RAS and Radius

Jack

I have several users dialing into RAS (2003 Server) using what I think is
the default encryption scheme: MS-CHAP, MS-CHAPv2 and PAP. These are all
selected. I would like to know if this is secure enough and if the data from
the users' homes to the server is encrypted, and if it is, what is doing the
encryption? Is this data encrypted over the phone line? Is it MS-CHAP? If I
set the RAS server up as a RADIUS server itself, would this make for better
authentication? I have read all the documentation on RAS from Microsoft but
am still confused.

Thanks Rob
 
Hi,

I advise you to use MSCHAP-V2 ... the others are only here for compatibility
purposes with older systems.

In fact the data transferred through the wire is encrypted by the VPN
technology you are using (PPTP, IPSEC, ...). PPTP is very simple to
implement and before the arrival of NAT-T (arrived with Windows 2003), PPTP
was very popular because it could be used with 'NATed' networks.

For me there are 3 things to think about:
* The encryption: all the protocols are pretty safe
* Authentication: login+password is nice but make sure that you use a
complex one (and that your AD policy will lock a user after X bad login
attempts). You can also think about implementing strong authentication
(smartcard, USB keys, ...)
* Remote user security: as soon as you are connected, everything is
encrypted within the tunnel. But imagine that your remote user is infected
by a virus, or if he does not have a security patch... VPN can be the source
of a major attack. ISA Server will introduce something called Quarantine to
cope with this problem.

I hope this helps.

Regards

fE
 
First, thanks for the info. I appreciate the response. Do you think setting
up a RADIUS server is not worth the trouble? Again, these are just dial-in
users (we have a different app for VPN users) but I would like to use dial-up
for certain situations. When I check Event Viewer it states that the data
sent and received is strongly encrypted. This is when I RAS in with a 2000
machine. When I RAS in with a Win98 machine it gives basically the same
message but that the data is only encrypted. I'm assuming the 2000 machines
are just using a more secure protocol. Also, passwords are complex and the
lockout policy is three times. And one last question if you can help. This
is a Win NT domain right now but we are going to AD. The RAS server is
2003. Would I be able to use EAP-TLS? Or is this just for smart cards?

Thanks again for your help.

Jack
 