
NETWORK ACCESS SOLUTIONS
Troubleshooting Remote Access

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | ondrej@sevecek.com | www.sevecek.com


Network Access Technologies

VPN: SMB/SQL/LDAP/DCOM are sensitive to RTT

Remote Desktop: no clipboard, no file proliferation, limited malware surface

802.1x (WiFi or Ethernet): no encryption, authorization only

DirectAccess: GPO-managed IPSec tunnel over IPv6

Web Application Proxy: HTTPS reverse proxy for web applications

VPN Scenario (diagram): VPN Client -> VPN Gateway -> internal DC, FS, SQL, RADIUS, SharePoint, RDP


DA Scenario (diagram): DA Client -> DA Server -> internal DC, FS, SQL, RADIUS, SharePoint, RDP, workstations (Wks)

RDP Scenario (diagram): RDP Client -> RDP Gateway -> internal DC, FS, SQL, RADIUS, SharePoint, RDP, Wks


802.1x WiFi Scenario (diagram): WiFi Client -> WiFi AP -> internal DC, FS, SQL, RADIUS, SharePoint, RDP

802.1x Ethernet Scenario (diagram): Wks -> Switch -> internal DC, FS, SQL, RADIUS, SharePoint, RDP, Wks, Printer


WAP Scenario (diagram): Web browser or GUI client -> Web Application Proxy -> AD FS, DC, Exchange, Web, Lync, SharePoint

VPN Compared

PPTP
  Transport:           TCP 1723, IP GRE
  Client:              MS-DOS and newer
  RRAS Server:         NT 4.0 and newer
  Server Requirements: -
  Client Requirements: -

L2TP
  Transport:           UDP 500, 4500, IP ESP
  Client:              NT 4.0, 98 and newer
  RRAS Server:         2000 and newer
  Server Requirements: IPSec certificate, public name, public IP
  Client Requirements: IPSec machine certificate

SSTP
  Transport:           TCP 443, TLS
  Client:              Vista/2008 and newer
  RRAS Server:         2008 and newer
  Server Requirements: TLS certificate, public name
  Client Requirements: -

IKEv2
  Transport:           UDP 500, 4500, IP ESP
  Client:              7/2008 R2 and newer
  RRAS Server:         2008 R2 and newer
  Server Requirements: IPSec certificate, public name, public IP
  Client Requirements: IPSec machine certificate

RD Gateway
  Transport:           TCP 443, TLS
  Client:              RDP client 6.0 and newer
  RRAS Server:         2008 and newer
  Server Requirements: TLS certificate, public name
  Client Requirements: -

DirectAccess
  Transport:           IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6-to-4
  Client:              7/2008 R2 Enterprise, IPv6 enabled, GPO
  RRAS Server:         2012 and newer
  Server Requirements: IPSec certificate, TLS certificate, public name
  Client Requirements: IPSec machine certificate

Web Application Proxy
  Transport:           HTTPS
  Client:              web browser, GUI web client (Office)
  Server:              2012 R2 and newer, WAP and AD FS server
  Server Requirements: TLS certificate, public name, TLS certificate for AD FS

Network Access Protection (NAP)

Client health validation before connecting:

Firewall on?

Windows up-to-date?

Antimalware up-to-date?

SCCM compliance items in order?

The client validates itself, so this is no security, only an added layer of obstruction


Microsoft RADIUS Server

Standard authentication server

IAS - Internet Authentication Service (2003 and earlier)

NPS - Network Policy Server (2008 and newer)

Authentication options: login/password, certificate

Active Directory authentication only

Clear-text transport with signatures: message authenticator (MD5)

RADIUS General (diagram): Access Client (VPN, WiFi, Ethernet, RDP GW) -> Access Server (RRAS VPN, WiFi AP, Ethernet switch, RDP GW, DHCP server) -> RADIUS -> Active Directory (pass-through authentication)


RADIUS Terminology (diagram): the Access Client (VPN, WiFi, Ethernet, RDP GW) talks to the RADIUS Client, i.e. the Access Server (RRAS VPN, WiFi AP, Ethernet switch, RDP GW, DHCP server), which talks RADIUS to the RADIUS server, which authenticates against Active Directory (pass-through authentication)

Authentication Methods

PAP, SPAP: clear text and hashed response, respectively

CHAP: MD5 challenge-response, requires "Store passwords using reversible encryption"

MS-CHAP: NTLM equivalent, DES(MD4)

MS-CHAPv2: NTLMv2 equivalent plus improvements (time constraints), HMAC-MD5 (MD4)

EAP + MS-CHAPv2: MS-CHAPv2 equivalent, different packeting

EAP + PEAP + MS-CHAPv2: MS-CHAPv2 wrapped in TLS

EAP + PEAP + TLS: client authentication certificate, in the user profile or on a smart card

No authentication: sometimes the authentication occurs on the Access Server itself (RD Gateway)


REMOTE ACCESS AUTHENTICATION

Troubleshooting Remote Access

PPTP issues

MPPE encryption: proprietary, RC4

Encrypted by authentication products: the MPPE keys are derived "by" password or "by" certificate

PAP/SPAP/EAP travels in clear


EAP-TLS vs. PEAP

EAP-TLS is designed for a protected transport and does not protect itself

Protected EAP (PEAP): EAP wrapped in standard TLS

EAP/PEAP Generic (diagram): Access Client -> Access Server -> RADIUS -> Active Directory; certificates: EAP/PEAP server certificate on RADIUS, EAP/PEAP client certificate on the access client, VPN tunnel server certificate on the access server, VPN tunnel client certificate on the access client


MS-CHAPv2 with SSTP (diagram): Access Client -> Access Server -> RADIUS -> Active Directory; certificate: VPN tunnel server certificate on the access server

EAP + MS-CHAPv2 with SSTP (diagram): Access Client -> Access Server -> RADIUS -> Active Directory; certificate: VPN tunnel server certificate on the access server


EAP + TLS with SSTP (diagram): Access Client -> Access Server -> RADIUS -> Active Directory; certificates: EAP-TLS server certificate on RADIUS, EAP-TLS client certificate on the access client, VPN tunnel server certificate on the access server

EAP + PEAP + MS-CHAPv2 with SSTP (diagram): Access Client -> Access Server -> RADIUS -> Active Directory; certificates: PEAP TLS server certificate on RADIUS, VPN tunnel server certificate on the access server


EAP + PEAP + TLS with SSTP (diagram): Access Client -> Access Server -> RADIUS -> Active Directory; certificates: PEAP TLS server certificate and EAP-TLS server certificate on RADIUS, EAP-TLS client certificate on the access client, VPN tunnel server certificate on the access server

RADIUS Clients configuration

IP address of the device: can be resolved from DNS, but must match the IP address of the device (no reverse DNS)

Shared secrets: MD5(random message authenticator + shared secret)

NETSH NPS DUMP ExportPSK=YES
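The shared secret never crosses the wire; it keys the two MD5-based checks defined in RFC 2865 (Response Authenticator) and RFC 2869 (Message-Authenticator), which is what the "message authenticator (MD5)" and "MD5(... + shared secret)" lines refer to. The PowerShell below is an added example, not code from the slides or from GOPAS: it builds a constructed Access-Request/Access-Accept pair (the secret, user name and NAS address are sample values) and shows that attributes stay readable on the wire while a reply made with a different secret, or altered after signing, fails the client-side Response Authenticator check.

```powershell
# Added example, not part of the slides: RADIUS authenticators on a constructed exchange.
# Layout follows RFC 2865 / RFC 2869; secret, user and NAS address are sample values.

function ConvertTo-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    # Attribute = Type (1 octet) + Length (1 octet, includes the 2 header octets) + Value
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function New-RadiusPacket {
    param([byte]$Code, [byte]$Identifier, [byte[]]$Authenticator, [byte[]]$Attributes)
    $length = 20 + $Attributes.Length
    $header = [byte[]]@($Code, $Identifier, [byte]($length -shr 8), [byte]($length -band 0xFF))
    return [byte[]]($header + $Authenticator + $Attributes)
}

function Get-RadiusMessageAuthenticator {
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the whole packet,
    # with the 16 value octets of attribute 80 set to zero while hashing.
    param([byte[]]$Packet, [string]$Secret)
    $copy = [byte[]]$Packet.Clone()
    $i = 20
    while ($i -lt $copy.Length -and $copy[$i] -ne 80) { $i += $copy[$i + 1] }
    if ($i -ge $copy.Length) { throw 'packet carries no Message-Authenticator (attribute 80)' }
    for ($k = 0; $k -lt 16; $k++) { $copy[$i + 2 + $k] = 0 }
    $hmac = [System.Security.Cryptography.HMACMD5]::new([Text.Encoding]::ASCII.GetBytes($Secret))
    try { return $hmac.ComputeHash($copy) } finally { $hmac.Dispose() }
}

function Get-RadiusResponseAuthenticator {
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + ResponseAttributes + Secret).
    # The secret is hashed in but never appears in the packet.
    param([byte[]]$Response, [byte[]]$RequestAuthenticator, [string]$Secret)
    $attrs = if ($Response.Length -gt 20) { $Response[20..($Response.Length - 1)] } else { @() }
    $data = [byte[]]($Response[0..3] + $RequestAuthenticator + $attrs + [Text.Encoding]::ASCII.GetBytes($Secret))
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($data) } finally { $md5.Dispose() }
}

function Test-RadiusResponse {
    # The check a RADIUS client (access server) performs on every reply: $true only if the
    # reply was produced with the same secret and was not altered in transit.
    param([byte[]]$Response, [byte[]]$RequestAuthenticator, [string]$Secret)
    $expected = Get-RadiusResponseAuthenticator $Response $RequestAuthenticator $Secret
    $actual = $Response[4..19]
    for ($k = 0; $k -lt 16; $k++) { if ($expected[$k] -ne $actual[$k]) { return $false } }
    return $true
}

# --- constructed sample exchange ---
$secret      = 'constructed-shared-secret'
$requestAuth = [byte[]](1..16)       # a real client uses 16 random octets
$userName = ConvertTo-RadiusAttribute 1  ([Text.Encoding]::ASCII.GetBytes('alice'))   # User-Name
$nasIp    = ConvertTo-RadiusAttribute 4  ([byte[]]@(10, 0, 0, 5))                     # NAS-IP-Address
$msgAuth  = ConvertTo-RadiusAttribute 80 ([byte[]]::new(16))                          # Message-Authenticator placeholder
$request  = New-RadiusPacket -Code 1 -Identifier 7 -Authenticator $requestAuth -Attributes ([byte[]]($userName + $nasIp + $msgAuth))
$mac = Get-RadiusMessageAuthenticator $request $secret
[Array]::Copy($mac, 0, $request, $request.Length - 16, 16)   # attribute 80 is the last one

$replyMsg = ConvertTo-RadiusAttribute 18 ([Text.Encoding]::ASCII.GetBytes('welcome'))  # Reply-Message
$accept   = New-RadiusPacket -Code 2 -Identifier 7 -Authenticator ([byte[]]::new(16)) -Attributes $replyMsg
$respAuth = Get-RadiusResponseAuthenticator $accept $requestAuth $secret
[Array]::Copy($respAuth, 0, $accept, 4, 16)

"User-Name readable on the wire:        " + [Text.Encoding]::ASCII.GetString($request, 22, 5)
"Accept verifies with the right secret: " + (Test-RadiusResponse $accept $requestAuth $secret)
"Accept verifies with a wrong secret:   " + (Test-RadiusResponse $accept $requestAuth 'other-secret')
$forged = [byte[]]$accept.Clone(); $forged[1] = 8     # change the Identifier after signing
"Tampered accept verifies:              " + (Test-RadiusResponse $forged $requestAuth $secret)
```

Runs in any PowerShell 5.1 or later session and sends nothing on the network. The point for the NETSH NPS export with ExportPSK=YES on the slide: whoever can read that file holds every secret needed to produce replies that pass this check for every RADIUS client, so the export deserves the same handling as a password file.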

Implementing NPS Policy

NPS Auditing: Audit Network Policy Server

802.1x Auditing on Clients: Audit Other Logon/Logoff Events
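The two subcategories above write to the Security log: Audit Network Policy Server produces 6272 (access granted) and 6273 (access denied) on the NPS server, and Audit Other Logon/Logoff Events produces 5632 (wireless) and 5633 (wired) 802.1x attempts on the client. The PowerShell below is an added example, not from the slides, that enables both with auditpol and summarises denials by NPS reason code. It assumes an elevated session and that the "Account Name:", "Client IP Address:", "Network Policy Name:" and "Reason Code:" labels are the English rendering of the 6273 message text.

```powershell
# Added example, not part of the slides: enable NPS / 802.1x auditing and summarise the events.
# Assumes an elevated session and English event message text (labels used in the regexes).

function Enable-RemoteAccessAuditing {
    param([switch]$NpsServer, [switch]$Client8021x)
    # auditpol is the built-in tool; Group Policy (Advanced Audit Policy) can set the same subcategories
    if ($NpsServer)   { auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable }
    if ($Client8021x) { auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable }
}

function Get-NpsDenialSummary {
    # Groups 6273 (NPS denied access) events by reason code, listing the accounts,
    # RADIUS clients and network policies involved, so a misconfigured policy or a
    # credential-guessing source shows up as one line at the top.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $m = $e.Message
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = if ($m -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
            Client  = if ($m -match 'Client IP Address:\s+(\S+)') { $Matches[1] } else { '?' }
            Policy  = if ($m -match 'Network Policy Name:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            Reason  = if ($m -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } else { -1 }
        }
    }
    $rows | Group-Object Reason | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            ReasonCode = [int]$_.Name
            Denials    = $_.Count
            Accounts   = ($_.Group.Account | Sort-Object -Unique) -join ', '
            Clients    = ($_.Group.Client  | Sort-Object -Unique) -join ', '
            Policies   = ($_.Group.Policy  | Sort-Object -Unique) -join ', '
        }
    }
}

function Get-Dot1xClientSummary {
    # On a workstation: 5632 = wireless, 5633 = wired 802.1x request; the audit keyword
    # (Audit Success / Audit Failure) separates successful from failed attempts.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5632, 5633; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id, { $_.KeywordsDisplayNames -join '' } |
        Select-Object Count, Name
}

# On the NPS server:
Enable-RemoteAccessAuditing -NpsServer
Get-NpsDenialSummary -Hours 24 | Format-Table -AutoSize
# On an 802.1x client:
# Enable-RemoteAccessAuditing -Client8021x; Get-Dot1xClientSummary | Format-Table -AutoSize
```

Run the server part on NPS and the client part on a workstation; the reason code column maps to the Reason text in the same event, which is the fastest route from "user cannot connect" to the NPS policy or credential problem behind it.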

PEAP on NPS

VPN Client Notes

Validates CRL

SSTP does not use the CRL cache
  HKLM\System\CCS\Services\SSTPSvc\Parameters
  NoCertRevocationCheck = DWORD = 1

IPSec
  netsh advfirewall set global ipsec strongcrlcheck 0
  HKLM\System\CCS\Services\PolicyAgent
  StrongCrlCheck = 0 = disabled
  StrongCrlCheck = 1 = fail only if revoked
  StrongCrlCheck = 2 = fail even if CRL not available
  HKLM\System\CCS\Services\IPSec
  AssumeUDPEncapsulationContextOnSendRule = 2

PEAP Client Settings


VPN Client Configuration

Group Policy Preferences: limited options

Connection Manager Administration Kit (CMAK): create VPN installation packages

SSTP VPN troubleshooting: https://vpn.gopas.cz/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/


802.1x Notes

Required services: WLAN AutoConfig (WlanSvc), Wired AutoConfig (dot3svc)

Group Policy settings: Windows XP SP3 and newer, full configuration options
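The following PowerShell is an added example, not from the slides, that reads back the client-side settings from the VPN Client Notes slide (SSTP NoCertRevocationCheck, IPsec StrongCrlCheck, AssumeUDPEncapsulationContextOnSendRule) together with the two 802.1x services listed above, and flags the values that switch certificate revocation checking off. It assumes the full registry paths under HKLM\SYSTEM\CurrentControlSet (the slides abbreviate CurrentControlSet as CCS) and that the Wired AutoConfig service is named dot3svc.

```powershell
# Added example, not part of the slides: audit remote-access client settings on this machine.
# Registry paths are the CurrentControlSet form of the CCS paths on the slides.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # value absent: Windows applies its default
    return [int]$item.$Name
}

function Get-RemoteAccessClientAudit {
    $findings = @()

    # SSTP: NoCertRevocationCheck = 1 disables revocation checking of the gateway's TLS certificate
    $sstp = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters' 'NoCertRevocationCheck'
    $findings += [pscustomobject]@{
        Setting = 'SSTP NoCertRevocationCheck'
        Value   = $sstp
        Weak    = ($sstp -eq 1)
        Note    = if ($sstp -eq 1) { 'CRL check disabled; a revoked gateway certificate is still accepted' } else { 'revocation checked (default)' }
    }

    # IPsec: 0 = CRL ignored, 1 = fail only if revoked (default), 2 = fail also when the CRL is unreachable
    $crl = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' 'StrongCrlCheck'
    $findings += [pscustomobject]@{
        Setting = 'IPsec StrongCrlCheck'
        Value   = $crl
        Weak    = ($crl -eq 0)
        Note    = switch ($crl) { 0 { 'CRL ignored' } 2 { 'strict: fails when CRL unreachable' } default { 'fail only on a revoked certificate (default 1)' } }
    }

    # IPsec NAT-T: 0 (default) = no association with a server behind NAT, 1 = server behind NAT, 2 = both behind NAT
    $natt = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec' 'AssumeUDPEncapsulationContextOnSendRule'
    $findings += [pscustomobject]@{
        Setting = 'IPsec AssumeUDPEncapsulationContextOnSendRule'
        Value   = $natt
        Weak    = $false
        Note    = switch ($natt) { 1 { 'server behind NAT allowed' } 2 { 'client and server behind NAT allowed' } default { 'default: tunnel fails when the server is behind NAT' } }
    }

    # 802.1x needs these services; Wired AutoConfig is Manual (stopped) by default on clients
    foreach ($svc in 'WlanSvc', 'dot3svc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Setting = "service $svc"
            Value   = if ($s) { "$($s.Status) / $($s.StartType)" } else { 'not installed' }
            Weak    = $false
            Note    = if ($s -and $s.Status -ne 'Running') { '802.1x cannot authenticate until the service runs' } else { 'ok' }
        }
    }
    return $findings
}

Get-RemoteAccessClientAudit | Format-Table -AutoSize
```

Run it on the client that fails to connect; a `Weak = True` row means revocation checking has been switched off on that client (a common leftover from earlier troubleshooting), and a stopped dot3svc is the usual reason a wired 802.1x profile never prompts.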

802.1x Authentication

User authentication: login/password, or client certificate in the user profile or on a smart card

Computer authentication: MACHINE$ login/password, or client certificate in the local computer store

Computer authentication with user re-authentication: since Windows 7 works like a charm


MS-CHAPv2 with 802.1x (diagram): Access Client -> AP/switch (single Ethernet cable or WiFi) -> RADIUS -> Active Directory

EAP/PEAP/TLS with 802.1x (diagram): Access Client -> AP/switch (single Ethernet cable or WiFi) -> RADIUS -> Active Directory; certificates: EAP/PEAP client certificate (user or machine) on the access client, EAP-TLS server certificate and EAP/PEAP server certificate on RADIUS


RD Proxy Troubleshooting

RPCPING parameters
-t ncacn_http
-e 3388
-s localhost (local TSGateway COM service)
-v 3 (verbose output 1/2/3)
-a connect (connect/call/pkt/integrity/privacy)
-u ntlm (nego/ntlm/schannel/kerberos/kernel)
-I "kamil,gps,*"
-o RpcProxy=gps-wfe.gopas.virtual:443
-F ssl
-B msstd:gps-wfe.gopas.virtual
-H ntlm (RPC over HTTP proxy authentication ntlm/basic)
-P "proxykamil,gps,*"
-U NTLM (HTTP proxy authentication ntlm/basic)

rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

RPC Proxy Troubleshooting

https://rpcserver/Rpc/RpcProxy.dll

https://rpcserver/RpcWithCert/RpcProxy.dll