See also the RADIUS page
- relevant to Remote Access (RA), 802.1X port-based network access control, and more
Remote Access; NAT-T
Remote Access:
The Routing and Remote Access Service, RRAS, is the primary
point of focus for all Remote Access functionality and configuration tasks within
Windows Server.
Take care to note the various protocols and where they are used, especially the
authentication ones. The CONDITIONS, PERMISSIONS, PROFILES section is also key.
RRAS
- Provides --> Dial-up Server service
- Provides --> VPN Server service
- Provides --> Windows software routing functionality
- Always installed
- Not active / enabled by default
- To change the set of services RRAS provides, disable RRAS and re-run the RRAS
  configuration wizard ("Configure and Enable Routing and Remote Access"); this is
  the recommended way rather than editing the pieces by hand
LAN protocols supported by RRAS
- TCP/IP
- IPX/SPX (older Novell NetWare protocol)
- AppleTalk (for VPN only) (older Apple protocol, pre OS 9)
- (NetBEUI, and MSRAS over NetBEUI, is no longer available for RRAS under 2003)
Remote Access protocols supported by RRAS
- PPP - Point to Point Protocol - used for dial-up and, inside the tunnel, for
  both VPN types; the authentication protocols below are PPP authentication
  protocols
- SLIP - Serial Line Internet Protocol (NOTE: client use only - 2003 cannot be a
  SLIP server; 2003, XP, etc. can be SLIP clients)
VPN (Virtual Private Network) protocols supported by RRAS
- L2TP - Layer Two Tunneling Protocol
  - Supported >= W2K (client and server)
  - Works over NAT only with a NAT-T capable host on both ends (IPsec ESP
    cannot otherwise survive address translation)
  - Note: NAT-T is built into 2003 and XP SP2; XP SP1 and W2K need the
    L2TP/IPsec NAT-T update (KB 818043, linked below)
  - L2TP does only the tunneling part of the VPN; the encryption part is
    modular and is provided by IPsec with ESP (hence "L2TP/IPsec")
- PPTP - Point to Point Tunneling Protocol
  - Wide support, >= W95
  - Works over NAT provided the NAT device can handle GRE (IP protocol 47),
    i.e. has PPTP pass-through; a NAT that only tracks TCP/UDP breaks it
  - Uses MPPE (Microsoft Point to Point Encryption) only, no modularity; the
    MPPE keys are derived from the MS-CHAP / MS-CHAPv2 (or EAP-TLS) exchange,
    so with password authentication PPTP is only as strong as that password
    protocol
To prevent the use of IPX/SPX for remote access and demand-dial routing connections,
open the Properties dialog box of the server in the RRAS console. On the IPX tab,
clear the check box for the option "Allow IPX-based remote access and demand-dial
connections."
New RRAS feature in 2003: Enable broadcast name resolution. Basically a NetBIOS
broadcast proxy over the VPN "router" interface: NetBIOS name queries broadcast by
RA clients are forwarded onto the internal network and answered from there. Improves
the user experience insofar as allowing name resolution without (or alongside) WINS,
the Windows Network Neighborhood, drives mapped by name, logon scripts and other
NetBIOS-dependent applications to actually work.
The DHCPINFORM protocol
- Reference also / first the DHCP section of this site; DHCPINFORM is an
  extension of basic DHCP (a client that already has an address asks only for
  configuration options, no lease is assigned)
- Supported by W2K+
- After a RA session is established, the client sends a DHCPINFORM to the RRAS
  server. The DHCP Relay Agent on the RRAS server proxies the DHCPINFORM to the
  DHCP server, which sends DHCP options back to the RA client via the RRAS DHCP
  Relay Agent. The DHCP options returned in reply to the DHCPINFORM override the
  automatically assigned client settings sourced from the TCP/IP settings of the
  RRAS server's internal NIC.
- This allows a cleaner RA configuration with appropriate settings for WINS
  server, DNS server, DNS suffix, etc., managed centrally on the DHCP server
- Caveat: the DHCP Relay Agent must be added to the RRAS server's "Internal"
  interface and pointed at the DHCP server's address; otherwise the DHCPINFORM is
  never forwarded and the client silently keeps the NIC-derived settings
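The relay/override sequence above, as an added example (not code from this page or from Microsoft): a minimal RFC 2131/2132 encoder and decoder walks a DHCPINFORM from the RA client through a relay that stamps giaddr, to a DHCP server that answers with a DHCPACK carrying DNS, WINS and domain-name options, and finally applies those options over the client's NIC-derived settings. The addresses, the MAC, the domain name and the relay/server behaviour are constructed sample data; nothing touches the network.

```python
"""DHCPINFORM exchange through the RRAS DHCP Relay Agent (added illustration)."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPACK, DHCPINFORM = 5, 8
OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_WINS, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_END = 0, 6, 15, 44, 53, 55, 255
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"       # RFC 2131 fixed header, 236 bytes


def build(op, msg_type, xid, ciaddr, chaddr, giaddr="0.0.0.0", options=()):
    """Encode a DHCP message; yiaddr/siaddr stay zero (DHCPINFORM never assigns a lease)."""
    zero4 = b"\0" * 4
    hdr = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0, socket.inet_aton(ciaddr), zero4, zero4,
                      socket.inet_aton(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    """Decode header and options; rejects a bad cookie or an option that overruns the packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(FIXED, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": socket.inet_ntoa(f[7]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:6], "options": opts}


def ips(raw):
    """Option value holding N IPv4 addresses -> list of dotted strings."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def relay_forward(pkt, relay_ip):
    """RRAS DHCP Relay Agent: stamp giaddr with its own address and bump the hop count.
    (The real agent also unicasts the server's reply back to the client; omitted here.)"""
    m = bytearray(pkt)
    if m[24:28] == b"\0" * 4:
        m[24:28] = socket.inet_aton(relay_ip)   # giaddr lives at offset 24 of the fixed header
    m[3] += 1                                    # hops
    return bytes(m)


def dhcp_server(pkt, dns, wins, domain):
    """Answer a DHCPINFORM with a DHCPACK carrying only configuration options."""
    req = parse(pkt)
    if req["options"].get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        return None
    opts = [(OPT_DNS, b"".join(socket.inet_aton(a) for a in dns)),
            (OPT_WINS, b"".join(socket.inet_aton(a) for a in wins)),
            (OPT_DOMAIN, domain.encode())]
    # ciaddr, xid and giaddr are echoed so the relay can route the ACK back
    return build(BOOTREPLY, DHCPACK, req["xid"], req["ciaddr"], req["chaddr"], req["giaddr"], opts)


def apply_ack(settings, ack, xid):
    """Options in the ACK override what the RA client inherited from the RRAS internal NIC."""
    r = parse(ack)
    if r["xid"] != xid or r["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return settings                         # not our reply: keep NIC-derived settings
    o, s = r["options"], dict(settings)
    if OPT_DNS in o:
        s["dns"] = ips(o[OPT_DNS])
    if OPT_WINS in o:
        s["wins"] = ips(o[OPT_WINS])
    if OPT_DOMAIN in o:
        s["dns_suffix"] = o[OPT_DOMAIN].decode()
    return s


def inform_exchange():
    """Whole round trip: RA client -> RRAS relay -> DHCP server -> client (constructed data)."""
    nic_derived = {"dns": ["10.0.0.1"], "wins": [], "dns_suffix": ""}   # from the RRAS internal NIC
    xid = 0x1234ABCD
    inform = build(BOOTREQUEST, DHCPINFORM, xid, "10.0.0.50", b"\x00\x0c\x29\x11\x22\x33",
                   options=[(OPT_PARAM_LIST, bytes([OPT_DNS, OPT_WINS, OPT_DOMAIN]))])
    ack = dhcp_server(relay_forward(inform, "10.0.0.1"),
                      ["10.0.1.10", "10.0.1.11"], ["10.0.1.20"], "corp.example")
    return apply_ack(nic_derived, ack, xid)


if __name__ == "__main__":
    print(inform_exchange())
```

The parser bounds-checks every option length before slicing, which is the check a practitioner wants in anything that decodes DHCP from the wire; the relay stage is where a misconfigured RRAS Relay Agent (no Internal interface, no server address) would simply drop the message, leaving `nic_derived` unchanged.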
Authentication protocols:
- PEAP - Protected Extensible Authentication Protocol -
  - One of the EAP types; it wraps a second EAP method (e.g. EAP-MS-CHAPv2 or
    EAP-TLS) inside a TLS tunnel authenticated by the server's certificate, so
    the inner credential exchange is never exposed on the wire
- EAP - Extensible Authentication Protocol -
  - An authentication framework, not an authentication method
  - Allows multiple authentication methods to be used
  - Authentication method can be negotiated between client and server
  - Authentication options/methods (EAP types) include:
    - MD5-Challenge (CHAP carried inside EAP; same weaknesses as CHAP below)
    - PEAP
    - Smart Card or other certificate (in W2K this was called EAP-TLS
      (Transport Layer Security))
- MS-CHAP v2 - Microsoft Challenge Handshake Authentication Protocol version 2 -
  - Legacy LAN Manager clients NOT supported (no LM response is sent)
  - Mutual authentication: the server must also prove knowledge of the user's
    password hash in its reply, so a client can detect a rogue server (like
    IPsec's mutual authentication, but of the user credential, not the computer)
  - Separate send and receive MPPE keys, derived from the password hash and the
    per-connection challenge/response, so the keys vary with each connection
- MS-CHAP - Microsoft Challenge Handshake Authentication Protocol (version 1) -
  - Authenticates against the stored one-way (nonreversible) password hash in AD,
    so no reversibly encrypted password is needed
  - Weakness: password length max'ed at 14 chars (the LAN Manager response)
  - Weakness: the 40/56-bit MPPE key is derived from the LM password hash alone,
    so the same encryption key recurs on every connection, and one key serves
    both directions
- CHAP - Challenge Handshake Authentication Protocol -
  - DISABLED BY DEFAULT
  - Uses an MD5 hash over (ID + password + challenge)
  - Requires the user's password to be stored in AD using reversible encryption
    ("Store password using reversible encryption" on the account), which is a
    major weakness
  - NOT encrypted via MPPE when PPTP VPN'ed (CHAP yields no MPPE key material)
- SPAP - Shiva Password Authentication Protocol -
  - DISABLED BY DEFAULT
  - Uses reversible encryption of the password (a fixed scheme, no challenge)
  - Vulnerable to packet capture and decryption, and also to replay attacks
  - NOT encrypted via MPPE when PPTP VPN'ed
- PAP - Password Authentication Protocol -
  - DISABLED BY DEFAULT
  - Username and password in clear text over the network
  - NOT encrypted via MPPE when PPTP VPN'ed
- No Authentication -
  - All users are permitted - sort of like allowing anonymous access
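Two of the claims above are easy to see in code: CHAP can only be verified by a server that can recover the cleartext password (hence the reversible-encryption requirement), and a fresh challenge is what stops a captured response from being replayed, which PAP (and SPAP, with its fixed transform) cannot offer. The following is an added example, not code from this page; the server class, user names, passwords and the "captured" PAP bytes are all constructed for illustration.

```python
"""CHAP (RFC 1994, MD5) versus PAP: storage and replay (added illustration)."""
import hashlib
import secrets


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Server side of CHAP (constructed). It verifies by recomputing the MD5 over the
    secret itself, so the secret must be recoverable: a one-way password hash is useless
    here, which is why AD needs "reversible encryption" for CHAP users."""

    def __init__(self, users: dict):
        self.users = users                 # username -> cleartext password
        self.outstanding = {}              # username -> (ident, challenge)
        self.ident = 0

    def challenge(self, user: str):
        self.ident = (self.ident + 1) & 0xFF
        chal = secrets.token_bytes(16)     # fresh random challenge per attempt
        self.outstanding[user] = (self.ident, chal)
        return self.ident, chal

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        expected_ident, chal = self.outstanding.pop(user, (None, None))
        if chal is None or ident != expected_ident or user not in self.users:
            return False
        expected = chap_response(ident, self.users[user].encode(), chal)
        return secrets.compare_digest(expected, response)


def chap_login(server: ChapServer, user: str, password: str):
    """One CHAP exchange; returns (ok, ident, response) so the response can be 'captured'."""
    ident, chal = server.challenge(user)
    resp = chap_response(ident, password.encode(), chal)
    return server.verify(user, ident, resp), ident, resp


def pap_replay_demo() -> bool:
    """PAP sends the password itself; whatever is captured is reusable as-is."""
    captured = b"alice\x00Passw0rd!"        # constructed sniff of a PAP Authenticate-Request
    user, pw = captured.split(b"\x00")
    return pw.decode() == "Passw0rd!"       # the attacker now holds a working credential


def chap_replay_demo():
    """A captured CHAP response is worthless against the next (different) challenge."""
    server = ChapServer({"alice": "Passw0rd!"})
    ok, _ident, captured = chap_login(server, "alice", "Passw0rd!")
    new_ident, _chal = server.challenge("alice")
    replayed = server.verify("alice", new_ident, captured)
    return ok, replayed                     # expect (True, False)


if __name__ == "__main__":
    print("PAP capture reusable:", pap_replay_demo())
    print("CHAP (genuine, replayed):", chap_replay_demo())
```

Note what CHAP does not fix: an attacker who captures both the challenge and the response can still brute-force the password offline, which is why the page's ordering (EAP-TLS / PEAP over MS-CHAPv2 over everything else) still holds.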
How does the RRAS server allow or deny access to the RA client?
- If the RRAS server is a stand-alone server (i.e. not an AD member), users are
  authenticated against the server's local SAM (local user accounts)
- If the RRAS server is an AD member and its domain is in mixed mode, the allow
  or deny comes from the Dial-in tab of the respective AD user object (Allow or
  Deny only; the "Control access through Remote Access Policy" option is not
  available in mixed mode)
- If the RRAS server is an AD member and its domain is in native mode, the user
  object defaults to "Control access through Remote Access Policy", so the allow
  or deny is determined by the Remote Access Policy; an explicit Allow or Deny
  set on the user object still overrides the policy's permission
Remote Access Policy
- Generally each RRAS server has its own Remote Access Policy list (unless it
  hands authentication to a central RADIUS / IAS server) - this is actually
  useful: (A) user vs exec RA servers, (B) quick mail check vs telecommuter RA
  servers, (C) you don't have to give all your users all the RA server FQDNs
- Policies are evaluated in order; only the first policy whose conditions all
  match is applied, later ones are never consulted
- There is an implicit Deny-all at the end of the policy list - no policy match
  means an automatic denial.
- Remote Access Policy components
  - CONDITIONS
    - Criteria, ALL of which must be met for the policy to apply (logical AND)

      Condition                  Description
      Authentication type        Client authentication protocol used: PAP / CHAP /
                                 MS-CHAP / MS-CHAPv2 / EAP
      Called station ID          Phone number the client dialed
      Calling station ID         Phone number the call came from (caller ID)
      Day and time restrictions  Specific day/time ranges in which RA is allowed
                                 (based on the RRAS or RADIUS server's local time)
      NAS port type              Media used: POTS (async modem), ISDN, VPN,
                                 802.11 wireless, Ethernet
      Tunnel type                VPN protocol used: L2TP or PPTP
      Windows group              AD group membership (groups only, not
                                 individual users)

  - PERMISSIONS
    - Grant or Deny remote access for connections that match the conditions;
      decisive only when the user object says "Control access through Remote
      Access Policy"
  - PROFILES
    - Constraints applied to the connection once it is permitted: dial-in
      constraints (idle/session timeouts, day/time, media), IP address
      assignment and packet filters, multilink, allowed authentication methods,
      required encryption strength, and extra RADIUS attributes
    - Per policy, not per user (the Dial-in tab holds the few per-user settings:
      callback, static IP address, static routes, caller-ID check)
    - The connection is dropped if the client cannot satisfy the profile
    - When RRAS is configured to authenticate via RADIUS (IAS), the policies and
      profiles on the RADIUS server are evaluated instead of the local ones
- Remote Access Policy evaluation
- Remote Access Policies
- Elements of a remote access policy - http://technet2.microsoft.com/WindowsServer/en/Library/9a459901-d03c-4c87-9102-40de6b5dcf541033.mspx
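The CONDITIONS / PERMISSIONS / PROFILES evaluation described in this section, as an added model (not code from this page or from Microsoft): policies are tried in order, all conditions of a policy are ANDed, the first match is the only one used, the user object's Dial-in setting is combined with the policy's permission according to the domain mode, the profile is enforced afterwards, and no match means the implicit deny. Condition names follow the RRAS/IAS attribute names; the three sample policies, the groups, the user names and the connection attempts are constructed, and the mixed-mode branch carries one stated assumption (conditions and profile of the matching policy are still enforced there).

```python
"""Model of Windows Server 2003 remote access policy evaluation (added illustration)."""
from dataclasses import dataclass, field

# Dial-in tab setting on the AD user object
ALLOW, DENY, CONTROL_VIA_POLICY = "allow", "deny", "policy"
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")


def day_time(days=WEEKDAYS, start=8, end=18):
    """Day-And-Time-Restrictions condition as the set of permitted (day, hour) slots."""
    return {(d, h) for d in days for h in range(start, end)}


@dataclass
class Policy:
    name: str
    conditions: dict        # CONDITIONS: attribute -> acceptable values; every entry must match
    grant: bool             # PERMISSIONS: True = grant remote access, False = deny
    profile: dict = field(default_factory=dict)  # PROFILE: constraints checked after permission


@dataclass
class Attempt:
    user: str
    groups: set             # AD groups of the user (Windows-Groups condition)
    auth_type: str          # "PAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP"
    tunnel_type: str        # "PPTP", "L2TP", or "" for dial-up
    nas_port_type: str      # "Async (Modem)", "ISDN", "Virtual (VPN)", "Ethernet", ...
    day: str                # "Mon".."Sun" in the RRAS/IAS server's local time
    hour: int
    encryption_bits: int = 0  # negotiated MPPE strength: 0, 40, 56 or 128


def attributes(a: Attempt) -> dict:
    """Connection attributes as sets, so a condition matches when the sets intersect."""
    return {
        "Windows-Groups": set(a.groups),
        "Authentication-Type": {a.auth_type},
        "Tunnel-Type": {a.tunnel_type},
        "NAS-Port-Type": {a.nas_port_type},
        "Day-And-Time-Restrictions": {(a.day, a.hour)},
    }


def conditions_match(policy: Policy, a: Attempt) -> bool:
    """Logical AND over all conditions; an attribute the attempt lacks never matches."""
    attrs = attributes(a)
    return all(attrs.get(cond, set()) & allowed for cond, allowed in policy.conditions.items())


def profile_ok(profile: dict, a: Attempt):
    """Profile settings are enforced after permission; a connection that cannot meet them is dropped."""
    if "auth_types" in profile and a.auth_type not in profile["auth_types"]:
        return False, f"{a.auth_type} not permitted by profile"
    need = profile.get("min_encryption_bits", 0)
    if a.encryption_bits < need:
        return False, f"{a.encryption_bits}-bit encryption below required {need}-bit"
    return True, ""


def evaluate(policies, a: Attempt, user_dialin: str, native_mode: bool = True):
    """Return (decision, reason). Policies are tried in order; only the FIRST whose
    conditions all match is used. native_mode=False models a mixed-mode domain, where
    the user object's Allow/Deny alone decides permission (assumption: the matching
    policy's conditions and profile are still enforced)."""
    for p in policies:
        if not conditions_match(p, a):
            continue
        if not native_mode:
            permitted = user_dialin == ALLOW
        elif user_dialin == CONTROL_VIA_POLICY:
            permitted = p.grant                   # native-mode default: the policy decides
        else:
            permitted = user_dialin == ALLOW      # explicit Allow/Deny on the user wins
        if not permitted:
            return "deny", f"{p.name}: permission denied"
        ok, why = profile_ok(p.profile, a)
        if not ok:
            return "deny", f"{p.name}: dropped, {why}"
        return "allow", p.name
    return "deny", "no policy matched (implicit deny at end of list)"


# Constructed sample policy list, in evaluation order
POLICIES = [
    Policy("Executives VPN",
           {"Windows-Groups": {"RA-Execs"}, "Tunnel-Type": {"L2TP"}},
           grant=True, profile={"auth_types": {"EAP", "MS-CHAPv2"}, "min_encryption_bits": 128}),
    Policy("Staff dial-up, business hours",
           {"Windows-Groups": {"RA-Staff"}, "NAS-Port-Type": {"Async (Modem)"},
            "Day-And-Time-Restrictions": day_time()},
           grant=True, profile={"auth_types": {"MS-CHAPv2"}}),
    Policy("Block PPTP", {"Tunnel-Type": {"PPTP"}}, grant=False),
]

if __name__ == "__main__":
    alice = Attempt("alice", {"RA-Execs"}, "MS-CHAPv2", "L2TP", "Virtual (VPN)", "Sat", 23, 128)
    print(evaluate(POLICIES, alice, CONTROL_VIA_POLICY))   # policy grants
    print(evaluate(POLICIES, alice, DENY))                 # user object Deny wins
    bob = Attempt("bob", {"RA-Staff"}, "MS-CHAPv2", "", "Async (Modem)", "Mon", 22, 0)
    print(evaluate(POLICIES, bob, CONTROL_VIA_POLICY))     # outside hours: implicit deny
```

The ordering matters exactly as it does in the RRAS console: move "Block PPTP" to the top and an executive dialing in over PPTP is refused by it before the executive policy is ever reached, which is the usual way to force L2TP/IPsec for a group.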
Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients
- Including Support for EAP/TLS Authentication
http://www.isaserver.org/img/upl/vpnkitbeta2/rraspolicyeaptlsradius.htm
NAT-T:
http://support.microsoft.com/kb/818043
(client side) L2TP/IPsec NAT-T update for Windows XP and Windows 2000
Has some material on NAT-T and IPsec with RRAS on 2000 vs 2003