Implementing SSTP VPN and 802.1x with RADIUS on Windows 2012 Ing. Ondřej Ševeček | Product Manager Windows Server | GOPAS a.s. MCM: Directory | MVP: Security | |

Agenda  SSTP VPN solution  RADIUS (NPS) authentication  EAP-TLS client authentication certificates

Network Access Technologies  VPN  SMB/SQL/LDAP/DCOM sensitive to RTT  Remote Desktop  no clipboard, no file proliferation  limited malware surface  802.1x  WiFi or Ethernet  no encryption, authorization only  DirectAccess  GPO managed IPSec tunnel over IPv6

Why TLS and certificates?  Much better than a password  SHA-1/RSA 2048 ~ 12 character password  May be bound to a client machine  May be stored in smart card  cannot duplicate

Why TLS and certificates? ClientAttackerServer ClientServer Attacker Passive eavesdropping Active MITM Key Key A Key B

Why SSTP VPN?  Is not RDP better?  RD Gateway with TLS client certificates?  SSTP runs over HTTPS TCP 443  Minimum server requirements  minimum client requirements

VPN Compared ProtocolTransportClientRRAS Server Server Requirements PPTP TCP 1723 IP GRE MS-DOC and newer NT 4.0 and newer- - L2TP UDP 500, 4500 IP ESP NT 4.0, 98 and newer 2000 and newerIPSec certificate IPSec machine certificate SSTPTCP 443 Vista/2008 and newer 2008 and newerTLS certificate - IKEv2 UDP 500, 4500 IP ESP 7/2008 R2 and newer 2008 R2 and newer IPSec certificate IPSec machine certificate

Why RADIUS server?  Standard authentication server  Generic credentials validation  VPN, WiFi 802.1x, Ethernet 802.1x  third-party hardware vendors  VMWare, NAS, …

Microsoft RADIUS Server  Standard authentication server  IAS - Internet Authentication Service (2003-)  NPS - Network Policy Service (2008+)  Authentication options  login/password  certificate  Active Directory authentication only

RADIUS General Client RADIUS Active Directory VPN WiFi Ethernet RDP GW RADIUS Access Server AD Passthrough Authentication RRAS VPN WiFi AP Ethernet Switch RDP GW DHCP DHCP Server

RADIUS Client Terminology  RADIUS clients  RRAS VPN server  DHCP server  WiFi AP, managed Ethernet switch  Access clients  notebook, workstation, phone, …

Authentication Methods  PAP, SPAP  clear, hash resp.  CHAP  MD5 challenge response  Store passwords using reversible encryption  MS-CHAP  NTLM equivalent  DES(MD4)  MS-CHAPv2  NTLMv2 equivalent plus improvements (time constraints)  HMAC-MD5 (MD4)  EAP-TLS, PEAP  client authentication certificate  in user profile or in smart/card

EAP-TLS Client RADIUS Active Directory EAP-TLS Server Certificate Access Server EAP-TLS Client Certificate VPN Tunnel Server Certificate VPN Tunnel Client Certificate

EAP-TLS with SSTP Client RADIUS Active Directory EAP-TLS Server Certificate Access Server EAP-TLS Client Certificate VPN Tunnel Server Certificate

Implementing NPS Policy

NPS Auditing

EAP-TLS on NPS

VPN Client Notes  Validates CRL  SSTP  does not use CRL cache  HKLM\System\CCS\Services\SSTPSvc\Parameters  NoCertRevocationCheck = DWORD = 1  IPSec  set global ipsec strongcrlcheck 0  HKLM\System\CCS\Services\PolicyAgent  StrongCrlCheck = 0 = disabled  StrongCrlCheck = 1 = fail only if revoked  StrongCrlCheck = 2 = fail even if CRL not available

EAP-TLS Client Settings

VPN Client Configuration  Group Policy Preferences  limited options  Connection Manager Administration Kit (CMAK)  create VPN installation packages

802.1x Notes  Required services  WLAN Autoconfig (WlanSvc)  Wired Autoconfig (Doc3Svc)  Group Policy Settings  Windows XP SP3 and newer  full configuration options

802.1x Authentication  User authentication  login/password  client certificate in user profile or in smart card  Computer authentication  MACHINE$ login/password  client certificate in the local computer store  Computer authentication with user re- authentication  since Windows 7 works like charm