Virtual Private Networks (Tunnels)

Transcript of the slide deck "Virtual Private Networks (Tunnels)" (23 slides).

Page 1: Virtual Private Networks (Tunnels)

Page 2: When Are VPN Tunnels Used?

VPN with PPTP tunnel. Used if:
- All routers support VPN tunnels
- You are using MS-CHAP or EAP-TLS
- Router authentication uses user-based certificates

VPN with L2TP tunnel. Used if:
- All routers support VPN tunnels
- Router authentication uses computer-based certificates or user-based certificates
Page 3: Components of Remote Connectivity

[Diagram: Network Access Server (VPN or Dial-Up) providing the network access service; network access clients: Dial-up Client, VPN Client, Wireless Client via a Wireless Access Point; authentication service: IAS (RADIUS) Server and Domain Controller, Active Directory (not required); DHCP Server]
Page 4: Configuration Requirements for a Network Access Server

A network access server is a server that acts as a gateway to a network for a client.

To configure the network access server, you will need to know:
- Whether the server will also act as a router
- Authentication methods and providers
- Client access IP address assignment
- PPP configuration options
- Event logging preferences
Page 5: What Is a Network Access Client?

Type of Client | Description
VPN Client | Connects to a network across a shared or public network; emulates a point-to-point link on a private network
Dial-up Client | Connects to a network by using a communications network; creates a physical connection to a port on a remote access server on a private network; uses a modem or ISDN adapter to dial in to the remote access server
Wireless Client | Connects to a network by infrared light and radio frequency technologies; includes many different types of devices
Page 6: What Are Network Access Authentication and Authorization?

[Diagram: Network Access Client, Network Access Server, Domain Controller]

1. Authentication: verifies a remote user's identification to the network service that the remote user is attempting to access (interactive logon)
2. Authorization: verifies that the connection attempt is allowed; authorization occurs after a successful logon attempt
Page 7: Available Methods of Authentication

Remote and wireless authentication methods include:
- CHAP
- PAP
- SPAP
- MS-CHAP
- MS-CHAP v2
- EAP-TLS
- PEAP
- MD-5 Challenge

Recommended method for user authentication is by using smart card certificates
Page 8: How a VPN Connection Works

A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link

[Diagram: VPN Client, VPN Server, Domain Controller]

1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server authenticates and authorizes the client
4. VPN server transfers data
Page 9: Components of a VPN Connection

[Diagram: VPN Client and VPN Server joined by a VPN Tunnel (tunneling protocols, tunneled data) across a Transit Network; DHCP Server for address and name server allocation; Domain Controller for authentication]
Page 10: Encryption Protocols for a VPN Connection

[Diagram: Examples of Remote Access Server using L2TP/IPSec: Remote User to Corp Net; Branch Office to Branch Office]

Category | Description
PPTP | Employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption
L2TP/IPSec | Employs user-level PPP authentication methods over a connection that is encrypted with IPSec

Recommended authentication method for VPN network access is L2TP/IPSec with certificates
Page 11: Configuration Requirements for a VPN Server

Before adding a remote access / VPN server:
- Identify which network interface connects to the Internet and which network interface connects to your private network
- Identify whether clients receive IP addresses from a DHCP server or the VPN server
- Identify whether to authenticate connection requests by RADIUS or by the VPN server
Page 12: How Dial-up Network Access Works

Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider

[Diagram: Dial-up Client, Remote Access Server, Domain Controller]

1. Dial-up client calls the RA server
2. RA server answers the call
3. RA server authenticates and authorizes the client
4. RA server transfers data
Page 13: Components of a Dial-up Connection

[Diagram: Dial-up Client connected to a Remote Access Server over WAN options (Telephone, ISDN, X.25, or ATM) using LAN and remote access protocols; DHCP Server for address and name server allocation; Domain Controller for authentication]
Page 14: Authentication Methods for a Dial-up Connection

[Diagram: Remote Access User and Remote Access Server, Mutual Authentication]

Authentication methods for dial-up include:
- CHAP
- PAP
- SPAP
- MS-CHAP
- MS-CHAP v2
- EAP-TLS
- EAP-MD5 Challenge

Strongest method: EAP-TLS with smart cards
Page 15: Configuration Requirements for a Remote Access Server

Before adding a remote access server for dial-up access:
- Identify whether clients receive IP addresses from a DHCP server or the remote access server
- Identify whether to authenticate connection requests by RADIUS or by the remote access server
- Verify that users have user accounts configured for dial-up access
Page 16: Overview of Wireless Network Access

[Diagram: Wireless Client, Wireless Access Point, Network Access Server, IAS Server, DHCP Server, Domain Controller]

A wireless network uses technology that enables devices to communicate by using standard network protocols and electromagnetic waves, not network cabling, to carry signals over part or all of the network infrastructure

Standard | Description
Infrastructure WLAN | Clients connect to wireless access points
Peer-to-peer WLAN | Network wireless clients communicate directly with each other without the use of cables
Page 17: Components of a Wireless Connection

[Diagram: Wireless Client (Station) attached to a Wireless Access Point (ports); Remote Access Server; DHCP Server for address and name server allocation; Domain Controller for authentication]
Page 18: Wireless Standards

Standard | Description
802.11 | A group of specifications for WLANs developed by IEEE; defines the physical and MAC portion of the OSI data-link layer
802.11b | 11 megabits per second; good range but susceptible to radio signal interference; popular with home and small business users
802.11a | Transmission speeds as high as 54 Mbps; allows wireless LAN networking to perform better for video and conferencing applications; works well in densely populated areas; is not interoperable with 802.11, 802.11b, 802.11g
802.11g | Enhancement to and compatible with 802.11b; 54 Mbps but at shorter ranges than 802.11b
802.1x | Authenticates clients before it lets them on the network; can be used for wireless or wired LANs; requires greater hardware and infrastructure investment
Page 19: Authentication Methods for Wireless Networks

802.1x Authentication Method | Description
EAP-MS-CHAP v2 | Provides mutual authentication; uses certificates for server authentication and password-based credentials for client authentication
EAP-TLS | Provides mutual authentication and is the strongest method of authentication and key determination; uses certificates for both server and client authentication
PEAP | Provides support for EAP-TLS and EAP-MS-CHAP v2; encrypts the negotiation process
Page 20: Lesson: Centralizing Network Access Authentication and Policy Management by Using IAS

- What Is RADIUS?
- What Is IAS?
- How Centralized Authentication Works
- How to Configure an IAS Server for Network Access Authentication
- How to Configure the Remote Access Server to Use IAS for Authentication
Page 21: What Is RADIUS?

RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access

- RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks
- Use RADIUS to manage network access centrally across many types of network access
- RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies
Page 22: What Is IAS?

IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections

[Diagram: RADIUS Server]

You can configure IAS to support:
- Dial-up corporate access
- Extranet access for business partners
- Internet access
- Outsourced corporate access through service providers
Page 23: How Centralized Authentication Works

[Diagram: Client, RADIUS Client (Remote Access Server), RADIUS Server, Domain Controller]

1. Client dials in to a local RADIUS client to gain network connectivity
2. RADIUS client forwards requests to a RADIUS server
3. RADIUS server authenticates requests and stores accounting information
4. RADIUS server communicates to the RADIUS client to grant or deny access