Choosing EAP-TLS or MS-CHAP v2 for User-Level Authentication
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
All site-to-site connection technologies require user-level authentication. The "user" to be authenticated is the calling router. To prevent an unauthorized router from making a connection, the Routing and Remote Access service requires that the calling router requesting the connection be authenticated by the answering router.
The Routing and Remote Access service can use any of several PPP authentication methods to provide user-level authentication. For optimal security, choose one of the two strongest recommended PPP user authentication methods — EAP-TLS or MS-CHAP v2.
For more information about the other PPP authentication protocols (in addition to EAP-TLS and MS-CHAP v2) supported by Windows Server 2003, Windows 2000 Server, and Windows NT Server 4.0, see "Authentication methods" in Help and Support Center for Windows Server 2003.
Certificate-based EAP-TLS
EAP-TLS is a more secure protocol than MS-CHAP v2 for user-level authentication on a dial-up, PPTP VPN, or L2TP/IPSec VPN connection. EAP-TLS requires a certificate infrastructure, because it uses a user certificate for the calling router and a computer certificate for the authenticating server of the answering router. The identity of the authenticating server depends on the authentication provider:
- If Windows provides authentication, as is the case for a site-to-site only connection, the computer certificate is installed on the answering router. The answering router must be joined to the Active Directory domain.
- If RADIUS provides authentication, as might be the case if your answering router also supports remote access users, the computer certificate is installed on the RADIUS server. If the RADIUS server is an IAS server, it must be joined to the Active Directory domain. In this case, the answering router does not need to belong to the domain.
EAP-TLS is recommended for all connection types both because it is the strongest method for user authentication and because it provides mutual user authentication between calling and answering routers. The calling router submits a user certificate for authentication, and the answering router (or RADIUS server) submits a computer certificate for authentication. With EAP-TLS, the user account that the answering router uses to authenticate and authorize the calling router must be an Active Directory user account.
If you plan to use certificate-based EAP-TLS, you can use a third-party CA if the conditions in Table 10.5 are met.
Table 10.5 Requirements for Using a Third-Party CA
Certificates Installed on Authenticating Server (Answering Router or RADIUS Server) | Certificates Installed on Calling Router |
---|---|
|
|
For examples of how to deploy EAP-TLS certificate-based user authentication for site-to-site connections, see "Deploying certificate-based authentication for demand-dial routing" in Help and Support Center for Windows Server 2003. For more information about certificate types and requirements, see "Certificate Services" in Help and Support Center for Windows Server 2003, and see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit.
Password-based MS-CHAP v2
Like EAP-TLS, MS-CHAP v2 provides mutual authentication between the calling router and the answering router. MS-CHAP v2 is a password-based authentication method in which the answering router uses either an Active Directory user account or a local user account to authenticate the calling router. MS-CHAP v2 is the recommended method for user authentication if a certificate infrastructure is not available.
If you use a local user account for MS-CHAP v2 authentication, the demand-dial routers do not need to join the Active Directory domain. Be sure to use strong passwords with MS-CHAP v2. In an Active Directory domain, you can use Group Policy settings to enforce the use of strong passwords.
Advantages of EAP-TLS and MS-CHAP v2
Although several weaker PPP authentication protocols are also available for user authentication, EAP-TLS and MS-CHAP v2 are the preferred methods because both provide the following benefits:
- Mutual authentication. With mutual authentication, the calling router is authenticated by the answering router, and the answering router is then authenticated by the calling router. This mutual authentication prevents an attacker from masquerading as the answering router, whereas other types of authentication verify only the identity of the calling router.
- Encryption features. In addition, for a dial-up or PPTP connection, EAP-TLS and MS-CHAP v2 provide the following encryption features. (L2TP/IPSec generates its encryption keys using IPSec and therefore does not need EAP-TLS or MS-CHAP v2 for encryption keys.)
  - Stronger initial encryption keys. MS-CHAP v2 uses both a unique session identifier and user credentials to generate encryption keys. EAP-TLS uses user certificates to verify user identity. (In contrast, MS-CHAP uses only the user name and password to create these keys, making it easier for attackers to determine the keys in use.)
  - Different keys for sending and receiving data. The calling router and answering router each use one key to encrypt the data they send and a different key for the data they receive. Using different keys makes it more difficult for attackers to determine which key is used for encryption.
  - MPPE for encryption. MPPE uses Rivest-Shamir-Adleman (RSA) RC4 stream ciphering with 40-bit, 56-bit, and 128-bit encryption keys. (RC4, developed by RSA Data Security, is a secret key cryptographic method that uses a variable-length key.) Encryption key strength is negotiated during connection establishment (as is the authentication method). The client (calling router) and server (answering router) negotiate the strongest mutually allowable key size. If the answering router requires a larger key than that supported on the calling router, the answering router rejects the connection.
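The two key properties listed above for MS-CHAP v2 (keys bound to the individual session, and separate keys for each direction) can be seen in the MPPE start-key derivation that RFC 3079 defines for MS-CHAP v2. The following Python is an added example, not code from the original page or from Microsoft. The function names and sample inputs are constructed for illustration, and the NT-Response stands in for the 24-byte value that MS-CHAP v2 computes from that session's challenges.

```python
# Added example: MPPE start-key derivation for MS-CHAP v2 as specified in RFC 3079.
import hashlib

MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey: mixes MD4(MD4(password)) with the per-session NT-Response."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("expected a 16-byte hash-of-hash and a 24-byte NT-Response")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, key_len: int,
                             is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey: one direction's start key (8 or 16 bytes)."""
    if key_len not in (8, 16):
        raise ValueError("start keys are 8 bytes (40/56-bit MPPE) or 16 bytes (128-bit)")
    # The server's send direction is the client's receive direction, and vice versa.
    magic = MAGIC3 if is_send == is_server else MAGIC2
    digest = hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()
    return digest[:key_len]


def session_start_keys(password_hash_hash: bytes, nt_response: bytes, key_len: int = 16):
    """Return (send, receive) start keys for the calling and answering routers."""
    master = get_master_key(password_hash_hash, nt_response)
    def pair(is_server: bool):
        return (get_asymmetric_start_key(master, key_len, True, is_server),
                get_asymmetric_start_key(master, key_len, False, is_server))
    return {"calling": pair(False), "answering": pair(True)}


# Constructed sample inputs, not real credentials or captured traffic.
SAMPLE_HASH_HASH = bytes(range(16))            # stands in for MD4(MD4(password))
SAMPLE_NT_RESPONSE_1 = bytes(range(100, 124))  # first connection's NT-Response
SAMPLE_NT_RESPONSE_2 = bytes(range(200, 224))  # a later connection, same password

if __name__ == "__main__":
    for name, resp in (("session 1", SAMPLE_NT_RESPONSE_1), ("session 2", SAMPLE_NT_RESPONSE_2)):
        send, recv = session_start_keys(SAMPLE_HASH_HASH, resp)["calling"]
        print(f"{name}: calling router send={send.hex()} receive={recv.hex()}")
```

Because the password enters only through its hash, the strength of every derived key still depends on the password itself, which is why the page insists on strong passwords with MS-CHAP v2.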
For more information about encryption for site-to-site connections, see "Choosing MPPE or IPSec Encryption" later in this chapter.