CHAPTER 21

                             CONFIGURING REMOTE ACCESS

 

 

Lesson 1:  Understanding the New Authentication Protocols in 

Windows 2000

 

The extensible Authentication Protocol (EAP) is an extension to the Point-to-Point protocol (PPP)

that works with dial-up, PPTP, and L2TP clients.  EAP allows for arbitrary authentication mechanism

to validate a dial-in client and remote access server.  EAP supports authentication by using the following:

 

Generic token cards.  A physical card used to provide passwords. 

MD5-CHAP.  The Message Digest 5 Challenge Handshake Authentication Protocol.  This protocol

encrypts user names and passwords with an MD5 algorithm.

 

Transport Level Security (TLS).  TLS is used for smart card support or other certificates.  Smart cards

require a card and reader.  The smart card electronically stores the user’s certificate and private key.

 

By using the EAP application programming interfaces, independent software vendors can supply new

client and server authentication modules for technologies such as token cards, smart cards, biometric

hardware such as retina scanners, or one-time password systems.

 

Passwords can be sent encrypted, or clear text.  A Key is what is used to encrypt a file.

 

 

The Remote Authentication Dial-in User Service

 

The  diversity of hardware and operating systems in today’s enterprise networks requires remote

user authentication to be vendor-independent and scaleable.  Remote Authentication Dial-in User

Services (RADIUS) support in Windows 2000 facilitates this kind of user authentication, while

providing highly scaleable authentication designs for performance and fault-tolerant designs for reliability.

 

RADIUS provides authentication and accounting services for distributed dail-up networking.  Windows

2000 can act as a RADIUS client, a RADIUS server or both.

 

A RADIUS server validate the RADIUS client request.  Windows 2000 Internet Authentication

Services (IAS) performs authentication.

 

RADIUS is compatible, it authenticates user login no matter where you logon.  Faster logon, only

one central spot for the clients to logon.

 

 

 

 

======================================================================

 

winpro21.html                                                 PAGE 2                                                       2001/12/19

 

 

 

Internet Protocol Security

 

Internet Protocol Security is a set of security protocols and cryptographic protection services for

ensuring secure private communications over IP networks.

 

The Layer Two Tunneling Protocol

 

L2TP is similar to PPTP in that its primary purpose is to create an encrypted tunnel through an

untrusted network.  L2TP differs from PPTP in that it provides tunneling but not encryption.

 

 

Some of the Key differences between PPTP and L2TP are as follows:

 

•   PPTP requires an IP-based transit internetwork.L2TP requires only that the tunnel

media provide packet-oriented, point-to-point connectivity.

•   L2TP supports header compression; PPTP does not.
•   L2TP support tunnel authentication, while PPTP does not.
•   PPTP uses PPP encryption.  L2TP requires IPSec for encryption.

 

 

The Bandwidth Allocation Protocol

 

In Windows NT 4, Remote Access Service (RAS) supports basic Multilink capabilities.

You can enable multilink and BAP protocols on a serverwide basis from the PPP tab of each

remote access server’s Properties.

 

 

 

Lesson Summary:

 

•   The protocols that provide tunneling capabilities are:
•   PAP, CHAP, MS-CHAP, SPAP, and PPTP.
•   Windows 2000 includes support for these and several additional protocols that

drastically increase your authentication, encryption, and multilinking options.

•   EAP, and extension of PPP that works with dial-up, PPTP, and L2TP clients.
•   RADIUS which allows user authentication to be vendor-independent and provides

highly scaleable authentication designs for performance and fault-tolerant designs for

reliability.

•   BAP and BACP, which enhance multilinked devices by dynamically adding or

dropping links on demand.

 

 

 

======================================================================

 

winpro21.html                                                 PAGE 3                                                       2001/12/14

 

 

 

Lesson 2:  Configuring Inbound Connections

 

Inbound connections are one of the types of network connections that you can create by using the

Network Connection Wizard.

 

To configure and administer inbound connections on a computer running Windows 2000 Professional,

you use the Network Connection wizard.  To access the Network Connection wizard, Start/Settings/

Network and Dial-up Connections/Double Click Make Connection.

 

 

Configuring Devices for Incoming Connections

 

 

Once you have selected Incoming Connections, click Next.  The devices for Incoming Connections

page appears, so you can choose one of the available devices on your computer to accept incoming

calls.

 

 

Selecting Networking Components

 

After you specify the callback options, you are ready to choose the networking components you

want to enable for incoming connections.  You can all install additional networking components by

clicking Install.  Select the Protocol, insert the Windows 2000 Professional CD-ROM in the CD-ROM

drive, then click OK.  Windows 2000 installs the protocol.

 

 

Lesson Summary:

 

•   You can configure inbound connections with the Windows 2000 Professional Network

Connection Wizard.

•   You can click the properties, to configure them.

 

 

Lesson 3: Configuring Outbound Connections

 

Dial-up connections include outbound dial-up connections to either a private network or to an ISP.

 

 

 

 

=======================================================================

 

winpro21.html                                                 PAGE 4                                                         2001/12/14

 

 

 

•   I want to Sign up for a New Internet Account.  You must choose the ISP you want.
•   I want to Transfer my Existing Internet Account to this Computer.
•   I want to set up my Internet Account Manually, or I want to connect through a local

area Network (LAN).

 

 

NOTE:  To configure internet connection sharing, ensure that Enable Internet Connection Sharing

for This connection is selected on the Sharing tab of the connection’s properties.

 

 

 

Connections to a Virtual Private Network

 

A VPN is a network that is created by using tunneling protocols such as PPTP or L2TP to create

secure connections across an untrusted network.  To create a new VPN connection, you also use

the Network Connection wizard.  On the Network Connection Type page, click Connect to a

private Network through the Internet.

 

 

Direct Connections to Another Computer Through a Cable:

 

 

• If your computer will be the host for the connection, click Host.
• If your computer will be the guest for the connection, click Guest.

 

 

Lesson Summary:

 

•   Understanding the options found in the wizard will help you to configure the three

basic types of outbound connections efficiently.

•   The three types of outbound connections are dial-up connections, Connections to

VPN, and direct connections to another computer through a cable.

•   You cannot take encrypted files into another country.
•   Site/group/domain or global enterprise the the IPSec policies.
•   Start/Administrative Tools/Local Security Settings
•   Tunneling can be accessed by the Internet.
•   L2TP does not do the encryption, IPSec does it for it.  L2TP was created after

PPTP.

•   The Envelope analogy is a good way to describe it.  You can send it to several

different addresses.

•   PPTP uses PPP encryption.  L2TP requires Ipsec for encryption.
•   Bandwidth, you can have pay as you go bandwidth to save money.
•   Dynamic Bandwidth, assigned bandwidth to users as required.
•   Do not allow Call Back, is used for security purposes.