MS-CHAPv2 encryption

Myrt Webb

I understand that when using MS-CHAP v2 for a RAS
connection the authentication traffic is encrypted.

But, after a successful authentication and connection to
a RAS is the subsequent data traffic sent over the RAS
connection also encrypted? Or just the authen process?
 
You will need to use a VPN tunnel to ensure that data is encrypted, which can be
either PPTP or L2TP. L2TP is more secure but more involved in setting up due to
limitations of it working over NAT and the need for computer certificates on server
and client. PPTP can be secure, just be sure to use a complex password along with
MSCHAPV2 for authentication. --- Steve
 
If you have a Windows 2003 server, and if you decide to use L2TP, you can do
it even with NAT.

Win 2003 supports NAT-T (traversal).

PPTP is nice, I do agree. Also it is very easy with AD to embark a user
certificate on a smartcard or USB key... this way, you have a
Hardware+pincode authentication rather than a domain\user+password.

Regards

--
FE (MVP ISA)
(e-mail address removed)
You plan to implement Quarantine on ISA 2004 ?
Check this : http://www.esnouf.net/programs/QSS/qssinaction/QssInAction.htm
 
FE-FR said:
If you have a Windows 2003 server, and if you decide to use L2TP, you can do
it even with NAT.

Win 2003 supports NAT-T (traversal).

PPTP is nice, I do agree. Also it is very easy with AD to embark a user
certificate on a smartcard or USB key... this way, you have a
Hardware+pincode authentication rather than a domain\user+password.

Regards

So, how would one do this with a plain USB key? How do you direct the
OS to pull the certificate from the USB storage device? The stuff is
built in there for an actual smartcard, but otherwise I don't know how
you'd pull it off.

Eddie.
 