As promised, I’m going to change our SSTP VPN connection, so that it can take advantage of a proper Radius server for better authentication. The new NPS server role (Network Policy Server) will do just that (and more). NPS is the new IAS server and we are going to play with this server role, and add PEAP authentication (initially using EAP-MSCHAP V2) and finally using certificates (we do have our own CA, so we are all set for authentication using certificates). In the next post, we are going to use NAP (network access protection) to further secure our network and VPN connection.
So let’s just install the NPS server role, as always we go to the server manager, roles and scroll down to Network Policy and access services and press add role services. Select Network Policy Server and press next.
There is nothing more to configure, so just press install and the installation should begin.
This will take a short while, when it’s finished, press close and we have our radius server installed.
In Windows Server 2003 we needed to setup a radius client inside the Radius server (IAS) and set Remote access to use our IAS server. In server 2008, we don’t need to do that, as Remote access is aware that we run a local NPS server.
So from now on, we need to setup any authentication at the NPS server, but before we do that we have to change RAS to use EAP, go to Network policy and access services inside the server manager, then to routing and remote access, right mouse click and properties, then on the security tab, press authentication methods and select Extensible authentication protocol (EAP) and de-select Microsoft encrypted authentication version 2 (MS-CHAP V2). Press Ok twice to get back.
Setup automatically created a connection request profile for our remote access VPN server, we just need to change it to enable PEAP. Go to NPS (local), then to policies, finally to connection request policies, and we should have a policy named Microsoft routing and remote access service policy:
Select that policy by double clicking it, and you should see the following screen:
Here you see the name of the policy, that it’s enabled and the type (VPN Dial up). Click on the settings tab, here we are going to set the authentication methods that we will allow for our VPN connection. First of all, tick the override network policy authentication settings and deselect all the less secure authentication methods, and add the following EAP type: Microsoft protected EAP (PEAP), This should be the only one listed, so delete any that might be there except this one.
Press edit and add smart card or other certificate, which we are going to use later on, when we move from password authentication to certificate authentication. Also make sure that Enable quarantine checks is ticked (we are going to use this feature in my next post when we add NAP.)
Also once we moved to certificate authentication, we could remove the secured password option and have just smart card or other certificate selected. Alternatively we could select the certificate that the server uses to identify itself, I leave it at the default selected. Press ok twice to save the options.
Now we need to change the connection at the client side. Go to network connections and change our VPN connection, go to the security tab, press settings, deselect Microsoft CHAP version 2, and select use extensible Authentication Protocol (EAP) and select Protected EAP (PEAP) Encryption enabled then press properties, leave validate server certificate, deselect connect to these servers, select authentication method: Secured password (EAP-MSCHAP V2) and tick enable quarantine checks (this is for NAP in my next post). Press ok three times, and make the connection.
We should get a dialogue box, to verify the server certificate, just press okay, this box won’t appear again. If we look at the details of our connection we will see:
It’s still a SSTP connection, but the authentication now is EAP. More secure then the previous MS-Chap V2.
The next step is to only allow certificate authentication and also to install the web enrollment role service to ease the distribution of certificates, since we are going to need a client certificate to make our SSTP connection.
Let’s install it, by going to server manager, roles, scroll down to active directory certificate services and press add service role, select Certificate Authority web enrollment, press add required role services, as the OS wants to add some IIS components, press next, again next, yet another time next, and finally press install to install the role services. When the install is finished just press close.
Now the install of the CA web enrollment wasn’t strictly necessary, but I wanted to show you this as well, and it does make a nice way to request a certificate, also since we need to request user certificates, so we could simply logon to the web enrollment webserver using the user-id that is going to use the certificate, we could do that from any computer, and save the certificate and install it later, on the client computer, or in our case (our client is still on the same network) we could do it directly on the client PC.
Before we can do this, we need to assign a certificate to our default website, as the webenrollment webserver requires SSL, to make sure we don’t run into problems, we will assign the same certificate as we have used for SSTP. So in IIS, right click the default website, select edit bindings and add a HTTPS binding using the VPN.testcompany.nl certificate, in my case I had two, so enter the netsh http show ssl command to find out which certificate SSTP is using, select the certificate with the same thumbprint as in the netsh output. If you get a conflict warning about certificate binding, just press ok.
Now we are ready to request that certificate on the client, start Internet explorer and enter the following address:
https://vpn.testcompany.nl/certsrv, login using the user-id we used for our vpn connection, (I used test, and make sure you enter it as domain\user, ie. testcompany\test and the password. Then you should see the webenrollment website.
Press request a certificate, and then user certificate. If you get a warning message about running outside of protected mode, press allow.
Another screen where you just press submit, another dialogue, press yes, and another warning message, allow, then press install this certificate. another warning (thanks to all the warnings, this post is going to be long), yes, and we are done. We now have a user certificate that will allow us to connect to our VPN server. So let’s just first disable the password authentication (on our NPS radius server), server manager, roles, network policy and access services, NPS (local), policies, connection request policies, Microsoft routing and remote access service policy, double click, settings, select Microsoft protected EAP (PEAP), press edit and remove secured password (EAP MS-chap V2). So now we are only to authenticate using certificates not passwords.
Let’s go back to the client and verify that we will not be able to connect using passwords, so don’t change anything and try to connect.
Indeed an error message, we are still trying to connect using that PEAP MS chap V2 password, but we have set the policy in NPS to only allow smartcard or other certificate, so we need to change our connection accordingly.
So change the connection, security tab, settings, and press the properties under EAP, now select smartcard or other certificate instead of secured password (EAP-MSCHAP V2), (make sure the enable quarantine checks is still checked, for NAP..), and press configure, select use a certificate on this computer, deselect connect to these servers. and press ok, and three times more ok.
Try to connect, which should succeed now, you will get another certificate dialogue box (don’t worry, again one time only, if we would have unchecked the validate server certificate option this dialogue would not pop up).
Connection succeeded, so now we have secured our connection further by only allowing PEAP, but additionally by only allowing certificates or smartcards, not passwords.
In the next post, we are going to add Network Access Protection to our SSTP VPN connection, to make it even more secure.
See you later 🙂