay attacks in which hackers capture encrypted passwords and re-use them in encrypted form.
-
Encrypted authentication (CHAP) provides authentication with encrypted passwords. In this protocol, the server sends a challenge to the client, and the client uses the data from the challenge to calculate a one-way encrypted value, or hash, from the user name and password that can be used to authenticate the user without sending the password across the network.
-
Microsoft encrypted authentication (MS-CHAP) is a Microsoft extension of CHAP that improves security by storing passwords in encrypted form. This is the authentication used by Microsoft Windows 95 and Windows 98 clients.
-
Microsoft encrypted authentication version 2 (MS-CHAP v2) is the Windows 2000 implementation of MS-CHAP. It does not support earlier Windows client versions. MS-CHAP v2 improves security by eliminating support for LAN Manager encryptions and performs mutual authentication (the client validates the server) to ensure that no man-in-the-middle attack can occur. You should use MS-CHAP v2 whenever possible.
EAP
Extensible Authentication Protocol (EAP) is an authentication protocol that can be extended with additional authentication methods that you can install separately. This protocol is commonly used for smart card authentication or certificate-based authentication. Click the EAP Methods button to open a dialog box that lists the EAP methods that are installed on the current RRAS server.
Unauthenticated Access
If you enable the Allow Remote Systems To Connect Without Authentication option, remote systems that do not support authentication can connect without supplying a user name and password. You can use this method when another system is providing security, such as Dialed Number Identification Service (DNIS). When this option is enabled, clients can also connect using the Guest user account.
The Allow Remote Systems To Connect Without Authentication option is a security risk and should not be enabled unless you must accommodate non-Windows clients. If you use unauthenticated access, ensure that some other authentication service prevents hackers from reaching private resources, such as a firewall that you've placed between the RRAS server and the interior of the network.
Using RADIUS and IAS
RADIUS is a standard service for user authentication, which provides centralized authentication, multiple authentication servers, and detailed activity logging for remote access users. RADIUS provides a way to decouple user authentication from the server or device that receives the connection or provides access to the port. It allows Administrators to centralize the authentication function on a small group of servers dedicated to authentication while distributing remote access servers or devices throughout the enterprise. Furthermore, by decoupling authentication from remote access, it allows the authentication service to be used by other services that require authentication, such as the 802.1x port authentication protocol provided to secure wireless access, as described in Chapter 10, "Wireless Security."
Understanding IAS
Microsoft's implementation of RADIUS, provided in Windows 2000 Server, is called IAS (Internet Authentication Service). The IAS server uses the Active Directory database to store authentication information so all IAS servers can be managed from a single console.
When you use IAS to provide remote access authentication, the remote clients do not directly communicate with the IAS server. Instead, clients connect to a normal RRAS server, known in RADIUS terminology as the network access server (NAS). Dial-up clients connect to network access servers, which then contact the nearest IAS server to authenticate each user. A network access server can be any RADIUS aware device or service that allows users to connect to a port, such as an RRAS server, an 802.11b wireless access point, or an 802.1x compliant Ethernet switch. Figure 9.7 shows how this process works in detail.
Figure 9-7. Dial-up clients connect to an RRAS server, which trusts the IAS RADIUS server for authentication
The same Windows 2000 Server computer can be used as both the RRAS server and the IAS server. Alternatively, you can use any number of IAS servers and RRAS servers your network architecture requires to provide authentication across a WAN. In most situations, a single IAS server is capable of handling authentication for many thousands of users.
Configuring RADIUS Authentication
If an IAS server is available on the network, you can configure RRAS servers to use RADIUS authentication. After you select RADIUS authentication, you must restart the RRAS server before the changes will take effect.
Before an RRAS server can authenticate with an IAS server, you must add the RRAS server as a client of the IAS server.
Configuring RADIUS authentication is simple. After selecting the RADIUS server in the RRAS Server Properties dialog box, you can specify the following options for each server:
-
Server Name. The name of the RADIUS server.
-
Secret. A shared secret (password) used to control access to the RADIUS server. You must specify the same password later when you add the server as a client for the IAS server. The NAS (RRAS server) and RADIUS server use this shared secret to authenticate and encrypt communications among themselves.
-
Time-out. The number of seconds the RAS server will wait for a response from a RADIUS server before trying a different server. The default is five seconds.
-
Initial Score. A simple measure of availability for RADIUS servers. The server with the highest score will be queried first.
-
Port. The UDP port used on the RADIUS server for incoming authentication requests. The default value, 1813, is correct for most current RADIUS servers, including Microsoft IAS. UDP port 1645 is also used for some devices.
Dial-up computers are not RADIUS clients. Each RADIUS client is an RRAS server or other hardware or software that provides remote access. Dial-up clients connect to this server, which in turn authenticates using the RADIUS server.
In this practice, you configure authentication on an RRAS server, including Windows authentication and RADIUS, and install and configure an IAS server. To complete this practice, you will need a Windows 2000 Server computer with the RRAS component installed.
Exercise 1: Selecting Windows Authentication Methods
In this exercise, you configure an RRAS server to use Windows authentication and select the authentication methods that will be permitted for remote clients. Some of the options described might already be selected on your server.
To use Windows authentication
Perform this procedure on the RRAS server computer.
-
Log on as Administrator.
-
Click Start, point to Programs, point to Administrative Tools, and click Routing And Remote Access Service.
-
Select the RRAS server (dc01) in the console tree. The right-hand pane displays a list of components of the RRAS server.
-
From the Action menu, choose Properties. The Properties dialog box opens.
-
Select the Security tab. The Security properties are displayed, as shown in Figure 9.8.
Figure 9-8. The Security tab of the Properties dialog box
-
In the Authentication Provider list, click Windows Authentication.
