If your server does not integrate with certificate services, and your clients are all Windows-based with a version of Win9x or later, you will want to use MS-CHAP v2 as your authentication protocol.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAP is the predecessor to MS-CHAP v2. Unlike MS-CHAP v2, MS-CHAP authenticates in one direction only: the server verifies the client, but the client has no way to verify that it is talking to the genuine server. A single session key is derived from the user's password alone, so it is the same for every session by that user rather than fresh per connection. Unless you have pre-Win9x clients on your network, there should be little call for this protocol.
• Challenge Handshake Authentication Protocol (CHAP): CHAP is less secure than MS-CHAP or MS-CHAP v2, but unlike the Microsoft protocols it is widely implemented by non-Windows clients, and Windows Server 2003 supports it to maintain a broader level of client support. During CHAP authentication the password itself is never sent from the client to the server; the client returns an MD5 hash computed over the packet identifier, the password, and a random challenge chosen by the server (RFC 1994), and the server recomputes the same hash to check it. Because the server must recompute that hash, it needs the user's cleartext password: accounts that authenticate with CHAP must have "Store password using reversible encryption" enabled, and the password must be reset after the option is turned on so that a reversible copy exists. Note also that someone who captures the challenge and response can test password guesses against them offline, so CHAP stops casual reading of the password but does not protect a weak one.
• Shiva Password Authentication Protocol (SPAP): SPAP is a proprietary protocol of Shiva remote access servers and clients. The password is sent using a simple reversible encryption scheme rather than in clear text, which defeats casual reading of the traffic but little else; enable it only for Shiva clients that support nothing stronger.
• Unencrypted Password (PAP): PAP, formally the Password Authentication Protocol, is the simplest of the authentication protocols. It transmits the user name and password in clear text, so anyone who can capture the traffic can read them directly. This method of authentication is not recommended unless absolutely required by the remote server.
• Unauthenticated access: Unauthenticated access permits "guest" level access to the remote server. Any user can connect without providing any credentials, so leave this disabled unless you deliberately want anonymous connections.
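The difference between the PAP and CHAP items above is easiest to see on the wire. The following is an added example, not code from the recipe or from Windows: a small Python model of a PAP Authenticate-Request (RFC 1334) and of the CHAP challenge/response exchange (RFC 1994), with a constructed "capture" of what the client sends. The account name, password and 16-byte challenges are constructed for illustration, and the server keeps cleartext passwords because CHAP verification needs them. It does not model MS-CHAP or MS-CHAP v2, which use the NT password hash rather than the cleartext password.

```python
import hashlib
import hmac
import os

# Constructed sample account database (server side). CHAP verification needs the
# cleartext password, which is why Windows keeps CHAP users' passwords with
# reversible encryption.
USERS = {"alice": b"correct horse battery staple"}


def chap_response(ident, secret, challenge):
    """RFC 1994 sec. 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def pap_request(name, password):
    """RFC 1334 PAP Authenticate-Request payload: the password goes on the wire as-is."""
    name_b = name.encode()
    return bytes([len(name_b)]) + name_b + bytes([len(password)]) + password


class ChapServer:
    """Authenticator side: issues one-time random challenges and checks responses."""

    def __init__(self, users):
        self.users = users
        self.ident = 0
        self.pending = None  # (identifier, challenge) currently outstanding

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        self.pending = (self.ident, os.urandom(16))
        return self.pending

    def verify(self, name, ident, response):
        if self.pending is None or ident != self.pending[0]:
            return False
        _, chal = self.pending
        self.pending = None  # a challenge is good for exactly one response
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def chap_client(name, password, ident, challenge):
    """Peer side: returns the Value and Name fields of the CHAP Response packet."""
    return chap_response(ident, password, challenge), name


def demo():
    """Run both protocols and report what an eavesdropper on the link learns."""
    password = USERS["alice"]

    # PAP: the capture contains the password verbatim.
    pap = pap_request("alice", password)
    pap_leaks = password in pap

    # CHAP: the password itself never appears on the wire.
    srv = ChapServer(USERS)
    ident, chal = srv.challenge()
    resp, name = chap_client("alice", password, ident, chal)
    chap_packet = resp + name.encode()
    chap_leaks = password in chap_packet
    first_ok = srv.verify(name, ident, resp)

    # Replaying the captured response against a fresh challenge fails.
    ident2, _ = srv.challenge()
    replay_ok = srv.verify(name, ident2, resp)

    # A wrong password fails even with a valid, fresh challenge.
    ident3, chal3 = srv.challenge()
    bad_resp, _ = chap_client("alice", b"wrong password", ident3, chal3)
    wrong_pw_ok = srv.verify("alice", ident3, bad_resp)

    return {
        "pap_leaks": pap_leaks,
        "chap_leaks": chap_leaks,
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "wrong_pw_ok": wrong_pw_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same capture that hides the password in the CHAP case still gives an attacker the identifier, the challenge and the response, which is everything needed to test password guesses offline with `chap_response`; that is why the protocol choice does not remove the need for strong passwords.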
In addition to selecting an authentication protocol, you must also select whether you want
to use Windows or RADIUS authentication. If you use Windows authentication, all requests are
authenticated against the local accounts database, Active Directory, or even an NT 4 domain
database.
You should consider using RADIUS instead of Windows authentication if you have more than one RRAS server. RADIUS provides centralized authentication and auditing of remote access connections, and it simplifies management of remote access policies: once you configure your RRAS server to authenticate against a RADIUS server, policies are defined on the RADIUS server (IAS, on Windows Server 2003) and can no longer be configured on the remote access server itself.
See Also
• MSDN: “Certificate Services” ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certificate_services.asp ). This article provides details on Microsoft Certificate Services necessary to implement the Extensible Authentication Protocol (EAP).
• Microsoft TechNet: “Authentication Protocols and Methods” ( http://technet2.microsoft.com/WindowsServer/f/?en/Library/4e9baec7-dafc-4f9f-8fb4-660284a645391033.mspx ). This article describes each of the authentication protocols that we have discussed in this recipe.