Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication – Part 1


by Thomas W Shinder, M.D.


L2TP/IPSec is considered to be more secure than PPTP. If you ever have the chance to choose between L2TP/IPSec and PPTP, you should use L2TP/IPSec. However, there are times when you may want to avoid using L2TP/IPSec. The most common reason for preferring PPTP over L2TP/IPSec is when VPN clients need to connect to your ISA Server firewall/VPN server while the client is behind a NAT device.


NAT devices “break” IPSec unless special measures are taken to encapsulate the IPSec packet. Encapsulating IPSec packets with a UDP or TCP header is referred to as “IPSec NAT Traversal” or NAT-T. The problem is that NAT-T is implemented in a number of different ways. Many vendors use their own proprietary NAT-T implementations. Windows Server 2003 and the Microsoft L2TP/IPSec VPN client support IETF NAT-T guidelines which are expected to become full RFC Internet standards in the near future.


NOTE:


For a detailed account of IPSec and NAT-T and how it affects your VPN clients and server, check out Stefaan Pouseele’s article on this subject at http://isaserver.org/articles/IPSec_Passthrough.html


Many commentators consider PPTP to be an insecure VPN protocol. This misperception is due to problems with the initial release of PPTP (PPTP version 1). Those problems were not so much related to the VPN protocol itself as to the PPP authentication protocol, MS-CHAP version 1. The current version of PPTP has proven itself to be quite secure when complex passwords are used. Both Windows 2000 and Windows Server 2003 support PPTP version 2, which is based on MS-CHAP version 2.


NOTE:


Check out http://www.counterpane.com/pptpv2-paper.html for more information on PPTP and the potential weaknesses inherent in the protocol.


The level of security provided by PPTP is highly dependent on password complexity. In an ideal world all of our users would have highly complex passwords that they change every day. We don’t live in an ideal world, and even when you enforce password policies that encourage complex passwords, users find ways around them.


For example, the Windows Server 2003 default password policy allows users to use the password: P@ssword2003. This password contains a combination of upper and lower case letters, numbers and symbols. But a relatively simple brute force or dictionary attack would be able to break this password because the @ sign is a common substitute for the letter “A”.
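The gap between "passes the complexity policy" and "resists a dictionary attack" can be checked at password-change time. The sketch below is an added example, not part of the original article: it applies a three-of-four character class rule, then undoes common symbol substitutions and strips leading or trailing digits and symbols before looking the result up in a word list. The word list, the substitution table and the minimum length of 7 are assumptions made for the example.

```python
import string

# Constructed sample word list; a real screen would load a large dictionary or breach list.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "summer"}

# Symbol-for-letter swaps that dictionary attack rules undo automatically (assumed table).
LEET = str.maketrans("@40!13$57", "aaoilesst")

MIN_LENGTH = 7  # assumed policy minimum, not taken from the article


def meets_complexity(password, min_length=MIN_LENGTH):
    """Three of four character classes plus a minimum length."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def dictionary_root(password, words=COMMON_WORDS):
    """Return the common word the password reduces to, or None."""
    affixes = string.digits + string.punctuation
    # Try the whole string, then with trailing and surrounding years/symbols removed.
    for core in (password, password.rstrip(affixes), password.strip(affixes)):
        candidate = core.lower().translate(LEET)
        if candidate in words:
            return candidate
    return None


def screen(password):
    """Accept only passwords that pass the policy and have no dictionary root."""
    return meets_complexity(password) and dictionary_root(password) is None


if __name__ == "__main__":
    for pw in ("P@ssword2003", "$ummer1", "tK9#vQ2m!xLp"):
        print(pw, meets_complexity(pw), dictionary_root(pw), screen(pw))
```
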


EAP-TLS allows you to get around the password complexity issue. EAP-TLS is an extension to traditional PPP authentication protocols and allows vendors to “plug in” more advanced methods of PPP authentication. EAP-TLS allows your users to log in without requiring a user name or password. VPN users obtain a user certificate and use this certificate to log into the VPN. The certificate can even be located on a “smart card” or on the user’s computer.


NOTE:


Although we use EAP-TLS authentication here to improve the security of PPTP connections by avoiding simple passwords, you can also use EAP-TLS authentication to provide user authentication for L2TP/IPSec connections.


There are a number of ways you can make this work with your ISA firewall/VPN server. The following methods ensure the highest level of security for your enterprise firewall:



  • Install the ISA firewall/VPN server in a workgroup – the ISA firewall is not a member of any internal network domain
  • There is a Windows 2000/Windows Server 2003 domain controller on the internal network. Windows Server 2003 is inherently more secure and is the preferred solution
  • IIS and an enterprise CA are installed on the internal network – it’s much easier to manage internal network user accounts in a domain based environment
  • An Internet Authentication Service Server (IAS Server) is located on a member server on the internal network. The IAS Server can also be located on a Domain Controller if server consolidation is preferred or required. Routing and Remote Access Policies are created on the IAS Server to support EAP-TLS authentication
  • Set up the VPN Server to support RADIUS and EAP-TLS authentication
  • The VPN client is assigned a user certificate and the user certificate is bound to the VPN connectoid used to establish the VPN link to the ISA firewall/VPN server

The following procedures are required in order to make the above scenario work:



  • Install ISA Server 2000 on a Windows Server 2003 machine
  • Install IIS 6.0 and Enterprise CA on Windows Server 2003
  • Install and configure an IAS Server and Create a Remote Access Policy
  • Configure the ISA firewall/VPN server to support EAP-TLS authentication
  • Assign a certificate to the VPN client
  • Configure the VPN client to use certificate based EAP-TLS authentication


    Installing and Configuring an Enterprise CA on Windows Server 2003


    Let’s start with installing IIS and an enterprise CA on a Windows Server 2003 domain controller. This domain controller is located on the internal network. If you’ve just started working with Windows Server 2003, the first thing you’ll really notice is that IIS is not installed by default. I can’t tell you how many times I’ve installed services that depend on IIS but forgot to install IIS first because it was always installed by default in Windows 2000.


    We need the Web enrollment site to be installed with the IAS Server, so we must install IIS Web services first:



    1. Click Start, point to Control Panel and click on Add or Remove Programs.
    2. Click the Add/Remove Windows Components button in the Add or Remove Programs window.
    3. In the Windows Components dialog box, select the Application Server entry and click the Details button.
    4. Select the Internet Information Services (IIS) entry and click the Details button.
    5. In the Internet Information Services (IIS) dialog box, put a checkmark in the World Wide Web Services checkbox. This automatically places checkmarks in the Internet Information Services Manager and Common Files checkboxes. Click OK in the Internet Information Services (IIS) dialog box. Click OK in the Application Server dialog box. Click Next in the Windows Components dialog box.
    6. You may be asked to insert the Windows Server 2003 CD-ROM. You need to point the installation program to the i386 folder. That folder can be located on the original CD-ROM media, on the local hard disk, or on a network share. Point the installer to the correct location and proceed with the install.
    7. Click Finish on the Completing the Windows Components Wizard page.


    The IIS site allows us to run the Certificate Server’s Web enrollment system. Now that the IIS Web service is installed, we can install the enterprise root Certificate Server services:



    1. Click Start and point to Add or Remove Programs.
    2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.
    3. In the Windows Components window, put a checkmark in the Certificate Services checkbox. A Microsoft Certificate Services dialog box appears informing you that the machine cannot change its name or its domain membership while acting as a Certificate Server. Click Yes to acknowledge this fact. Click Next in the Windows Components dialog box.
    4. Select the Enterprise root CA option on the CA Type page. Click Next.
    5. Enter a name for this Certificate Authority in the Common name for this CA text box. The common name of the CA is usually the NetBIOS or DNS host name of the machine. In our current example, the machine name is WIN2003DC, so we’ll enter WIN2003DC in the Common name for this CA text box. The Distinguished name suffix is entered automatically and you should not change this unless you have a specific reason for doing so. You should also leave the Validity period at 5 Years unless you have a specific reason for changing it. Click Next to continue.
    6. Leave the default settings on the Certificate Database Settings page, unless you have a specific reason to change them. Click Next. Click Yes in the Microsoft Certificate Services dialog box that informs you that it must temporarily stop the Internet Information Services.
    7. You may be asked to insert the Windows Server 2003 CD-ROM. You need to point the installation program to the i386 folder. That folder can be located on the original CD-ROM media, on the local hard disk, or on a network share. Point the installer to the correct location and proceed with the install.
    8. Click Yes in the Microsoft Certificate Services dialog box that informs you that Active Server Pages must be enabled in order for the Web enrollment site to work.
    9. Click Finish on the Completing the Windows Components Wizard page.

    Installing the Internet Authentication Server (RADIUS Server)


    We can now install the IAS Server. Perform the following steps to install and configure the IAS Server:



    1. Click Start, point to Control Panel and click on Add or Remove Programs.
    2. Click the Add/Remove Windows Components button in the Add or Remove Programs window.
    3. In the Windows Components dialog box, select the Networking Services entry and click the Details button.
    4. In the Networking Services dialog box, put a checkmark in the Internet Authentication Service checkbox and then click OK. Click Next in the Windows Components dialog box.
    5. Click the Finish button on the Completing the Windows Components Wizard page.
    6. Now we’ll make some basic configuration changes to the IAS Server. Click Start, point to Administrative Tools and click on Internet Authentication Services.
    7. In the Internet Authentication Services console, right click on the Internet Authentication Service (Local) node in the left pane and click the Register Server in Active Directory command. This will allow the IAS Server to authenticate users in the Active Directory domain. Click OK in the Register Internet Authentication Server in Active Directory dialog box. Click OK in the Server registered: dialog box. This dialog box informs you that the IAS Server was registered in a specific domain and that if you want this IAS Server to read users’ dial-in properties from other domains you’ll need to enter this server into the RAS/IAS Server Group in that other domain.
    8. Right click on the RADIUS Clients node in the left pane of the console and click the New RADIUS Client command.
    9. In the New RADIUS Client dialog box, type in a simple name to identify the ISA Server firewall/VPN server. You can use any name you like. Note that the RAS server (or in this case, the VPN server, which is a type of RAS server) is a RADIUS client. In this example we’ll use the host name of the server. Type in either the FQDN or the IP address of the ISA Server firewall VPN server in the Client address (IP or DNS) dialog box. Do not enter a FQDN if your ISA Server firewall and VPN server has not registered its internal IP address into your DNS. You can use the Verify button to test whether the IAS Server can resolve the FQDN. Click Next.
    10. On the Additional Information page, leave the RADIUS Standard entry in the Client-Vendor drop down list box. Your ISA Server firewall VPN server matches this setting. Type in a complex shared secret in the Shared secret text box and confirm it in the Confirm shared secret text box. The shared secret should be a complex string that consists of upper and lower case letters, numbers and symbols. Think of the shared secret as a password that must be used in order for the IAS Server and the VPN server to communicate securely. Put a checkmark in the Request must contain the Message Authenticator attribute checkbox. This option enhances the security of the messages being passed between the ISA Server firewall/VPN server and the RADIUS server. Click Finish.
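What the Request must contain the Message Authenticator attribute option enforces, shown as an added example that is not part of the original article: per RFC 3579 the attribute carries an HMAC-MD5 of the entire Access-Request, keyed with the shared secret and computed with the attribute's value set to 16 zero bytes. The shared secret, user name and NAS address below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 3579


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, attributes):
    """Build an Access-Request signed with a trailing Message-Authenticator."""
    body = b"".join(attributes) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + os.urandom(16) + body  # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # overwrite the zero placeholder with the HMAC


def verify_access_request(secret, packet):
    """Return True only for a well-formed request with a valid Message-Authenticator."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            found = pos + 2
        pos += a_len
    if found is None or pos != length:
        return False  # unsigned or malformed requests are dropped
    zeroed = packet[:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found:found + 16])


SECRET = b"constructed-Sample-s3cret!"  # constructed value, never reuse
SAMPLE = build_access_request(SECRET, 7, [attr(1, b"vpnuser"), attr(4, bytes([10, 0, 0, 1]))])
if __name__ == "__main__":
    print(verify_access_request(SECRET, SAMPLE))
```

A request altered in transit, signed with a different secret, or sent without the attribute fails the check, which is why the option is worth enabling on the RADIUS client entry.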


    Setting up the IAS Server is just the beginning. One of the major advantages of using a Microsoft IAS Server is that it allows you to centralize RRAS policy. While we are focusing on a small business scenario here, with just a single RRAS server, you can benefit from using RRAS policies when using just two RRAS servers. You can apply the same policy to all RRAS servers, or to just a subset of RRAS servers. The IAS Server makes it easy.



    Summary


    In this article we went over some of the key differences between PPTP and L2TP/IPSec. While L2TP/IPSec is the preferred VPN protocol, sometimes you can’t use it. You can make PPTP very secure if you use complex passwords or user certificate authentication. We installed the enterprise CA and the RADIUS server. In part two of this article we’ll create Remote Access Policies and issue a user certificate to the VPN client. See you then!


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001620 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom.
