<p/>
<A NAME="711"><H1>Lesson 1: Understanding the New Authentication Protocols in Windows 2000</H1></A>
<p/>Windows NT version 4 included support for several authentication protocols used to verify the credentials of users connecting to the network. These protocols included the following:<p/>
<ul>
<li>Password Authentication Protocol (PAP)</li>
<li>Challenge Handshake Authentication Protocol (CHAP)</li>
<li>Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)</li>
<li>Shiva Password Authentication Protocol (SPAP)</li>
<li>Point-to-Point Tunneling Protocol (PPTP), which provides tunneling capabilities</li>
</ul>
<p/>Windows 2000 includes support for these and several additional protocols that drastically increase your authentication, encryption, and multilinking options. The new protocols supported by Windows 2000 include Extensible Authentication Protocol (EAP), Remote Authentication Dial-in User Service (RADIUS), Internet Protocol Security (IPSec), Layer-Two Tunneling Protocol (L2TP), and Bandwidth Allocation Protocol (BAP).<p/>
<font class=Quote>After this lesson, you will be able to</font>
<p/>Describe the new protocols supported by Windows 2000.<p/>
<p/><font class=Quote>Estimated lesson time: 15 minutes</font><p/><p/><A NAME="712"><h2>The Extensible Authentication Protocol</H2></A>
<p/>The Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP) that works with dial-up, PPTP, and L2TP clients. EAP allows for an arbitrary authentication mechanism to validate a dial-in connection. The exact authentication method to be used is negotiated by the dial-in client and the remote access server. EAP supports authentication by using the following:<p/>
<ul>
<li><font class=Quote>Generic token cards.</font> A physical card used to provide passwords. Token cards can handle several authentication methods, such as codes that change with each use.</li>
<li><font class=Quote>MD5-CHAP.</font> The Message Digest 5 Challenge Handshake Authentication Protocol. This protocol encrypts user names and passwords with an MD5 algorithm.</li>
<li><font class=Quote>Transport Level Security (TLS).</font> TLS is used for smart card support or other certificates. Smart cards require a card and reader. The smart card electronically stores the user's certificate and private key.</li>
</ul>
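<p/>As an added worked example (not code from the lesson), the following models one MD5-CHAP round between the dial-in client and the remote access server: the server issues a random challenge, the client answers with the RFC 1994 digest, and the server recomputes and compares it. The frame layout follows RFC 2284; the user names, passwords, password store and function names are constructed for this demonstration.<p/>

```python
# Added example, not the lesson's code: one EAP MD5-Challenge round as framed
# in RFC 2284, using the CHAP digest of RFC 1994. Names are this example's own.
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4  # EAP Type value for MD5-Challenge

def md5_chap_response(identifier, secret, challenge):
    """CHAP/EAP-MD5 response = MD5(Identifier || Secret || Challenge). The
    password is hashed with the challenge rather than encrypted, so the server
    must hold a recoverable copy of the password to verify the response."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def eap_packet(code, identifier, payload):
    """Code(1) Identifier(1) Length(2) payload; Length counts the header."""
    return bytes([code, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload

def server_challenge(identifier, challenge):
    """EAP-Request/MD5-Challenge: Type, Value-Size, Value (the random challenge)."""
    return eap_packet(EAP_REQUEST, identifier, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge)

def client_respond(request, password, name):
    """Dial-in client: parse the request and answer with the digest plus its name."""
    code, identifier = request[0], request[1]
    length = int.from_bytes(request[2:4], "big")
    if code != EAP_REQUEST or length != len(request) or request[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    challenge = request[6:6 + request[5]]
    digest = md5_chap_response(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, bytes([EAP_TYPE_MD5, len(digest)]) + digest + name)

def server_verify(response, identifier, challenge, password_db):
    """Remote access server: recompute the digest for the claimed name, compare
    in constant time and answer EAP-Success or EAP-Failure (same Identifier)."""
    fail = eap_packet(EAP_FAILURE, identifier, b"")
    if len(response) < 6 or response[0] != EAP_RESPONSE or response[1] != identifier or response[4] != EAP_TYPE_MD5:
        return fail
    size = response[5]
    digest, name = response[6:6 + size], response[6 + size:]
    secret = password_db.get(name)
    if secret is None or not hmac.compare_digest(digest, md5_chap_response(identifier, secret, challenge)):
        return fail
    return eap_packet(EAP_SUCCESS, identifier, b"")

def run_exchange(password_db, name, password, identifier=7, challenge=None):
    """Drive one full round between the two sides; True on EAP-Success."""
    challenge = challenge or os.urandom(16)  # server picks a fresh random challenge
    request = server_challenge(identifier, challenge)
    response = client_respond(request, password, name)
    return server_verify(response, identifier, challenge, password_db)[0] == EAP_SUCCESS
```

Because the server must recompute the digest from the stored password, an MD5-CHAP deployment needs reversibly stored passwords on the authenticating server, which is the operational cost of this method compared with certificate-based EAP-TLS.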
<p/>By using the EAP application programming interfaces, independent software vendors can supply new client and server authentication modules for technologies such as token cards, smart cards, biometric hardware such as retina scanners, or one-time password systems. EAP allows for the support of authentication technologies that are not yet developed. You can add EAP authentication methods on the Security tab of the remote access server's Properties dialog box.<p/><font class=Quote>NOTE</font> For more information on EAP, see RFC 2284.<p/><A NAME="713"><h2>The Remote Authentication Dial-in User Service</H2></A>
<p/>The diversity of hardware and operating systems in today's enterprise networks requires remote user authentication to be vendor-independent and scalable. Remote Authentication Dial-in User Service (RADIUS) support in Windows 2000 facilitates this kind of user authentication, while providing highly scalable authentication designs for performance and fault-tolerant designs for reliability.<p/>RADIUS provides authentication and accounting services for distributed dial-up networking. Windows 2000 can act as a RADIUS client, a RADIUS server, or both.<p/>A RADIUS client, typically an ISP dial-up server, is a remote access server that receives authentication requests and forwards them to a RADIUS server. As a RADIUS client, Windows 2000 can also forward accounting information to a RADIUS accounting server. You configure RADIUS clients on the Security tab in the remote access server's Properties dialog box.<p/>A RADIUS server validates the RADIUS client request. Windows 2000 Internet Authentication Services (IAS) performs authentication. As a RADIUS server, IAS stores RADIUS accounting information from RADIUS clients in log files. IAS is one of the optional components that you can add during Windows 2000 installation or at a later time through Add/Remove Programs in Control Panel. You can find IAS in Administrative Tools on the Start menu.<p/><font class=Quote>NOTE</font> For additional information on RADIUS, see RFC 2138/2139.<p/><A NAME="714"><h2>The Internet Protocol Security</H2></A>
<p/>Internet Protocol Security (IPSec) is a set of security protocols and cryptographic protection services for ensuring secure private communications over IP networks. IPSec provides aggressive protection against private network and Internet attacks while retaining ease of use. Clients negotiate a security association (SA) that acts as a private key to encrypt the data flow.<p/>You can use IPSec policies, rather than applications or operating systems, to configure IPSec security services. The policies provide variable levels of protection for most traffic types in most existing networks. Your network security administrator can configure IPSec policies to meet the security requirements of a user, group, application, domain, site, or global enterprise.<p/>Windows 2000 provides an administrative interface, IP Security Policy Management, to create and manage IPSec policies (centrally at the group policy level for domain members, or locally on a nondomain computer). IP Security Policy Management is a snap-in that you can add to any custom console created with the MMC. Configuring IPSec policies is beyond the scope of this course.<p/><font class=Quote>NOTE</font> Security mechanisms for IP are defined in RFC 1825.<p/><A NAME="715"><h2>The Layer Two Tunneling Protocol</H2></A>
<p/>The Layer Two Tunneling Protocol (L2TP) is similar to PPTP in that its primary purpose is to create an encrypted tunnel through an untrusted network. L2TP differs from PPTP in that it provides tunneling but not encryption. L2TP provides a secure tunnel by cooperating with other encryption technologies such as IPSec. IPSec doesn't require L2TP, but its encryption functions complement L2TP to create a secure VPN solution.<p/>Both PPTP and L2TP use PPP to provide an initial envelope for the data and then append additional headers for transport through the transit internetwork. Some of the key differences between PPTP and L2TP are as follows:<p/>
<ul>
<li>PPTP requires an IP-based transit internetwork. L2TP requires only that the tunnel media provide packet-oriented, point-to-point connectivity. L2TP can use User Datagram Protocol (UDP), Frame Relay permanent virtual circuits (PVCs), X.25 VCs, or asynchronous transfer mode (ATM) VCs to operate over an IP network.</li>
<li>L2TP supports header compression; PPTP does not. When header compression is enabled, L2TP operates with 4 bytes of overhead, as compared with 6 bytes for PPTP.</li>
<li>L2TP supports tunnel authentication, while PPTP does not. However, when either PPTP or L2TP is used in conjunction with IPSec, IPSec provides tunnel authentication so that layer two tunnel authentication isn't necessary.</li>
<li>PPTP uses PPP encryption. L2TP requires IPSec for encryption.</li>
</ul>
<A NAME="716"><h2>The Bandwidth Allocation Protocol</H2></A>
<p/>In Windows NT 4, Remote Access Service (RAS) supports basic Multilink capabilities. It allows the combining of multiple physical links into one logical link. Typically, two or more Integrated Services Digital Network (ISDN) lines or modem links are bundled together for greater bandwidth.<p/>In Windows 2000, Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) enhance multilinked devices by dynamically adding or dropping links on demand. BAP is especially valuable to operations that have carrier charges based on bandwidth use. BAP and BACP are sometimes used interchangeably to refer to bandwidth-on-demand functionality. Both protocols are PPP control protocols and work together to provide bandwidth on demand. BAP provides an efficient mechanism for controlling connection costs while dynamically providing optimum bandwidth.<p/>You can enable multilink and BAP protocols on a serverwide basis from the PPP tab of each remote access server's Properties dialog box. You configure BAP settings through remote access policies. Using these policies, you can specify that an extra line is dropped if link use drops below 75 percent for one group and below 25 percent for another group. Remote access policies are described later in this chapter.<p/><font class=Quote>NOTE</font> For more information on PPP Multilink, see RFC 1990. For more information on BAP/BACP, see RFC 2125.<p/><A NAME="717"><h2>Lesson Summary</H2></A>
<p/>In this lesson, you learned that Windows NT version 4 included support for several authentication protocols used to verify the credentials of users connecting to the network. These protocols included the following: PAP, CHAP, MS-CHAP, SPAP, and PPTP, which provides tunneling capabilities.<p/>You also learned that Windows 2000 includes support for these and several additional protocols that drastically increase your authentication, encryption, and multilinking options. These include EAP, an extension to PPP that works with dial-up, PPTP, and L2TP clients; RADIUS, which allows user authentication to be vendor-independent and provides highly scaleable authentication designs for performance and fault-tolerant designs for reliability; IPSec, a framework of open standards for ensuring secure private communications over IP networks by using cryptographic security services; L2TP, which is similar to PPTP in that its primary purpose is to create an encrypted tunnel through an untrusted network, but different from PPTP in that it provides tunneling but not encryption; and BAP and BACP, which enhance multilinked devices by dynamically adding or dropping links on demand.<p/>