Windows Server VPN Authentication Protocols

VPN Authentication Methods

A VPN (Virtual Private Network) is a technology that offers a secure way to establish communication channels between devices over the public Internet. As a concept, VPN offers three main features: encapsulation, authentication and encryption. These features play an important role because they ensure data is not compromised by a potential attacker. In a common VPN scenario, a client connects to a VPN server or a dedicated VPN device to establish a secure tunnel to the destination network. Before the client can access network resources, the VPN server must first authenticate the connection.

There are several authentication protocols supported by Windows Server 2012 or 2008. The server will always try to use the strongest authentication method and then proceed with the others if the process is not successful. In this article I will summarize the authentication protocols used with Windows Server editions and look at the differences between them.
   EAP-TLS (Extensible Authentication Protocol – Transport Layer Security) – one of the most secure authentication protocols in use today, built on TLS (Transport Layer Security). It can be implemented on a Windows Server 2008 or 2012 that is part of an Active Directory infrastructure. EAP-TLS can be used by VPN clients authenticating with either smart cards or certificates. It offers secure authentication because each client must store a valid X.509 certificate. This means that besides the client’s password, an attacker must get access to the private key of the certificate in order to infiltrate the network. If your company decides to store certificates on smart cards, you increase network security even further because smart cards can be compromised only by physical theft. Within the corporate network you would need to deploy a Certificate Authority to issue digitally signed certificates for VPN clients.
   MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) – this authentication protocol is enabled by default on Windows Server editions. MS-CHAP v2 offers a two-way authentication mechanism which verifies the identity of both the VPN server and the VPN client. Both parties authenticate with each other by using two different cryptographic keys. Unlike EAP-TLS, which relies on digital certificates, MS-CHAP v2 uses a unique session identifier and the user credentials to generate encryption keys.
   CHAP (Challenge Handshake Authentication Protocol) – an older authentication protocol that uses the MD5 hash algorithm for authentication requests. The VPN server sends a challenge to the VPN client, which in turn responds with an MD5 hash computed over the challenge and the user’s password. The VPN server calculates the user’s hash locally and compares the result with the hash received from the VPN client. If the two hashes match, the user is granted network access. You should use this authentication mechanism if EAP-TLS is not supported within your network.
   EAP-MD5 CHAP (EAP-Message Digest 5 Challenge Handshake Authentication Protocol) – a version of CHAP that takes advantage of the EAP framework. It offers encryption of authentication data using MD5 hashing. It has many weaknesses and is known to be vulnerable to dictionary attacks. It authenticates the client to the server but not the other way around, which is why EAP-MD5 CHAP is vulnerable to man-in-the-middle attacks. It was used with older Windows Server editions and should not be used anymore.
   SPAP and PAP – two simple authentication protocols that are not widely used since they rely on basic authentication mechanisms and are susceptible to external attacks. PAP sends plain-text passwords to the server for authentication. With SPAP the password is encrypted before it’s sent to the server. SPAP uses a two-way encryption algorithm, but it’s not a secure authentication protocol. You should not use these two protocols for VPN authentication.
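
The CHAP challenge/response exchange described in the list above, as an added example that is not part of the original article: a Python model of both sides showing why the server needs a fresh challenge per attempt. It assumes the RFC 1994 hash input (identifier octet, shared secret, challenge); the `ChapServer` class, the user name and the password are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over identifier octet || shared secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Server side (hypothetical class): issues challenges, verifies responses."""
    def __init__(self, users: dict):
        self.users = users      # username -> password; the server must hold it to recompute
        self.pending = {}       # username -> (identifier, challenge) awaiting a response
        self.next_id = 0

    def issue_challenge(self, username: str):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256    # identifier is a single octet
        challenge = os.urandom(16)                 # unpredictable, new for every attempt
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        issued = self.pending.pop(username, None)  # pop: each challenge is single-use
        secret = self.users.get(username)
        if issued is None or secret is None or issued[0] != identifier:
            return False
        # Recompute the hash locally and compare in constant time.
        expected = chap_response(identifier, secret, issued[1])
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-sample-password"      # constructed sample data
    server = ChapServer({"alice": password})
    ident, chal = server.issue_challenge("alice")
    good = chap_response(ident, password, chal)
    results = {"correct_password": server.verify("alice", ident, good)}
    # The same response sent again: its challenge has already been consumed.
    results["replayed_same_challenge"] = server.verify("alice", ident, good)
    ident2, _ = server.issue_challenge("alice")
    results["old_response_new_challenge"] = server.verify("alice", ident2, good)
    ident3, chal3 = server.issue_challenge("alice")
    bad = chap_response(ident3, b"wrong-password", chal3)
    results["wrong_password"] = server.verify("alice", ident3, bad)
    return results

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the correct password against the current challenge is accepted; a captured response is useless once the server has moved on to a new challenge.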
These are the VPN authentication protocols that can be used with Windows Server editions. Whenever possible, choose the strongest algorithm to ensure data confidentiality against outside attacks. I hope you find this article interesting and use it to enhance your Windows Server VPN knowledge. Wish you all the best and stay tuned for the following articles.
