Windows Server 2003 Network Access Authentication Methods


Network Access Authentication Methods: When it comes to the authentication side of the process, you have many options available to you. Always choose the strongest method that does not pose an undue burden on the network and your users.

The recommended method for authentication is smart cards, which use a certificate-based system. In order to use that method, however, you need to have a PKI (public key infrastructure) in place, install a computer certificate on the server providing remote access, configure the Smart Card or other TLS (transport layer security) EAP (extensible authentication protocol) in the remote access policy, be able to USE remote access policies, and configure Smart Card authentication on all remote access clients that will use that method. Sounds like a lot? It is, but when you consider that it is by far the most secure access method, it is easily worth it.

In addition to EAP/TLS, the following authentication methods are supported:
CHAP
PAP
SPAP
MS-CHAP
MS-CHAPv2
PEAP
MD-5 Challenge.

CHAP stands for Challenge Handshake Authentication Protocol. It is probably the most widely supported, though not all that secure. PAP stands for Password Authentication Protocol. A major drawback to this method is that the passwords are sent in plain text, which means that anyone with a sniffer between the client and the server can capture the password. SPAP stands for Shiva Password Authentication Protocol, and is used by Shiva LANRover systems primarily. The password is encrypted, though lightly.

MS-CHAP stands for Microsoft Challenge Handshake Authentication Protocol. It is supported by Microsoft clients only, and then only from Windows 95 and up.
MS-CHAPv2 is the later version of the Microsoft Challenge Handshake Authentication Protocol, and is the default for Windows 2000 and later operating systems.
PEAP is Protected Extensible Authentication Protocol. It is used with 802.1x wireless systems. Of note is that access is granted based on user identity, rather than on a certificate. It also improves the encryption security for wireless networks.
MD-5 Challenge is Message Digest-5, and is used by EAP systems to provide authentication using standard name/password combinations.

You keep seeing this EAP character, too! EAP is Extensible Authentication Protocol, and extensible is just that. It provides a framework or infrastructure on which custom authentication solutions, such as PEAP, can be developed and implemented.

Now that we have covered the authentication protocols that can be used, let's explore the network access methods themselves. Remember that we have three methods to work from:
Dial-up
VPN
Wireless.

Pop Quiz
Pop Quiz Questions
1. What can be done to block network attacks on a Windows Server 2003?
2. Name three network access clients.
3. If you want to implement a Smart Card-based authentication method, what do you have to have in place first?
4. Which authentication method is supported by Windows 2000 clients and higher?
5. What does the acronym RADIUS stand for on a Windows Server 2003?

Pop Quiz Answers
1. Packet filtering is used to control traffic through a router so it can be a security defense against network attacks.
2. The three network access clients are: VPN, VPN Client using PPTP or L2TP or a dial up client.
3. You need to have a PKI (public key infrastructure) set up, install a computer certificate on the server providing the remote access, configure the Smart Card or other TLS (transport layer security) EAP (extensible authentication protocol) in the remote access policy, be able to USE remote access policies, and configure Smart Card authentication on all remote access clients that will use that method.
4. MS-CHAPv2 is the default authentication method and is supported by Windows 2000 and Windows XP client operating systems.
5. The RADIUS acronym stands for Remote Authentication Dial-In User Service and is used for remote access on a Windows Server 2003.

Deborah Timmons is a Microsoft Certified Trainer and Microsoft Certified Systems Engineer. She came into the Microsoft technical field after six years in the adaptive technology field, providing technology and training for persons with disabilities. She is the President and co-owner of Integrator Systems Inc.
