Understanding Authentication Protocols

Windows Server 2008 supplies you with several protocol choices to authenticate remote users dialing into your RAS server. These protocols supply different “strengths” of authentication. You choose the protocol or protocols that you want to use for remote user authentication on the Security tab of your RAS server’s Properties dialog box (which is covered after we sort out the different authentication protocols).

The authentication protocols available (in order of security strength) are the Extensible Authentication Protocol (EAP), Microsoft Encrypted Authentication Version 2 (MS-CHAP v2), Microsoft Encrypted Authentication (MS-CHAP), encrypted authentication (CHAP), Shiva Password Authentication Protocol (SPAP), unencrypted password (PAP), and unauthenticated access (meaning that no protocol is used to control authentication). The sections that follow briefly describe each of these protocols.

By the Way

By default, EAP, MS-CHAP v2, and MS-CHAP are the selected authentication protocols for remote access.

Understanding the Extensible Authentication Protocol

The Extensible Authentication Protocol (EAP) was first introduced with the Windows 2000 Server operating system. EAP is actually an extension of the Point-to-Point Protocol and is designed to provide for the authentication of users through additional security devices. These additional security devices can take the form of a smart card reader attached to the computer that requires the user to place a smart card in the reader for authentication. EAP can also take advantage of authentication strategies such as one-time passwords and the use of certificates for authentication (using certificates is discussed in Hour 22). Because EAP is extensible (after all, it’s part of the name), additional EAP authentication types will be added to the protocol.

Currently, EAP supports three EAP methods:

Understanding the Challenge Handshake Authentication Protocol

The Challenge Handshake Authentication Protocol (CHAP) is a more secure authentication scheme than PAP (which is discussed in a moment) because the username and password are not disclosed over the link as clear text. CHAP uses a three-way handshake scheme for authentication when the remote host requests a connection. The receiving server sends a challenge message that contains a random number and asks the dialing device to send its username and password. The host responds with an encrypted value that is decrypted by the receiving device, yielding the username and password. There are two Microsoft-proprietary versions of CHAP:

Understanding the Shiva Password Authentication Protocol

The Shiva Password Authentication Protocol (SPAP) is the authentication scheme for the Shiva-proprietary connectivity software that supplies client and server operability. If you are using a Shiva client to connect to a Windows RAS server, the server can use SPAP to validate the user’s connection. Be advised that data encryption cannot be used with SPAP. SPAP also provides Windows clients with the capability to connect to Shiva servers.

Understanding the Password Authentication Protocol

The Password Authentication Protocol (PAP) uses a username and password in clear-text format. When the remote host creates the connection to the server, it sends a username and password; these are authenticated by the RAS server. If the username and password are not accepted, the connection is terminated. This type of password protection is referred to as a two-way handshake. The problem with PAP is that the clear-text username and password are susceptible to snooping, so the username and password could actually be captured with some sort of protocol analyzer.
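The difference between what PAP and CHAP put on the link, as an added example that is not from the original page: it builds a PAP Authenticate-Request per RFC 1334 and runs the CHAP exchange per RFC 1994, where the response is an MD5 hash over the identifier, the shared secret, and the challenge, which the server recomputes and compares. The username, password, and server name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

def pap_auth_request(ident, user, password):
    """PAP Authenticate-Request (RFC 1334): Peer-ID and Password in clear text."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def chap_challenge(ident, server_name):
    """CHAP Challenge (RFC 1994): returns (packet, random challenge value)."""
    value = os.urandom(16)
    body = bytes([len(value)]) + value + server_name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body, value

def chap_response(ident, user, secret, challenge):
    """CHAP Response: carries MD5(identifier || secret || challenge), not the secret."""
    value = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    body = bytes([len(value)]) + value + user
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body

def chap_verify(packet, ident, secret, challenge):
    """Server side: recompute the hash from the stored secret and compare."""
    if len(packet) < 5:
        return False
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or pkt_id != ident or length != len(packet):
        return False
    value = packet[5:5 + packet[4]]
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(value, expected)

if __name__ == "__main__":
    user, password = b"alice", b"Constructed-Pa55"   # constructed sample values
    pap = pap_auth_request(1, user, password)
    print("PAP packet exposes password:", password in pap)
    _, challenge = chap_challenge(7, b"ras01")       # "ras01" is a constructed name
    resp = chap_response(7, user, password, challenge)
    print("CHAP packet exposes password:", password in resp)
    print("Server accepts response:", chap_verify(resp, 7, password, challenge))
    _, fresh = chap_challenge(8, b"ras01")
    print("Replay against new challenge:", chap_verify(resp, 8, password, fresh))
```

Because the server issues a fresh random challenge for each attempt, a captured CHAP response does not verify against a later challenge, whereas a captured PAP request contains the reusable password itself.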

Understanding Unauthenticated Access

The final alternative offered for authenticating users to the RAS server is to have no authentication. When you enable unauthenticated access, you are no longer requiring the remote host’s username and password. You are also not requiring the host machine to be configured with the same authentication protocol that is configured on the RAS server.

Although unauthenticated access might be useful when end users have inappropriately configured remote hosts and you still want them to log on to the network, you are making it very easy for anyone with the phone number of the RAS server to attach to your network. Microsoft recommends “strong” authentication for securing your RAS environment. This means using authentication protocols such as EAP and the two flavors of CHAP.
