Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication
The L2TP/IPSec VPN protocol is generally considered to be the most secure VPN protocol. However, there are times when you may want to avoid L2TP/IPSec. The most common reason for preferring PPTP over L2TP/IPSec is when VPN clients need to connect to an ISA Server firewall/VPN server while behind a NAT device, such as a broadband router or NAT-based firewall (figure 1).
NAT devices “break” IPSec unless special measures are taken to encapsulate the IPSec packet. Encapsulating IPSec packets with a UDP or TCP header is referred to as “IPSec NAT Traversal” or NAT-T. The problem is that NAT-T isn’t universally implemented. Many vendors use proprietary NAT-T implementations. Windows Server 2003 and the Microsoft L2TP/IPSec VPN client support IETF RFC NAT-T guidelines. These NAT-T RFCs are expected to become Internet standards in the near future.
You may have heard that PPTP is a high security risk. This misperception is due to problems related to the initial release of PPTP (PPTP version 1) and MS-CHAP version 1. The current version of PPTP (version 2) and MS-CHAP version 2 can be made quite secure when password policies force users to use complex passwords. Both Windows 2000 and Windows Server 2003 support PPTP version 2.
While the level of security afforded to PPTP VPN connections can be significantly increased with the use of complex passwords and certificate-based PPP user authentication, L2TP/IPSec should be considered the VPN protocol of choice. Microsoft continues to support PPTP for systems that do not support L2TP/IPSec, but PPTP VPN links should be limited to those machines that are incapable of creating an L2TP/IPSec connection.
PPTP security is highly dependent on password complexity. In an ideal world all users would have highly complex passwords that they change every day. However, even when you enforce password policies that require complex passwords, users find ways around them.
For example, the Windows Server 2003 default password policy allows users to use the following password: P@ssword2000. This password contains a combination of upper and lower case letters, numbers and symbols, so it satisfies the complexity rule. But a relatively simple brute-force or dictionary attack would be able to break this password, because the @ sign is a common substitute for the letter “A” and the trailing digits are easily guessed.
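The following PowerShell script is an added illustration of that point; it is not part of the ISA Server 2000 VPN Deployment Kit. It models the Windows “Password must meet complexity requirements” rule (at least six characters, three of four character categories, no account name) and then runs the same password through a leet-aware dictionary check of the kind a password auditor performs. The wordlist and the sample account name are constructed for the demonstration; P@ssword2000 passes the first test and fails the second.

```powershell
# Added example (not from the Deployment Kit): why a "complex" password can
# still be weak. The wordlist and account name below are constructed.

function Test-WindowsComplexity {
    param([Parameter(Mandatory)][string]$Password,
          [string]$AccountName = '')

    # Rule 1: at least six characters.
    if ($Password.Length -lt 6) { return $false }

    # Rule 2: must not contain the account name (three or more characters).
    if ($AccountName.Length -ge 3 -and
        $Password.ToLowerInvariant().Contains($AccountName.ToLowerInvariant())) {
        return $false
    }

    # Rule 3: characters from at least three of the four categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')         { $categories++ }
    if ($Password -cmatch '[a-z]')         { $categories++ }
    if ($Password -match  '[0-9]')         { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]')  { $categories++ }
    return ($categories -ge 3)
}

function ConvertTo-NormalizedCandidate {
    param([Parameter(Mandatory)][string]$Password)

    # Lower-case, drop a trailing run of digits (2000, 99, ...), then undo the
    # symbol/digit-for-letter substitutions that cracking rules try first.
    $base = $Password.ToLowerInvariant() -replace '\d+$', ''
    $map  = @{ '@'='a'; '4'='a'; '3'='e'; '1'='i'; '!'='i'; '0'='o'; '$'='s'; '5'='s'; '7'='t' }
    $chars = foreach ($c in $base.ToCharArray()) {
        $key = [string]$c
        if ($map.ContainsKey($key)) { $map[$key] } else { $key }
    }
    return (-join $chars)
}

function Test-LeetDictionaryWeak {
    param([Parameter(Mandatory)][string]$Password,
          [Parameter(Mandatory)][string[]]$Wordlist)
    $candidate = ConvertTo-NormalizedCandidate -Password $Password
    return ($Wordlist -contains $candidate)
}

# Constructed sample wordlist; a real audit uses a full cracking dictionary.
$wordlist = @('password', 'welcome', 'letmein', 'summer', 'company')

foreach ($pw in 'P@ssword2000', 'Tr3e!Lamp$9Kite') {
    $complex = Test-WindowsComplexity -Password $pw -AccountName 'jsmith'
    $weak    = Test-LeetDictionaryWeak -Password $pw -Wordlist $wordlist
    '{0,-18} meets complexity: {1,-5} leet-dictionary weak: {2}' -f $pw, $complex, $weak
}
```

Run as-is, the first line of output reports P@ssword2000 as meeting the complexity rule yet weak, because it normalizes to “password”; the second, unrelated password passes both checks. The normalization deliberately strips the trailing digits before substituting letters, since the digits are what the policy counted toward complexity.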
EAP-TLS certificate-based authentication allows you to avoid the password complexity issue. EAP-TLS is an extension to the traditional PPP authentication mechanism and allows vendors to “plug in” advanced methods of PPP user authentication. EAP-TLS allows users to log in without a user name or password. VPN users obtain a user certificate and use this certificate to log into the VPN. The certificate can even be located on a “smart card” or on the user’s computer.
EAP-TLS is not limited to PPTP. Although it improves the security of PPTP by removing the dependence on passwords, you can also use EAP-TLS authentication to provide user authentication for L2TP/IPSec connections.
There are a number of ways you can make certificate-based user authentication work with your ISA Server firewall/VPN server. The following scenario provides a very high level of security for a small or medium sized business:
To complete the entire procedure, please refer to and implement the procedures in the following ISA Server 2000 VPN Deployment Kit documents in order:
This ISA Server 2000 VPN Deployment Kit document describes how to assign a user certificate to a VPN client, and how to configure the VPN client to use this certificate to authenticate with the ISA Server firewall/VPN server using certificate EAP-TLS authentication.
The remainder of this document discusses the following procedures:
Assigning the Windows 2000/Windows XP VPN Client a User Certificate
There are several ways you can obtain a user certificate from a Windows Server 2003 enterprise Certificate Server. The Web enrollment site is the most accessible because clients do not need to be a member of the domain and do not need any special protocol access other than HTTP.
In this example we obtain a user certificate from a Windows 2000 computer running Internet Explorer 6.0. We assume the VPN client computer is on the internal network behind the ISA Server. The VPN client does not need to be on the internal network if the enterprise CA Web enrollment site is published to the Internet using a Web Publishing Rule. Please refer to ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for details on how to publish a Microsoft Certificate Server to the Internet.
Perform the following steps on the VPN client to obtain the user certificate:
Figure 2 (Fig138)
Figure 3 (Fig139)
Figure 4 (Fig140)
Figure 5 (Fig141)
Figure 6 (Fig142)
Creating the VPN Connectoid and Configuring it to Support EAP-TLS Authentication
Perform the following steps to create the VPN connectoid on the VPN client machine. In this example we’ll create the VPN connectoid on a Windows 2000 Professional computer:
1. Right click on the My Network Places icon on the desktop and click the Properties command.
2. Double click on the Make New Connection icon in the Network and Dial-up Connections dialog box.
3. Click Next on the Welcome to the Network Connection Wizard page.
4. On the Network Connection Type page (figure 7), select the Connect to a private network through the Internet option. Click Next.
Figure 7 (Fig143)
5. On the Destination Address page (figure 8), type in the IP address or the FQDN for the VPN server. Click Next.
Figure 8 (Fig144)
6. On the Connection Availability page (figure 9), select the Only for myself option. This is the most secure option because the connectoid is available only while that user’s account is logged on. Click Next.
Figure 9 (Fig145)
7. Do not enable Internet Connection Sharing on the Internet Connection Sharing page (figure 10). One thing you definitely do not want is for one of your users to share the private VPN link with everyone on his home network. Click Next.
Figure 10 (Fig146)
8. Click Finish on the Completing the Network Connection Wizard page.
9. Now we need to bind the user certificate to the VPN dial-up connectoid. The Connect Virtual Private Connection dialog box appears (figure 11). Click the Properties button.
Figure 11 (Fig147)
10. In the Virtual Private Connection dialog box, click on the Security tab (figure 12). Select the Advanced option and click on the Settings button.
Figure 12 (Fig148)
11. In the Advanced Security Settings dialog box (figure 13), select the Use Extensible Authentication Protocol (EAP) option. Make sure the Smart Card or other Certificate (encryption enabled) option is selected in the drop-down list box. Click the Properties button.
Figure 13 (Fig149)
12. The Smart Card or other Certificate Properties dialog box (figure 14) has a number of useful options. Since we are using a user certificate instead of a username and password for authentication, select the Use a certificate on this computer option.
We can improve security by selecting the Validate server certificate option. When you select that option, the client checks the server certificate, including whether it has expired. (Authentication is mutual: the VPN client presents its certificate to the VPN server, and the VPN server [in this case, the RADIUS server] presents its certificate to the VPN client.)
Place a checkmark in the Connect only if server name ends with checkbox. This causes the VPN client to confirm that the correct domain name is included in the VPN server certificate. If the VPN server certificate does not contain the domain name you type into this text box, the connection attempt will fail.
Click the down arrow in the Trusted root certificate authority drop down list box and select the CA that provided the user certificate to the VPN client. This improves security in that you explicitly specify which CA is trusted as the root CA for this VPN connection. Click OK in the Smart Card or other Certificate Properties dialog box.
Figure 14 (Fig150)
13. Click OK in the Advanced Security Settings dialog box and then click OK in the Virtual Private Connection dialog box.
14. An abbreviated Connect Virtual Private Connection dialog box appears (figure 15). Note that this connection dialog box doesn’t allow you to enter a username or password. You don’t need to. The user has already obtained a certificate that confirms his identity. If you force certificate-based EAP-TLS authentication at the VPN server, an intruder who learns this user’s username and password gains nothing, because those credentials are not accepted for the connection.
Figure 15 (Fig151)
15. Click OK and establish the connection. You can see the connection is a PPTP connection in this example. You can use EAP-TLS authentication with L2TP/IPSec connections. It’s important to note that if you want to use L2TP/IPSec, you must assign a computer certificate to the VPN client and the ISA Server firewall/VPN server. Please refer to ISA Server VPN Deployment Kit documents Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA and Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA for information on how to deploy machine certificates for L2TP/IPSec connections.
Figure 16 (Fig152)
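The fifteen steps above are a Windows 2000 GUI procedure. As an added example, not part of the Deployment Kit and not applicable to Windows 2000 itself, the PowerShell below builds the same EAP-TLS connectoid on a current Windows client (Windows 8.1 and later, where the VpnClient module exists) and then audits the result for the three server-validation settings from step 12: validate the server certificate, restrict the accepted server name, and pin the trusted root CA. The EAP profile uses Microsoft’s EapHostConfig XML schema for EAP type 13 (EAP-TLS); the connection name, server FQDN and root CA thumbprint are placeholders you replace with your own values. In this schema ServerNames is the successor of the “Connect only if server name ends with” box and TrustedRootCA of the “Trusted root certificate authority” list.

```powershell
# Added example (not from the Deployment Kit): modern equivalent of steps 9-13
# plus an audit of the server-validation settings. Placeholders are marked.

$connectionName = 'Corp PPTP (EAP-TLS)'   # placeholder name for the connectoid
$serverName     = 'vpn.example.com'        # placeholder VPN server FQDN
$rootThumbprint = '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'  # placeholder root CA SHA-1 thumbprint

# EAP-TLS profile. ServerValidation maps to the figure 14 options: validate
# the server certificate, accept only the named server, trust only this root.
[xml]$eapConfig = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>$serverName</ServerNames>
          <TrustedRootCA>$rootThumbprint</TrustedRootCA>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

function Test-EapTlsServerValidation {
    # Reports whether an EAP-TLS profile enforces the three server checks.
    param([Parameter(Mandatory)][xml]$EapConfig)

    $ns = New-Object System.Xml.XmlNamespaceManager($EapConfig.NameTable)
    $ns.AddNamespace('tls1', 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1')
    $ns.AddNamespace('tls2', 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2')

    $perform = $EapConfig.SelectSingleNode('//tls2:PerformServerValidation', $ns)
    $names   = $EapConfig.SelectSingleNode('//tls1:ServerNames', $ns)
    $roots   = $EapConfig.SelectNodes('//tls1:TrustedRootCA', $ns)

    [pscustomobject]@{
        ValidatesServerCert = ($null -ne $perform -and $perform.InnerText -eq 'true')
        RestrictsServerName = ($null -ne $names -and -not [string]::IsNullOrWhiteSpace($names.InnerText))
        PinsTrustedRoot     = ($roots.Count -gt 0)
    }
}

# Audit the profile before applying it; all three properties should be True.
Test-EapTlsServerValidation -EapConfig $eapConfig

# Create the PPTP connectoid with EAP authentication and required encryption.
Add-VpnConnection -Name $connectionName -ServerAddress $serverName `
    -TunnelType Pptp -EncryptionLevel Required `
    -AuthenticationMethod Eap -EapConfigXmlStream $eapConfig -Force

# Re-read what Windows stored and audit it again, so a later GUI change that
# clears server validation is caught.
[xml]$stored = (Get-VpnConnection -Name $connectionName).EapConfigXmlStream
Test-EapTlsServerValidation -EapConfig $stored
```

The audit function takes the XML rather than a connection name so the same check runs on a profile before it is applied and on what Get-VpnConnection later returns. If you created a connectoid through the GUI first, exporting its EapConfigXmlStream with Get-VpnConnection gives you a reference document to compare against this profile for your Windows version.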