Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication
The L2TP/IPSec VPN protocol is generally considered to be the most secure VPN protocol. However, there are times when you may want to avoid L2TP/IPSec. The most common reason for preferring PPTP over L2TP/IPSec is when VPN clients need to connect to an ISA Server firewall/VPN server while behind a NAT device, such as a broadband router or NAT-based firewall (figure 1).
Figure 1
NAT devices “break” IPSec unless special measures are taken to encapsulate the IPSec packet. Encapsulating IPSec packets with a UDP or TCP header is referred to as “IPSec NAT Traversal” or NAT-T. The problem is that NAT-T isn’t universally implemented. Many vendors use proprietary NAT-T implementations. Windows Server 2003 and the Microsoft L2TP/IPSec VPN client support the IETF RFC NAT-T guidelines. These NAT-T RFCs are expected to become Internet standards in the near future.
You may have heard that PPTP is a high security risk. This misperception is due to problems related to the initial release of PPTP (PPTP version 1) and MS-CHAP version 1. The current version of PPTP (version 2) and MS-CHAP version 2 can be made quite secure when password policies force users to use complex passwords. Both Windows 2000 and Windows Server 2003 support PPTP version 2.
Note:
While the level of security afforded to PPTP VPN connections can be significantly increased with the use of complex passwords and certificate-based PPP user authentication, L2TP/IPSec should be considered the VPN protocol of choice. Microsoft continues to support PPTP for systems that do not support L2TP/IPSec, but PPTP VPN links should be limited to those machines that are incapable of creating an L2TP/IPSec connection.
PPTP security is highly dependent on password complexity. In an ideal world all users would have highly complex passwords that they change every day. However, even when you enforce password policies that require complex passwords, users find ways around them.
For example, the Windows Server 2003 default password policy allows users to use the following password: P@ssword2000. This password contains a combination of upper and lower case letters, numbers and symbols. But a relatively simple brute force or dictionary attack would be able to break this password, because the @ sign is a common substitute for the letter “A”.
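The following is an added example, not part of the original deployment kit document: it reproduces the Windows Server 2003 built-in complexity rule (six or more characters, three of four character classes, account name not contained; the account-name test is simplified here) and then shows why P@ssword2000 still fails a defender's audit once common character substitutions are undone. The LEET table and WORDLIST are constructed for the demonstration.

```python
import re
import string

# Substitutions users commonly apply to get a dictionary word past a complexity
# filter (the page's example: "@" standing in for "a").
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})
# Constructed mini wordlist for the demonstration; a real audit would use a full
# dictionary plus known breached-password lists.
WORDLIST = {"password", "welcome", "letmein", "summer", "winter"}


def meets_complexity(password, username=""):
    """Windows Server 2003 built-in rule: at least 6 characters, account name
    not contained in the password (simplified), 3 of 4 character classes."""
    if len(password) < 6:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    return sum(classes) >= 3

def base_words(password):
    """Dictionary words possibly hidden in a password: case folded, common
    substitutions undone, with and without trailing digits/symbols (years)."""
    lowered = password.lower()
    trimmed = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered.translate(LEET), trimmed.translate(LEET)}

def weak_despite_policy(password, username=""):
    """Passes the complexity filter yet is a cosmetically altered dictionary
    word: the case the text warns about."""
    return meets_complexity(password, username) and bool(base_words(password) & WORDLIST)

def audit(passwords):
    """Map each candidate to 'rejected' (fails filter), 'weak' (passes the
    filter but dictionary-derived) or 'ok'."""
    verdicts = {}
    for pw in passwords:
        if not meets_complexity(pw):
            verdicts[pw] = "rejected"
        elif weak_despite_policy(pw):
            verdicts[pw] = "weak"
        else:
            verdicts[pw] = "ok"
    return verdicts
```

Running `audit(["P@ssword2000", "password", "W3lcome!", "Tq7#vRm9pL"])` flags the first and third as weak even though both satisfy the complexity filter.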
EAP-TLS certificate-based authentication allows you to avoid the password complexity issue. EAP-TLS is an extension to the traditional PPP authentication mechanism and allows vendors to “plug in” advanced methods of PPP user authentication. EAP-TLS allows users to log in without requiring a user name or password. VPN users obtain a user certificate and use this certificate to log into the VPN. The certificate can even be located on a “smart card” or on the user’s computer.
Note:
Even though EAP-TLS authentication improves the level of security provided by PPTP by avoiding simple passwords, you can also use EAP-TLS authentication to provide user authentication for L2TP/IPSec connections.
There are a number of ways you can make certificate-based user authentication work with your ISA Server firewall/VPN server. The following scenario provides a very high level of security for a small or medium sized business:
To complete the entire procedure, please refer to and implement the procedures in the following ISA Server 2000 VPN Deployment Kit documents in order:
This ISA Server 2000 VPN Deployment Kit document describes how to assign a user certificate to a VPN client, and how to configure the VPN client to use this certificate to authenticate with the ISA Server firewall/VPN server using certificate-based EAP-TLS authentication.
The remainder of this document discusses the following procedures:
Assigning the Windows 2000/Windows XP VPN Client a User Certificate
There are several ways you can obtain a user certificate from a Windows Server 2003 enterprise Certificate Server. The Web enrollment site is the most accessible because clients do not need to be a member of the domain and do not need any special protocol access other than HTTP.
In this example we obtain a user certificate from a Windows 2000 computer running Internet Explorer 6.0. We assume the VPN client computer is on the internal network behind the ISA Server. The VPN client does not need to be on the internal network if the enterprise CA Web enrollment site is published to the Internet using a Web Publishing Rule. Please refer to the ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for details on how to publish a Microsoft Certificate Server to the Internet.
Perform the following steps on the VPN client to obtain the user certificate:
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Creating the VPN Connectoid and Configuring it to Support EAP-TLS Authentication
Perform the following steps to create the VPN connectoid on the VPN client machine. In this example we’ll create the VPN connectoid on a Windows 2000 Professional computer:
1. Right click on the My Network Places icon on the desktop and click the Properties command.
2. Double click on the Make New Connection icon in the Network and Dial-up Connections dialog box.
3. Click Next on the Welcome to the Network Connection Wizard page.
4. On the Network Connection Type page (figure 7), select the Connect to a private network through the Internet option. Click Next.
Figure 7
5. On the Destination Address page (figure 8), type in the IP address or the FQDN for the VPN server. Click Next.
Figure 8
6. On the Connection Availability page (figure 9), select the Only for myself option. This is the most secure option because the connectoid can be used only after the user who created it has logged on. Click Next.
Figure 9
7. Do not enable Internet Connection Sharing on the Internet Connection Sharing page (figure 10). One thing you definitely do not want is one of your users sharing the private VPN link with everyone on his home network. Click Next.
Figure 10
8. Click Finish on the Completing the Network Connection Wizard page.
9. Now we need to bind the user certificate to the VPN dial-up connectoid. The Connect Virtual Private Connection dialog box appears (figure 11). Click the Properties button.
Figure 11
10. In the Virtual Private Connection dialog box, click on the Security tab (figure 12). Select the Advanced option and click on the Settings button.
Figure 12
11. In the Advanced Security Settings dialog box (figure 13), select the Use Extensible Authentication Protocol (EAP) option. Make sure the Smart Card or other Certificate (encryption enabled) option is selected in the drop-down list box. Click the Properties button.
Figure 13
12. The Smart Card or other Certificate Properties dialog box (figure 14) has a number of useful options. Since we are using a user certificate instead of a username and password for authentication, select the Use a certificate on this computer option.
We can improve security by selecting the Validate server certificate option. When you select that option, the client will check whether the server certificate has expired (the VPN client presents its certificate to the VPN server and the VPN server [in this case, the RADIUS server] presents its certificate to the VPN client).
Place a checkmark in the Connect only if server name ends with checkbox. This will cause the VPN client to confirm that the correct domain name is included in the VPN server certificate. If the VPN server certificate does not contain the domain name you type into this text box, the connection attempt will fail.
Click the down arrow in the Trusted root certificate authority drop-down list box and select the CA that provided the user certificate to the VPN client. This improves security in that you explicitly specify which CA is trusted as the root CA for this VPN connection. Click OK in the Smart Card or other Certificate Properties dialog box.
Figure 14
13. Click OK in the Advanced Security Settings dialog box and then click OK in the Virtual Private Connection dialog box.
14. An abbreviated Connect Virtual Private Connection dialog box appears (figure 15). Note that this connection dialog box doesn’t allow you to enter a username or password. You don’t need to. The user has already obtained a certificate that confirms his identity. Even if an intruder were to learn this user’s username and password, it would not help the intruder, because if you force certificate-based EAP-TLS authentication at the VPN server, the username and password won’t do the intruder any good.
Figure 15
15. Click OK and establish the connection. You can see the connection is a PPTP connection in this example. You can also use EAP-TLS authentication with L2TP/IPSec connections. It’s important to note that if you want to use L2TP/IPSec, you must assign a computer certificate to both the VPN client and the ISA Server firewall/VPN server. Please refer to the ISA Server VPN Deployment Kit documents Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA and Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA for information on how to deploy machine certificates for L2TP/IPSec connections.
Figure 16