-
Click OK to complete the change.
If you were previously using a different authentication method, you will need to restart the RRAS server before this change takes effect.
To select authentication methods
-
Select the server (dc01) in the console tree, and, from the Action menu, choose Properties. The Properties dialog box is displayed.
-
Select the Security tab.
-
Click Authentication Methods. The Authentication Methods dialog box is displayed, as shown in Figure 9.9.
Figure 9-9. The Authentication Methods dialog box
-
Select the MS-CHAP v2 check box, and clear the other check boxes.
Why would you limit authentication options rather than simply select them all?
-
Click OK to close the Authentication Methods dialog box, and click OK to close the Properties dialog box and complete the process.
Exercise 2: Working with RADIUS and IAS
In this exercise, you configure an RRAS server to use RADIUS authentication and configure it to access a RADIUS server. You also install the IAS Server component and configure the IAS server to support the RRAS server as a client.
To select RADIUS authentication
-
Select the RRAS server (dc01) in the console tree of the Routing And Remote Access management console. The right-hand pane displays a list of components of the RRAS server, as shown in Figure 9.10.
Figure 9-10. The components of the RRAS server
-
From the Action menu, choose Properties, and select the Security tab.
-
In the Authentication Provider list, click RADIUS Authentication.
-
Click OK to complete the change.
If you were previously using a different authentication method, you will need to restart the RRAS server before this change takes effect.
To install the IAS server
Perform this procedure on the RRAS server computer, logged on as the Administrator. As an alternative, you can use a different Windows 2000 Server computer for the IAS server.
-
In Control Panel, double-click Add/Remove Programs.
-
Click Add/Remove Windows Components. A list of current Windows 2000 components is displayed.
-
Click Networking Services in the list, and click Details. A list of networking components is displayed, as shown in Figure 9.11.
Figure 9-11. The Networking Services dialog box
-
Select the Internet Authentication Service check box, and click OK.
-
In the Windows Components Wizard, click Next to install the component.
The new components you selected are now installed. The IAS server will be started automatically.
To configure a RADIUS server
Perform this procedure on the RRAS server computer, logged on as the Administrator. The Routing And Remote Access console should be started.
-
Select the RRAS server (dc01) in the console tree. The right-hand pane displays a list of components of the RRAS server.
-
From the Action menu, choose Properties, and select the Security tab.
-
Click the Configure button next to the RADIUS Authentication provider.
The RADIUS Authentication dialog box is displayed, as shown in Figure 9.12. The local IAS server (dc01) appears in the list if you have previously installed the IAS server.
Figure 9-12. The RADIUS Authentication dialog box
-
Select the local server in the list, and click Edit. The Edit RADIUS Server dialog box is displayed, as shown in Figure 9.13.
Figure 9-13. The Edit RADIUS Server dialog box
-
Change the Time-out setting to 10 seconds.
To use a shared secret, specify it in this page. You will also need to specify the same shared secret when you configure the client from the IAS console in the next procedure.
-
Click OK to complete the edit, and click OK to close the RADIUS Authentication dialog box. A message appears reminding you to restart the RRAS server.
-
Click OK to save the changes.
You must restart the RRAS server before the changes you made here will take effect.
To add a client for the IAS server
Perform this procedure from the computer on which you installed IAS Server. You should be logged on as the Administrator.
-
From the Administrative Tools menu, choose Internet Authentication Service. The Internet Authentication Service management console is displayed, as shown in Figure 9.14.
Figure 9-14. The Internet Authentication Service management console
-
Select Clients in the console tree. Any existing clients are listed in the right-hand pane.
-
From the Action menu, choose New Client. The Add Client Wizard is displayed, as shown in Figure 9.15.
Figure 9-15. The Add Client Wizard
-
In the Friendly Name box, type DC01. Click Next to continue. The Client Information page is displayed, as shown in Figure 9.16.
Figure 9-16. The Client Information page
-
Type DC01 in the Client Address box.
-
Click Microsoft in the Client-Vendor list.
-
Click Finish to add the client.
To use a shared secret, type it in the two boxes provided on the Client Information page. You must specify the same shared secret in the RADIUS Authentication dialog box of the RRAS console.
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
-
Which RRAS authentication type can be used with an RRAS server to provide centralized authentication?
-
Which Windows authentication method uses completely unencrypted passwords?
-
What Windows authentication method would you use to support smart card authentication?
-
How do you manage authentication and security policy settings for an RRAS server when RADIUS authentication is in use?
-
In a network using an IAS server to provide centralized management of dial-in authentication for several RRAS servers, to which machine do dial-up clients send authentication requests?
Lesson Summary
-
Windows 2000 Routing and Remote Access Service (RRAS) supports two basic authentication systems, Windows authentication and RADIUS. Windows authentication uses separate security settings for each RRAS server, while RADIUS supports centralized control of authentication and security settings.
-
Windows authentication methods include unencrypted PAP and SPAP, which extends this protocol using encrypted passwords. CHAP uses a handshake system with a one-way encryption to avoid sending passwords over the network. MS-CHAP is an enhanced version of CHAP. MS-CHAP version 2 improves the security of MS-CHAP authentication by eliminating weak LAN Manager encryptions and by mutually authenticating the client and server to eliminate man-in-the-middle attacks.
-
Remote Authentication Dial-In User Service (RADIUS) is a standard for centralized authentication, management, and accounting for remote access. You can configure Windows 2000 RRAS to use RADIUS authentication instead of Windows authentication.
-
Windows 2000 Server includes Internet Authentication Service (IAS), a RADIUS server implementation. A computer running IAS can provide centralized security management and authentication for any number of RRAS servers, and it stores its settings in the Active Directory. An Internet Authentication Service management console allows you to configure authentication and security settings.