Implementing SSTP VPN and 802.1x with RADIUS on Windows 2012 Ing. Ondřej Ševeček | Product Manager Windows Server | GOPAS a.s. MCM: Directory | MVP: Security.

1 Implementing SSTP VPN and 802.1x with RADIUS on Windows 2012
  Ing. Ondřej Ševeček | Product Manager Windows Server | GOPAS a.s.
  MCM: Directory | MVP: Security | ondrej@sevecek.com | www.sevecek.com

2 Agenda
  - SSTP VPN solution
  - RADIUS (NPS) authentication
  - EAP-TLS client authentication certificates

3 Network Access Technologies
  - VPN
    - SMB/SQL/LDAP/DCOM sensitive to RTT
  - Remote Desktop
    - no clipboard, no file proliferation
    - limited malware surface
  - 802.1x
    - WiFi or Ethernet
    - no encryption, authorization only
  - DirectAccess
    - GPO managed IPSec tunnel over IPv6

4 Why TLS and certificates?
  - Much better than a password
    - SHA-1/RSA 2048 ~ 12 character password
  - May be bound to a client machine
  - May be stored in a smart card
    - cannot be duplicated

5 Why TLS and certificates?
  [Diagram: passive eavesdropping (Client - Attacker - Server, one shared Key) versus active MITM (Client - Attacker using Key A, Attacker - Server using Key B)]

6 Why SSTP VPN?
  - Is not RDP better?
    - RD Gateway with TLS client certificates?
  - SSTP runs over HTTPS TCP 443
  - Minimum server requirements
  - Minimum client requirements

7 VPN Compared

  Protocol | Transport             | Client               | RRAS Server       | Server Requirements | Client Requirements
  ---------|-----------------------|----------------------|-------------------|---------------------|--------------------------
  PPTP     | TCP 1723, IP GRE      | MS-DOC and newer     | NT 4.0 and newer  | -                   | -
  L2TP     | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer    | IPSec certificate   | IPSec machine certificate
  SSTP     | TCP 443               | Vista/2008 and newer | 2008 and newer    | TLS certificate     | -
  IKEv2    | UDP 500, 4500, IP ESP | 7/2008 R2 and newer  | 2008 R2 and newer | IPSec certificate   | IPSec machine certificate

8 Why RADIUS server?
  - Standard authentication server
  - Generic credentials validation
    - VPN, WiFi 802.1x, Ethernet 802.1x
    - third-party hardware vendors
    - VMWare, NAS, …

9 Microsoft RADIUS Server
  - Standard authentication server
    - IAS - Internet Authentication Service (2003-)
    - NPS - Network Policy Service (2008+)
  - Authentication options
    - login/password
    - certificate
  - Active Directory authentication only

10 RADIUS General
  [Diagram: Client (VPN, WiFi, Ethernet, RDP GW) -> Access Server (RRAS VPN, WiFi AP, Ethernet switch, RDP GW, DHCP server) -> RADIUS -> Active Directory (AD passthrough authentication)]

11 RADIUS Client Terminology
  - RADIUS clients
    - RRAS VPN server
    - DHCP server
    - WiFi AP, managed Ethernet switch
  - Access clients
    - notebook, workstation, phone, …

12 Authentication Methods
  - PAP, SPAP
    - clear text, hashed respectively
  - CHAP
    - MD5 challenge response
    - requires "Store passwords using reversible encryption"
  - MS-CHAP
    - NTLM equivalent
    - DES(MD4)
  - MS-CHAPv2
    - NTLMv2 equivalent plus improvements (time constraints)
    - HMAC-MD5 (MD4)
  - EAP-TLS, PEAP
    - client authentication certificate
    - in user profile or in smart card

13 EAP-TLS
  [Diagram: Client <-> Access Server <-> RADIUS <-> Active Directory; EAP-TLS client certificate on the client, EAP-TLS server certificate on RADIUS, VPN tunnel client certificate on the client, VPN tunnel server certificate on the access server]

14 EAP-TLS with SSTP
  [Diagram: Client <-> Access Server <-> RADIUS <-> Active Directory; EAP-TLS client certificate on the client, EAP-TLS server certificate on RADIUS, only a VPN tunnel server certificate on the access server (no tunnel client certificate)]

15 Implementing NPS Policy

19 NPS Auditing

20 EAP-TLS on NPS

22 VPN Client Notes
  - Validates CRL
  - SSTP
    - does not use CRL cache
    - HKLM\System\CCS\Services\SSTPSvc\Parameters
      - NoCertRevocationCheck = DWORD = 1
  - IPSec
    - set global ipsec strongcrlcheck 0
    - HKLM\System\CCS\Services\PolicyAgent
      - StrongCrlCheck = 0 = disabled
      - StrongCrlCheck = 1 = fail only if revoked
      - StrongCrlCheck = 2 = fail even if CRL not available
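An added audit script, not from the presentation, that reads the two client-side registry switches named on this slide and reports whether revocation checking has been weakened on the machine. It assumes "CCS" stands for CurrentControlSet and that an absent value means the default behaviour (SSTP checks revocation; PolicyAgent behaves as StrongCrlCheck = 1); the function name is my own.

```powershell
# Added audit script (not from the presentation). Reports whether the two
# client-side revocation-check switches named on the slide have been weakened.
# Assumptions: "CCS" on the slide is CurrentControlSet; an absent value means
# the default (SSTP checks revocation; PolicyAgent behaves as StrongCrlCheck = 1).
function Get-VpnCrlCheckPosture {
    [CmdletBinding()]
    param()

    $sstpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SSTPSvc\Parameters'
    $ipsecKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'

    # SSTP: NoCertRevocationCheck = 1 turns off CRL validation of the VPN server certificate
    $noCheck = (Get-ItemProperty -Path $sstpKey -Name 'NoCertRevocationCheck' `
                -ErrorAction SilentlyContinue).NoCertRevocationCheck
    $sstpDisabled = ($null -ne $noCheck) -and ([int]$noCheck -eq 1)

    # IPSec (L2TP/IKEv2): StrongCrlCheck meanings exactly as listed on the slide
    $strongMeaning = @{
        0 = 'disabled'
        1 = 'fail only if the certificate is revoked'
        2 = 'fail even if the CRL is not available'
    }
    $strong = (Get-ItemProperty -Path $ipsecKey -Name 'StrongCrlCheck' `
               -ErrorAction SilentlyContinue).StrongCrlCheck
    if ($null -eq $strong) { $strong = 1 }   # assumed default when the value is absent
    $strong = [int]$strong
    $meaning = if ($strongMeaning.ContainsKey($strong)) { $strongMeaning[$strong] } else { 'unknown value' }

    $sstpState = if ($sstpDisabled) { 'DISABLED (NoCertRevocationCheck = 1)' } else { 'enabled' }

    [pscustomobject]@{
        SstpRevocationCheck = $sstpState
        IpsecStrongCrlCheck = "$strong = $meaning"
        # Weakened: either switch is at the value the slide shows for turning checks off
        Weakened            = ($sstpDisabled -or ($strong -eq 0))
    }
}

Get-VpnCrlCheckPosture | Format-List
```

Run it in an elevated PowerShell on the VPN client; a Weakened value of True is worth a ticket, because a client that skips revocation checks will keep trusting a revoked VPN server or RADIUS certificate.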

23 EAP-TLS Client Settings

24 VPN Client Configuration
  - Group Policy Preferences
    - limited options
  - Connection Manager Administration Kit (CMAK)
    - create VPN installation packages

25 802.1x Notes
  - Required services
    - WLAN AutoConfig (WlanSvc)
    - Wired AutoConfig (Dot3Svc)
  - Group Policy Settings
    - Windows XP SP3 and newer
    - full configuration options

26 802.1x Authentication
  - User authentication
    - login/password
    - client certificate in user profile or in smart card
  - Computer authentication
    - MACHINE$ login/password
    - client certificate in the local computer store
  - Computer authentication with user re-authentication
    - since Windows 7 works like a charm
