The VPN server can be configured to use either Windows or RADIUS as its authentication provider. If Windows is selected as the authentication provider, the credentials sent by users attempting VPN connections are authenticated using the usual Windows authentication mechanisms, and the connection attempt is authorized using the VPN client's user account properties and local remote access policies.
If Remote Authentication Dial-In User Service (RADIUS) is selected and configured as the authentication provider on the VPN server, the user credentials and the parameters of the connection request are sent as RADIUS request messages to a RADIUS server.
The RADIUS server receives the user-connection request from the VPN server and authenticates and authorizes the connection attempt. In addition to a yes or no response to an authentication request, RADIUS can inform the VPN server of other connection parameters that apply to this user, such as maximum session time, static IP address assignment, and so on.
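To make the RADIUS exchange described above concrete, here is an added example (not code from the original post or from Microsoft) that builds an Access-Request the way a VPN server acting as a RADIUS client would, and answers it the way a RADIUS server would. It follows the RFC 2865 wire format: a 20-byte header (Code, Identifier, Length, 16-byte Request Authenticator) followed by type-length-value attributes; the User-Password attribute is obscured by XORing it with MD5(shared secret + Request Authenticator), and the reply carries a Response Authenticator that the client checks so a forged Access-Accept from someone without the shared secret is not trusted. The shared secret, user database and usernames are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example only; a real deployment keeps these in its own configuration.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"alice": b"correct horse battery staple"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def encode_user_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    pad = 16 if not password else (-len(password)) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, request_auth: bytes, secret: bytes) -> bytes:
    padded, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        padded += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return padded.rstrip(b"\x00")  # strips the NUL padding


def pack_attrs(attrs):
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def response_authenticator(code, ident, request_auth, attrs_bytes, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_build_access_request(username: str, password: bytes, secret: bytes, ident: int = 0) -> bytes:
    """What the VPN server (the NAS) sends: a fresh random Request Authenticator plus the obscured password."""
    request_auth = os.urandom(16)
    attrs = pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_user_password(password, request_auth, secret)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server_handle(packet: bytes, secret: bytes, user_db) -> bytes:
    """What the RADIUS server does: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    ok = hmac.compare_digest(user_db.get(username, b"\x00"), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real server would add Framed-IP-Address, Session-Timeout, etc. here
    return build_packet(reply_code, ident, response_authenticator(reply_code, ident, request_auth, reply_attrs, secret), reply_attrs)


def nas_verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """The NAS only trusts a reply whose Response Authenticator was computed with the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20]) and ident == request[1]


def authenticate(username: str, password: bytes, secret: bytes = SHARED_SECRET, user_db=USER_DB) -> bool:
    """Full round trip: NAS -> RADIUS server -> NAS. Returns True on Access-Accept."""
    request = nas_build_access_request(username, password, secret)
    reply = radius_server_handle(request, secret, user_db)
    if not nas_verify_reply(reply, request, secret):
        raise ValueError("reply authenticator mismatch: wrong shared secret or forged reply")
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice/correct:", authenticate("alice", b"correct horse battery staple"))
    print("alice/wrong:  ", authenticate("alice", b"wrong"))
```

Two things worth noticing from running it: the User-Password hiding is only as strong as the shared secret and MD5, which is why RADIUS traffic between the VPN server and the RADIUS server is normally kept on a protected network or tunnelled; and the Response Authenticator is what lets the VPN server detect a reply produced with the wrong secret, which is the mismatch the `authenticate` function raises on.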
The VPN server can be configured to use either Windows or RADIUS as its accounting provider. If Windows is selected as the accounting provider, the accounting information accumulates in log files on the VPN server for later analysis. Logging options can be specified from the properties of the Local File or SQL Server objects in the Remote Access Logging folder in the Routing and Remote Access snap-in. If RADIUS is selected, RADIUS accounting messages are sent to the RADIUS server for accumulation and later analysis.
Most RADIUS servers can be configured to place authentication request records into an accounting file. Many third parties have written billing and audit packages that read RADIUS accounting records and produce various useful reports.
The VPN server can be managed using industry-standard network management protocols. The computer acting as the VPN server can participate in a Simple Network Management Protocol (SNMP) environment as an agent if the Windows Server 2003 SNMP service is installed. The VPN server records management information in various object identifiers of the Internet Management Information Base (MIB) II, which is installed with the Windows Server 2003 SNMP service.
Authentication Protocols:
PAP
Password Authentication Protocol is a clear-text authentication scheme. PAP provides no protection against replay attacks or remote client impersonation once the user's password is compromised.
SPAP
The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva Corporation. This form of authentication is more secure than plain text.
CHAP
Challenge Handshake Authentication Protocol (CHAP) is an encrypted authentication mechanism that prevents transmission of the actual password on the connection. The remote client uses the MD5 one-way hashing algorithm to return the user name together with a hash of the challenge, the session ID and the client's password. The user name is sent as plain text.
MS-CHAP
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an encrypted authentication mechanism very similar to CHAP. MS-CHAP also provides additional error codes, including a password-expired code, and additional encrypted client-server messages that permit users to change their passwords during the authentication process. In MS-CHAP, both the client and the NAS independently generate a common initial encryption key for subsequent data encryption by MPPE.
MS-CHAP v2
MS-CHAP version 2 (MS-CHAP v2) is an updated encrypted authentication mechanism that provides stronger security for the exchange of user name and password credentials and determination of encryption keys. With MS-CHAP v2, the NAS sends a challenge to the client that consists of a session identifier and an arbitrary challenge string. The NAS checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user's password. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
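The CHAP description above (hash of challenge, session identifier and password; user name in the clear) can be turned into a runnable handshake. The following is an added example, not code from the original post or from Microsoft, implementing RFC 1994 CHAP with MD5: the response value is MD5(Identifier || secret || Challenge). The authenticator side issues a fresh random challenge for each attempt and accepts each challenge only once, which is what gives CHAP the replay resistance that PAP lacks. The user database and names are constructed for this example; note that the authenticator must hold the plaintext password (or a reversibly encrypted copy), which is the storage trade-off CHAP carries.

```python
import hashlib
import hmac
import os

# Constructed credential store for this example. CHAP needs the authenticator to
# know the plaintext password, so protecting this store is part of the design.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (the NAS or its RADIUS back end): issues challenges and verifies responses."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}   # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        """Issue a new single-use challenge; the identifier plays the role of the session ID."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # the CHAP Identifier is one octet
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the expected hash from the stored password and compare in constant time."""
        value = self.pending.pop(identifier, None)  # each challenge is consumed on first use
        if value is None:
            return False                            # unknown or already-used identifier
        secret = self.user_db.get(name)
        if secret is None:
            return False                            # unknown user; the name itself travelled in clear text
        return hmac.compare_digest(chap_response(identifier, secret, value), response)


def chap_client_respond(identifier: int, challenge: bytes, name: str, secret: bytes):
    """Client side: the wire message carries the identifier, the hash and the plain-text name, never the password."""
    return identifier, name, chap_response(identifier, secret, challenge)


def run_handshake(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """One complete Challenge -> Response -> Success/Failure exchange."""
    identifier, value = auth.challenge()
    identifier, name, response = chap_client_respond(identifier, value, name, secret)
    return auth.verify(identifier, name, response)


def stale_response_is_rejected(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Demonstrates the replay protection: a response that was valid for one challenge
    is presented against a fresh challenge and must be refused."""
    old_id, old_value = auth.challenge()
    _, _, old_response = chap_client_respond(old_id, old_value, name, secret)
    assert auth.verify(old_id, name, old_response)          # the genuine exchange succeeds
    new_id, _new_value = auth.challenge()
    return not auth.verify(new_id, name, old_response)      # the reused hash no longer matches


if __name__ == "__main__":
    auth = ChapAuthenticator(USER_DB)
    print("alice, correct password:", run_handshake(auth, "alice", USER_DB["alice"]))
    print("alice, wrong password:  ", run_handshake(auth, "alice", b"wrong"))
    print("stale response refused: ", stale_response_is_rejected(auth, "alice", USER_DB["alice"]))
```

The same shape (challenge, hash over challenge plus secret, single-use verification) underlies MS-CHAP and MS-CHAP v2 described above; they differ in the hash construction, the added peer challenge and the derivation of MPPE encryption keys, not in the basic challenge-response idea shown here.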
Source: http://technet.microsoft.com/en-us/library/cc779919(WS.10).aspx#w2k3tr_vpn_how_xokw
grt