> netsh ras AAAA add authserv name=RADIUS1 secret=NCC1701A signature=enabled
Note You can add additional RADIUS servers by issuing the netsh ras AAAA add authserv command
with appropriate parameters for each RADIUS server.
To delete a RADIUS server against which your RRAS server authenticates, run the netsh
ras AAAA delete authserv command:
> netsh ras AAAA delete authserv [name=] <ServerID>
Note You can configure your RRAS server to use Windows Authentication by deleting all listed
RADIUS servers.
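As an added example (not part of the recipe), the following PowerShell wraps the netsh command above to register a primary and a backup RADIUS server and then lists the result. The function name, the server names RADIUS1 and RADIUS2, and the angle-bracket secrets are assumptions and placeholders to replace with your own values.

```powershell
# Added example (not from the recipe): register a primary and a backup RADIUS
# server for RRAS authentication with netsh, then list the configured servers.
# Assumptions: run in an elevated PowerShell on the RRAS server; the server
# names and the <...> secrets are placeholders.
function Add-RrasRadiusServer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Secret,
        [int]$InitScore = 30,   # higher score is tried first
        [int]$Timeout   = 5     # seconds before RRAS fails over to the next server
    )
    # signature=enabled makes RRAS require the RADIUS Message-Authenticator
    # attribute, so responses from a host that lacks the shared secret are rejected.
    netsh ras aaaa add authserv "name=$Name" "secret=$Secret" `
        "init-score=$InitScore" "timeout=$Timeout" "signature=enabled"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to add RADIUS server '$Name' (exit code $LASTEXITCODE)"
    }
}

# The primary server gets the higher initial score so RRAS prefers it.
Add-RrasRadiusServer -Name 'RADIUS1' -Secret '<SHARED-SECRET-1>' -InitScore 30
Add-RrasRadiusServer -Name 'RADIUS2' -Secret '<SHARED-SECRET-2>' -InitScore 10

# Confirm which servers RRAS will now authenticate against.
netsh ras aaaa show authserv
```

Deleting every server listed by `show authserv` returns RRAS to Windows Authentication, as the note above describes.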
How It Works
As described in this recipe, there are seven authentication protocols that can be used by RRAS.
As the system administrator, you are obligated to determine which protocol is the most appropriate
for your organization, and whether you should permit multiple authentication types.
When negotiating a connection request from a remote user, the server will attempt the
authentication starting with the most secure protocol and proceeding to the least secure until
both the client and the server agree on the authentication type. Once they have reached this
agreement, the connection request can proceed. On the other hand, if no agreement is reached,
the request will be terminated by the server.
These are the seven authentication methods:
• Extensible Authentication Protocol (EAP): EAP is considered to be the most secure
authentication protocol of the seven that are supported. EAP interacts with a certificate
authority (CA) or a smart-card system to provide mutual authentication. As described in
Microsoft KB 259880, “to use EAP with a VPN, the server must be configured to accept
EAP authentication as a valid authentication method and it must have a user certificate
(X.509). The client must be configured to use EAP, and either have a SmartCard (with a
SmartCard Certificate installed) or a user certificate.”
EAP is preferable to other methods because it cannot be compromised by brute-force or
password dictionary attacks, unlike methods such as MS-CHAP or CHAP.
• Microsoft Challenge Handshake Authentication Protocol v2 (MS-CHAP v2): MS-CHAP
v2 provides mutual authentication between the server and the remote client using a
transmitted and a received session key, both of which are based on the user's password
and an arbitrary string value. The key will be different for every authentication session.
MS-CHAP v2 is supported by Windows versions 2003, 2000, XP, NT 4.0, ME, and 98. It is
supported for Windows 95 when used for VPN connections, but not for dial-in connections.