
VPN, Radius and server certificates

VPN, Radius and server certificates - 27.Mar.2008 6:40:26 PM   
miguel_gonz

 

Posts: 6
Joined: 25.Mar.2008
Status: offline
Hi,

I have an ISA 2004 server with local users and we want to migrate it to use domain users through RADIUS.

I've configured our SBS 2003 domain controller as our Radius server.

When I have configured the properties in the RADIUS server there is the option of enabling PEAP and using a certificate.

However, if I use that certificate, it doesn't work. If I don't enable this, it works exactly the same way it works now, just user and password (but with the credentials of the domain user instead).

What do I gain by using the certificate? Is there no encryption if I don't enable it? Can I just use the server certificate without needing a client certificate?

Thanks,

Miguel
Post #: 1
RE: VPN, Radius and server certificates - 31.Mar.2008 10:05:42 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Miguel,
It would be useful if you could tell us what exactly you are trying to do:
- are you using PPTP or L2TP/IPsec
- why you did not make ISA a domain member
- are you trying to use certificate authentication for user authentication.
If so you should use EAP-TLS. I do not think PEAP/EAP-MSCHAPv2 works with ISA (I do not remember seeing an article on Microsoft's site about that). Assuming that maybe it will work, you would need all of your VPN clients to be Vista or XP SP3 based in order to use PEAP/EAP-MSCHAPv2.
Regards,
J

(in reply to miguel_gonz)
Post #: 2
RE: VPN, Radius and server certificates - 31.Mar.2008 12:05:22 PM   
miguel_gonz

 

Posts: 6
Joined: 25.Mar.2008
Status: offline
Thanks for replying and sorry for the lack of details.

I'm inheriting a previously configured infrastructure, so I'm trying to stabilize what we currently have before we migrate ISA 2004 to 2006.

About the configuration:

- the VPN is configured to use PPTP and L2TP/IPsec. The clients are configured to use "automatic".

- My boss configured the ISA server as not part of the domain. I don't know the reasoning behind that; the ISA server is running the VPN and the firewall of our corporate network. Also we have split DNS; the DNS server is residing on an AD server.

- Right now we use the default configuration of the Windows VPN client and we don't use client certificates. That would require having an internal CA tool for creating and revoking certificates, so we don't want this (at least at this point).

Our current VPN configuration uses MSCHAPv2. However, I'm referring to the configuration in the RADIUS server and the use of EAP methods in the IAS. Right now there is no EAP method for authentication. Since PEAP apparently only works with Vista, and we also use Macs for VPNing, and we don't want to use client certificates (EAP-TLS), is our setup secure enough, or should we look at something else?

Many thanks

Miguel

(in reply to justmee)
Post #: 3
RE: VPN, Radius and server certificates - 31.Mar.2008 4:05:47 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Miguel,
If you are looking for security, L2TP/IPsec is the way to go.
However, if you are using pre-shared keys, you are not going to get that security.
You say that you have enabled both PPTP and L2TP/IPsec on ISA.
PPTP with MS-CHAPv2 relies heavily on user passwords. If they are weak then PPTP is hackable.
As opposed to PPTP, which provides only user authentication, L2TP/IPsec requires two levels of authentication: machine (through IKE) and user (PPP auth).
So if you want security, deploy L2TP/IPsec with certificates for machine authentication and MS-CHAPv2 for user authentication.
If you want even more security, deploy L2TP/IPsec with certificates for machine authentication (IKE, stored in the Certificates (Local Computer) store) and for user authentication (user certificates stored on proper smartcards or, as a kind of compromise, in the User store).
PPTP cannot truly be called a VPN nowadays. A VPN should provide secrecy, authentication, data integrity, replay-attack protection....
You should make ISA a domain member unless there is a specific reason for not making it a domain member.
Check this:
http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html
If you make ISA a domain member you no longer need that RADIUS server for authentication. And you should get an extra grip on your firewall rules (you can easily create access rules based on domain users and groups, thus granular control).
Regards,
J

(in reply to miguel_gonz)
Post #: 4
RE: VPN, Radius and server certificates - 31.Mar.2008 5:03:34 PM   
miguel_gonz

 

Posts: 6
Joined: 25.Mar.2008
Status: offline
Hi,

Many thanks for the clarifications, now I get a better insight of the different configurations.

