Virtual Private Networks (Tunnels)
When Are VPN Tunnels Used?
VPN with PPTP tunnel. Used if:
  All routers support VPN tunnels
  You are using MS-CHAP or EAP-TLS
  Router authentication uses user-based certificates
VPN with L2TP tunnel. Used if:
  All routers support VPN tunnels
  Router authentication uses computer-based certificates or user-based certificates
Components of Remote Connectivity
Figure: network access clients (dial-up client, wireless client through a wireless access point, VPN client) connect to a network access server (VPN or dial-up); the network access server uses an IAS (RADIUS) server as its authentication service, a DHCP server, and a domain controller running Active Directory (not required).
Configuration Requirements for a Network Access Server
A network access server is a server that acts as a gateway to a network for a client.
To configure the network access server, you will need to know:
  Whether the server will also act as a router
  Authentication methods and providers
  Client access IP address assignment
  PPP configuration options
  Event logging preferences
What Is a Network Access Client?
Type of Client: Description
VPN Client: Connects to a network across a shared or public network; emulates a point-to-point link on a private network
Dial-up Client: Connects to a network by using a communications network; creates a physical connection to a port on a remote access server on a private network; uses a modem or ISDN adapter to dial in to the remote access server
Wireless Client: Connects to a network by infrared light and radio frequency technologies; includes many different types of devices
What Are Network Access Authentication and Authorization?
Figure: network access client, network access server, and domain controller.
1. Authentication: verifies a remote user's identification to the network service that the remote user is attempting to access (interactive logon)
2. Authorization: verifies that the connection attempt is allowed; authorization occurs after a successful logon attempt
Available Methods of Authentication
Figure: VPN client, VPN server, and domain controller.
Remote and wireless authentication methods include: CHAP, PAP, SPAP, MS-CHAP, MS-CHAP v2, EAP-TLS, PEAP, MD-5 Challenge
The recommended method for user authentication is by using smart card certificates
How a VPN Connection Works
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server authenticates and authorizes the client
4. VPN server transfers data
Components of a VPN Connection
Figure: a VPN client and a VPN server are joined by a VPN tunnel (tunneling protocols, tunneled data) across a transit network; a DHCP server provides address and name server allocation and a domain controller provides authentication. Two scenarios are shown: remote user to corporate network (through a remote access server) and branch office to branch office (a remote access server at each end).
Encryption Protocols for a VPN Connection
Figure: examples of a remote access server using L2TP/IPSec.
Category: Description
PPTP: Employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption
L2TP/IPSec: Employs user-level PPP authentication methods over a connection that is encrypted with IPSec
The recommended authentication method for VPN network access is L2TP/IPSec with certificates
Configuration Requirements for a VPN Server
Before adding a remote access / VPN server:
  Identify which network interface connects to the Internet and which network interface connects to your private network
  Identify whether clients receive IP addresses from a DHCP server or the VPN server
  Identify whether to authenticate connection requests by RADIUS or by the VPN server
How Dial-up Network Access Works
Figure: dial-up client, remote access server, and domain controller.
Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider
1. Dial-up client calls the RA server
2. RA server answers the call
3. RA server authenticates and authorizes the client
4. RA server transfers data
Components of a Dial-up Connection
Figure: a dial-up client connects to a remote access server over WAN options (telephone, ISDN, X.25, or ATM) using LAN and remote access protocols; a DHCP server provides address and name server allocation and a domain controller provides authentication.
Authentication Methods for a Dial-up Connection
Figure: remote access user and remote access server (mutual authentication).
Authentication methods for dial-up include: CHAP, PAP, SPAP, MS-CHAP, MS-CHAP v2, EAP-TLS, EAP-MD5 Challenge
Strongest method: EAP-TLS with smart cards
Configuration Requirements for a Remote Access Server
Before adding a remote access server for dial-up access:
  Identify whether clients receive IP addresses from a DHCP server or the remote access server
  Identify whether to authenticate connection requests by RADIUS or by the remote access server
  Verify that users have user accounts configured for dial-up access
Overview of Wireless Network Access
Figure: a wireless client connects through a wireless access point to a network access server, which is backed by an IAS server, a DHCP server, and a domain controller.
A wireless network uses technology that enables devices to communicate by using standard network protocols and electromagnetic waves, not network cabling, to carry signals over part or all of the network infrastructure
Standard: Description
Infrastructure WLAN: Clients connect to wireless access points
Peer-to-peer WLAN: Wireless network clients communicate directly with each other without the use of cables
Components of a Wireless Connection
Figure: wireless clients (stations) connect to wireless access points (ports); behind the access points sit a remote access server, a DHCP server (address and name server allocation), and a domain controller (authentication).
Wireless Standards
Standard: Description
802.11: A group of specifications for WLANs developed by IEEE; defines the physical and MAC portion of the OSI data-link layer
802.11b: 11 megabits per second; good range but susceptible to radio signal interference; popular with home and small business users
802.11a: Transmission speeds as high as 54 Mbps; allows wireless LAN networking to perform better for video and conferencing applications; works well in densely populated areas; is not interoperable with 802.11, 802.11b, 802.11g
802.11g: Enhancement to and compatible with 802.11b; 54 Mbps but at shorter ranges than 802.11b
802.1x: Authenticates clients before it lets them on the network; can be used for wireless or wired LANs; requires greater hardware and infrastructure investment
Authentication Methods for Wireless Networks
802.1x Authentication Method: Description
EAP-MS-CHAP v2: Provides mutual authentication; uses certificates for server authentication and password-based credentials for client authentication
EAP-TLS: Provides mutual authentication and is the strongest method of authentication and key determination; uses certificates for both server and client authentication
PEAP: Provides support for EAP-TLS and EAP-MS-CHAP v2; encrypts the negotiation process
Lesson: Centralizing Network Access Authentication and Policy Management by Using IAS
What Is RADIUS?
What Is IAS?
How Centralized Authentication Works
How to Configure an IAS Server for Network Access Authentication
How to Configure the Remote Access Server to Use IAS for Authentication
What Is RADIUS?
RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access
  RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks
  Use RADIUS to manage network access centrally across many types of network access
  RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies
What Is IAS?
IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections
You can configure IAS to support:
  Dial-up corporate access
  Extranet access for business partners
  Internet access
  Outsourced corporate access through service providers
How Centralized Authentication Works
Figure: client, RADIUS client (remote access server), RADIUS server, and domain controller.
1. Client dials in to a local RADIUS client to gain network connectivity
2. RADIUS client forwards requests to a RADIUS server
3. RADIUS server authenticates requests and stores accounting information
4. RADIUS server communicates to the RADIUS client to grant or deny access