As Figure 1 shows, here is how RADIUS authentication works:
1. A remote access client dials in to a RAS server.
2. The RAS server passes the request to the RADIUS server.
3. The RADIUS server verifies the user's logon ID and passes the request to
the NT authentication server.
4. The NT authentication server responds to the RADIUS server.
5. The RADIUS server forwards that response and the user's profile (which
is in the RADIUS server's database) to the RAS server.
6. The RAS server grants or denies the user access to the network based on
the user's profile.
When you install RRAS, you can select either NT or RADIUS as the
authentication provider. If you check the RADIUS box, your NT system acts as a
RADIUS client and connects to a RADIUS server.
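The exchange in steps 2 through 5 is worth seeing on the wire, because the RAS server (the RADIUS client) has no other way to know that the Access-Accept it receives really came from its RADIUS server. The following Python example is added here and is not code from the article or from any Microsoft or RADIUS product; it builds an Access-Request and the server's response in the RFC 2865 format, hides the User-Password with the shared secret, and checks the Response Authenticator on the RAS side. The account table standing in for the NT authentication server, the shared secrets, and the Reply-Message used as a stand-in for the user's profile are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

# Constructed account table standing in for the NT authentication server (step 3)
NT_ACCOUNTS = {b"alice": b"correct horse"}


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length covers the two header bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def _xor_chain(data, secret, req_auth, decrypt):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the
    # "previous block" is the Request Authenticator first, then the prior ciphertext block.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = block if decrypt else res
    return out


def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, req_auth, decrypt=False)


def unhide_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")


def response_authenticator(code, ident, body, req_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def ras_build_request(ident, username, password, secret):
    # Step 2: the RAS server (RADIUS client) sends an Access-Request with a random authenticator
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def radius_handle(packet, secret):
    # Steps 3-5: recover the password, check it against the account table, answer with a
    # response whose authenticator is keyed with the shared secret
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    name, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = False
    if name in NT_ACCOUNTS and hidden is not None:
        ok = hmac.compare_digest(unhide_password(hidden, secret, req_auth), NT_ACCOUNTS[name])
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # A real server would return the user's profile as attributes; a Reply-Message stands in here
    body = encode_attrs([(REPLY_MESSAGE, b"profile: constructed example")]) if ok else b""
    header = struct.pack("!BBH", rcode, ident, 20 + len(body))
    return header + response_authenticator(rcode, ident, body, req_auth, secret) + body


def ras_verify_response(packet, ident_sent, req_auth, secret):
    # Step 6 precondition: accept the verdict only if the authenticator proves it came from
    # a party holding the shared secret and it answers the request we actually sent
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20 or ident != ident_sent:
        return None
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return code if hmac.compare_digest(packet[4:20], expected) else None


def exchange(username, password, ras_secret, radius_secret):
    # Full round trip; returns the verified response code, or None if the response fails verification
    request, req_auth = ras_build_request(42, username, password, ras_secret)
    return ras_verify_response(radius_handle(request, radius_secret), 42, req_auth, ras_secret)


if __name__ == "__main__":
    print("good password:", exchange(b"alice", b"correct horse", b"s", b"s"))   # 2 (Accept)
    print("bad password: ", exchange(b"alice", b"wrong", b"s", b"s"))           # 3 (Reject)
    print("secret mismatch:", exchange(b"alice", b"correct horse", b"s", b"t")) # None
```

The last case is the one to notice: when the two sides hold different secrets, the RAS side does not get a Reject, it gets a response it cannot verify at all, which is exactly what a spoofed reply from something other than the RADIUS server would look like.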
Win95 Client Options for Data Encryption
Win95 clients, by default, do not require encrypted authentication. You can
enable encryption by going to Connection Properties and selecting the Server
Types tab. If you check the Allow any authentication including clear text
box on the NT RAS server and leave the Require encrypted password box
unchecked on the Win95 client, the client will use DES encryption because both
the client and server are using RAS. If you dial in to another server (such as
an ISP), the Win95 client can use clear text (PAP) authentication.
Win95 supports PAP and MS-CHAP but not CHAP. If you are using devices that
do not support MS-CHAP (e.g., 3COM's ISDN modems), you must leave the Require
encrypted password box unchecked for Win95 clients, as shown in Screen 2.
You must also leave the Require Microsoft encrypted authentication box
unchecked for the NT client. If the PPP server you are dialing in to supports
CHAP, you need to select Require encrypted authentication for the NT
client. If the server does not support encryption, you need to select Allow
any authentication including clear text.
Security Hosts
A security host is a third-party authentication device that verifies whether
a remote access client has authorization to connect to the RAS server. Various
types of security hosts are available. One type of security host requires that
the user enter the security host's account name and password before gaining
access to the RAS server. The security host checks the account name and the
password against its database. If the user is authenticated, he or she can then
connect to the RAS server for further authentication and access to the network
resources. The security host's account name and password do not have to match
the RAS server's username and password.
Another type of security host consists of two hardware devices: a security
host and a security card. The security host, which sits between the RAS server
and its modem, calculates a different access number every minute. The host
synchronizes the access number with the number displayed on the security card.
The card, which looks like a pocket calculator, remains with the user. When the
user calls in, he or she enters the number displayed on the security card. If the
number matches, the security host lets the user connect to the RAS server. (For
an example of this type of security host, see Ben Rothke, "Token-Based
Security Add-Ons," June 1997.)
Security host verification does not bypass, but rather augments, NT RAS
security. The security host usually sits between the client and the RAS server.
It uses a hardware key for authentication. When clients dial in, the security
host must authenticate them before they can reach the RAS server. After the
security host authenticates clients, the RAS server must also authenticate them.
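The second kind of security host, the one that changes its access number every minute and stays in step with the user's card, is what later became standardized as time-based one-time passwords (RFC 4226 HOTP and RFC 6238 TOTP). The example below is added here and is not code from the article or from any token vendor; it goes beyond the 1997 product by using the standard HMAC-SHA1 construction, which is an assumption about how such a host works, not something the article states. It shows the two things the host side has to get right: tolerating a little clock drift between host and card, and refusing a number that has already been used.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=60, digits=6):
    # What the security card displays: the HOTP value for the current time interval.
    # The article's host changes the number every minute, hence a 60-second step.
    return hotp(secret, int(at) // step, digits)


def security_host_verify(secret, submitted, at, step=60, digits=6, skew=1, used=None):
    # Host-side check. `skew` is how many neighbouring intervals are tolerated for
    # clock drift; `used` (a dict) records the highest interval already accepted so
    # a captured number cannot be replayed within the window.
    counter = int(at) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            if used is not None:
                if c <= used.get("last", -1):
                    return False  # already consumed: replay
                used["last"] = c
            return True
    return False


if __name__ == "__main__":
    card_secret = b"12345678901234567890"  # constructed shared seed for card and host
    now = time.time()
    shown = totp(card_secret, now)
    state = {}
    print("card shows", shown)
    print("first use accepted:", security_host_verify(card_secret, shown, now, used=state))
    print("replay accepted:  ", security_host_verify(card_secret, shown, now, used=state))
```

The shared seed is the real secret here: anyone holding it can compute every future number, so on the host it deserves the same handling as the RAS account database, and a lost card means reseeding, not just a new PIN.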
PPTP and PPP
PPTP creates a secure tunnel between a RAS client and the RAS server. PPTP
uses PPP--a popular industry protocol for dial-up access services that includes
authentication and encryption standards--to provide compressed and encrypted
communication.
PPTP lets clients use the Internet to access a private network. The remote
access client uses a modem or ISDN line to connect to the local ISP. The remote
access client then makes a second RAS connection (this time using PPTP over
TCP/IP) to establish a secure connection to the PPTP RAS server. This
arrangement is a Virtual Private Network (VPN). (For more information about
PPTP, see Douglas Toombs, "Point-to-Point Tunneling Protocol," June
1997.)
An option on the RAS server enables PPTP packet filtering. This option
enhances security because it accepts and routes packets from authenticated users
only. As Screen 3 shows, the Enable PPTP Filtering option is on the RAS server
in the Advanced IP Addressing screen. When you select this option, the server
disables all protocols except PPTP on the network adapter.
With PPTP packet filtering and PPP's encryption standards, only secure,
authorized, encrypted data can enter or leave your VPN. If hackers manage to
capture your IP datagrams when they're traveling over the Internet, the hackers
will not find much useful information to decipher. They might capture
information such as IP headers, media headers, and PPP packets of encrypted
data, but this information will not jeopardize network security.
In addition to using PPTP filtering, you can take advantage of the Enable
Security option. This option lets you control the type of TCP/IP network traffic
that reaches your NT server. You can select which TCP ports, User Datagram
Protocol (UDP) ports, and IP protocols you allow to access your NT server.
PPTP uses TCP port 1723, and the tunneled data uses IP protocol ID 47. You can
use PPTP with most firewalls and routers: you route traffic destined for port
1723 through the firewall or router. PPTP supports TCP/IP, IPX, and NetBEUI
protocols. (Although you can encapsulate all three, you can use only IP as the
transport.)
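The two filtering options above behave differently, and the difference is easy to get wrong when you write the equivalent rules on a firewall in front of the server. The Python example below is added here and is not code from the article or from RRAS; it models the PPTP-only filter and an Enable Security style allow list over a few constructed packet descriptions, and includes a check that a given rule set actually lets a whole PPTP session through. That check treats IP protocol 47 as the tunnel carrier alongside TCP 1723, which follows from the port and protocol numbers the article gives.

```python
from dataclasses import dataclass
from typing import Callable, Optional

TCP, UDP, PROTO_47 = 6, 17, 47   # IP protocol numbers
PPTP_CONTROL_PORT = 1723


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None   # meaningful for TCP and UDP only
    note: str = ""


def pptp_only_filter(pkt: Packet) -> bool:
    # "Enable PPTP Filtering": the adapter passes nothing but the PPTP control
    # connection and the IP protocol 47 tunnel traffic.
    return (pkt.proto == TCP and pkt.dst_port == PPTP_CONTROL_PORT) or pkt.proto == PROTO_47


def security_filter(tcp_ports, udp_ports, ip_protos) -> Callable[[Packet], bool]:
    # "Enable Security": explicit allow lists of TCP ports, UDP ports and IP protocols.
    def rule(pkt: Packet) -> bool:
        if pkt.proto == TCP:
            return pkt.dst_port in tcp_ports
        if pkt.proto == UDP:
            return pkt.dst_port in udp_ports
        return pkt.proto in ip_protos
    return rule


# Constructed traffic: one PPTP session plus stray traffic that should never reach the server
PPTP_SESSION = [Packet(TCP, PPTP_CONTROL_PORT, "PPTP control"), Packet(PROTO_47, None, "tunnel data")]
STRAY = [Packet(TCP, 139, "NetBIOS session"), Packet(UDP, 137, "NetBIOS name"), Packet(UDP, 53, "DNS")]


def session_passes(rule: Callable[[Packet], bool]) -> bool:
    # A rule set is only usable for the VPN if every packet type of a session gets through
    return all(rule(p) for p in PPTP_SESSION)


def trace(rule: Callable[[Packet], bool], packets):
    return [(p.note, rule(p)) for p in packets]


if __name__ == "__main__":
    for note, verdict in trace(pptp_only_filter, PPTP_SESSION + STRAY):
        print(f"PPTP-only filter: {note:16} {'pass' if verdict else 'drop'}")
    # The common mistake: opening TCP 1723 but forgetting IP protocol 47 breaks the tunnel
    print("1723 only, session works:", session_passes(security_filter({1723}, set(), set())))
    print("1723 + proto 47, session works:", session_passes(security_filter({1723}, set(), {PROTO_47})))
```

The last two lines are the practical point: a rule set that opens only port 1723 lets the control connection complete and then drops every tunneled packet, which shows up as clients that authenticate and immediately lose the connection.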
It's Safe
RAS in NT offers a high level of security. RAS can ease any fears that you
might have about remotely accessing a private network, even if you use the
Internet to make that connection. When you use RAS security features and
third-party offerings, remote access is a secure and reliable method to
telecommute.