INTRODUCTION

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol which is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs. Microsoft cautions that any organizations that use MS-CHAP v2 without encapsulation in conjunction with PPTP tunnels for VPN connectivity are running in a potentially nonsecure configuration. 

Recommendations

Microsoft suggests that organizations using MS-CHAP v2/PPTP implement the Protected Extensible Authentication Protocol (PEAP) in their networks. This mitigates the issue by encapsulating the MS-CHAP v2 authentication exchange in a TLS tunnel.

Configure PPTP to use PEAP-MS-CHAP v2 for authentication

PEAP-MS-CHAP v2

PEAP with MS-CHAP v2 as the client authentication method is one way to help secure VPN authentication. To enforce the use of PEAP on client platforms, Windows Routing and Remote Access Server (RRAS) servers should be configured to allow only connections that use PEAP authentication, and to refuse connections from clients that use MS-CHAP v2 or EAP-MS-CHAP v2. Administrators must check the corresponding authentication method options on the RRAS server and the Network Policy Server (NPS) server. 

Administrators must also confirm the following:

  • Server certificate validation is turned ON. (The default behavior is ON.)

  • Server Name validation is turned ON. (The default behavior is ON.) The correct server name must be specified.

  • The root certificate that issued the server certificate is installed correctly in the client system's certificate store, and that root certification authority is selected (turned ON) in the PEAP properties. (Always ON.)

  • On Windows 7, Windows Vista, and Windows XP, the "Do not prompt user to authorize new servers or trusted certification authorities" check box in the PEAP properties window should be enabled. By default, it is disabled.

Configure the RRAS Server for the PEAP-MS-CHAP v2 authentication method

The procedure for configuring the PEAP-MS-CHAP v2 authentication method for the RRAS server and for turning off the less secure methods MS-CHAP v2 and EAP-MS-CHAP v2 is briefly described in the following steps. 

Configure the authentication method for RRAS

To do this, follow these steps:

  1. In the RRAS Server Management window, open the Server Properties dialog box, and then click the Security tab.

  2. Click Authentication Methods.

  3. Make sure that the EAP check box is selected and that the MS-CHAP v2 check box is not selected.

Configure connections for NPS

Configure the Network Policy Server (NPS) to only allow connections from clients that use the PEAP-MS-CHAP v2 authentication method. To configure NPS, follow these steps:

  1. Open the NPS UI, click Policies, and then click Network Policies.

  2. Right-click Connections to Microsoft Routing and Remote Access Server, and then select Properties.

  3. On the Properties UI, click the Constraints tab.

  4. In the left Constraints pane, select Authentication Methods, and then click to clear the check boxes for the MS-CHAP and MS-CHAP v2 methods.

  5. Remove EAP-MS-CHAP v2 from the EAP Types list.

  6. Click Add, select PEAP authentication method, and then click OK.

    Note A valid Server certificate must be installed in the "Personal" store, and a valid root certificate must be installed in the "Trusted Root CA" store of the server before configuring the NPS connection.

  7. Click Edit, and then select EAP-MS-CHAP v2 as the inner authentication method for PEAP.

Configure the RRAS Client for PEAP-MS-CHAP v2 authentication method

Windows VPN clients can be configured to use the PEAP-MS-CHAP v2 authentication method by selecting the corresponding method from the VPN connection properties UI and by installing the appropriate root certificate on the client system.
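The client-side settings listed under "Administrators must also confirm the following" and the client configuration described here can be audited from PowerShell. The following script is an added example, not part of this article: it assumes the VpnClient module (Get-VpnConnection) and the EapHostConfig XML that Windows stores in the profile's EapConfigXmlStream property, and $ExpectedServerName is a placeholder you must replace with your own RRAS server name.

```powershell
# Added audit helper (not from the article): check a Windows VPN client profile
# against the PEAP-MS-CHAP v2 settings listed above.

function Get-EapSetting([xml]$Doc, [string]$Path) {
    # The EAP config mixes several xmlns values, so match each path step by
    # local element name only and return the element's text.
    $steps = ($Path -split '/') | ForEach-Object { "*[local-name()='$_']" }
    $node  = $Doc.SelectSingleNode('/' + ($steps -join '/'))
    if ($node) { $node.InnerText.Trim() } else { $null }
}

function Test-PeapMsChapV2Profile {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $AuthenticationMethod,
        $EapConfig,                                          # XmlDocument or $null
        [string] $ExpectedServerName = 'vpn.example.com'     # placeholder value
    )
    $f = [System.Collections.Generic.List[string]]::new()
    if ($AuthenticationMethod -notcontains 'Eap' -or $null -eq $EapConfig) {
        $f.Add('profile does not use EAP, so plain MS-CHAP v2 can still be negotiated')
        return [pscustomobject]@{ Name = $Name; Compliant = $false; Findings = $f }
    }
    $peap = 'EapHostConfig/Config/Eap/EapType'
    if ((Get-EapSetting $EapConfig 'EapHostConfig/Config/Eap/Type') -ne '25') {
        $f.Add('outer EAP type is not PEAP (type 25)') }
    if ((Get-EapSetting $EapConfig "$peap/Eap/Type") -ne '26') {
        $f.Add('inner method is not EAP-MS-CHAP v2 (type 26)') }
    if ((Get-EapSetting $EapConfig "$peap/PeapExtensions/PerformServerValidation") -ne 'true') {
        $f.Add('server certificate validation is turned OFF') }
    $names = Get-EapSetting $EapConfig "$peap/ServerValidation/ServerNames"
    if ((Get-EapSetting $EapConfig "$peap/PeapExtensions/AcceptServerName") -ne 'true' -or
        ($names -split ';') -notcontains $ExpectedServerName) {
        $f.Add("server name validation is OFF or not set to $ExpectedServerName") }
    if ((Get-EapSetting $EapConfig "$peap/ServerValidation/DisableUserPromptForServerValidation") -ne 'true') {
        $f.Add('user can still be prompted to authorize new servers or CAs') }
    if (-not (Get-EapSetting $EapConfig "$peap/ServerValidation/TrustedRootCA")) {
        $f.Add('no trusted root CA is selected for the server certificate') }
    [pscustomobject]@{ Name = $Name; Compliant = ($f.Count -eq 0); Findings = $f }
}

# Audit every VPN profile of the current user and list the findings.
Get-VpnConnection | ForEach-Object {
    Test-PeapMsChapV2Profile -Name $_.Name -AuthenticationMethod $_.AuthenticationMethod `
        -EapConfig $_.EapConfigXmlStream
} | Format-List Name, Compliant, Findings
```

Run it in an elevated session and add -AllUserConnection to Get-VpnConnection to cover profiles created for all users.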