I think that I found out why it was configured using PPTP and L2TP at the same time. We have Mac users VPNing and they are forced to use PPTP. Does this mean that Mac users are using PPTP and Windows users L2TP?

This lady says that It could be possible to use EAP methods:

http://www.windowsecurity.com/articles/VPN-Options.html

and assures that PPTP has been improved lately (although this article is dated 2004).

Would it be possible to configure EAP and use the server certificate without client certificates?

I've seen that it is possible to enable automatic certificate allocation:

http://technet2.microsoft.com/windowsserver/en/library/9fc9ac6f-78c0-4f50-9c15-4beecf5129161033.mspx?mfr=true

However, how can I configure our Mac users without making our VPN configuration very complicated? Would it require joining all the offsite machines to the domain?

Thanks for all your help!

Miguel

(in reply to miguel_gonz)
Post #: 5
RE: VPN, Radius and server certificates - 1.Apr.2008 5:27:22 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Miguel,
First thing you should do would be to know for sure who is using what (if you leave the Win XP VPN client set to automatic you will use PPTP).
I think that Mac has good support for L2TP/IPsec (I have not used any Mac with VPN so I do not know for sure).
Regarding the use of PPTP with PEAP/EAP-MS-CHAPv2, I've actually made some tests today with my ISA 2006, domain member, and I see that it works with both PPTP and L2TP/IPsec as long as user mapping is *disabled* on ISA.
For enabling PEAP/EAP-MS-CHAPv2 on ISA (EAP was already enabled in ISA's GUI), I've just used RRAS to add PEAP to the EAP methods (I've edited the ISA Server default policy).
My VPN client was XP SP3 (RC).
Keep in mind that PPTP only provides per-packet confidentiality (this is stated on Microsoft's site too).
And this confidentiality is questionable because it depends on the strength of the passwords.
The "improved" version of PPTP uses MS-CHAPv2.
There is a tool that demonstrates how "strong" MS-CHAPv2 is:
http://www.willhackforsushi.com/Asleap.html
George Ou has written about PPTP and its "strength":
http://blogs.zdnet.com/Ou/index.php?p=21
And note that the attack is not an active one; the attacker just sits and captures packets.
Actually, if VPN clients are not properly configured (meaning to use just MSCHAPv2), version rollback is possible with an active MITM (force them to use MS-CHAP).
The use of EAP-TLS with PPTP defeats the logic of a normal man, because what would be the point of spending time installing and configuring a CA, issuing certificates and so on, and then using all these with the weak PPTP?
PPTP would be used because it does not require any certificates, just a user name and password.
Assuming that strong passwords are used, the level of confidentiality afforded is unknown (just define what a strong password is).
A strong password-based authentication method should not be vulnerable to dictionary attacks, and MSCHAPv2 is vulnerable, thus it is a weak authentication method.
With PEAP/EAP-MS-CHAPv2, the credentials are protected inside the SSL tunnel, and the server is authenticated first; no user credentials are sent before the server's certificate is verified. You just need a certificate on the server.
Personally, I cannot be convinced to use PPTP even with EAP-TLS. For me PPTP is history and I'm using it only for academic purposes (huh!). RC4 encryption at its best in the year 2008, it must be a joke.
Yep, if you have an Enterprise CA you can automatically issue a computer certificate for domain machines (for IKE authentication).
This "computer certificate" for IKE authentication (machine) can actually be a user certificate stored in the Local Computer store instead of the User store.
So for non-domain machines you can use web enrollment to provide them with a "machine" certificate (do not make it exportable).
However, you *must* carefully issue certificates, otherwise they're going to lose their value.
Regarding Macs, I suppose the "most advanced OS in the world" (or whatever they call it) should have a GUI for importing a certificate.
If you want a separation, say what group is using PPTP and what group is using L2TP/IPsec, you need to use IAS and create the appropriate remote access policies, because you cannot use the ISA GUI for that.
Regards,
J

< Message edited by justmee -- 1.Apr.2008 5:29:54 AM >

(in reply to miguel_gonz)
Post #: 6
