After reading Schneier's article "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" (http://www.schneier.com/paper-pptpv2.html) I am reasonably comfortable using PPTP in our business, subject to the following caveats:
* Complex passwords not based on dictionary words (even with the addition or changing of letters, e.g. l to 1 and e to 3). We use a 30-character password generated by a password generator.
* MS-CHAPv1 is disabled on the firewall so there is no possibility of a version rollback attack.
I have had a request to use Microsoft's RADIUS server at a branch to link to their VPN config, the reason being that it will allow integration with Active Directory and common passwords.
Given that most users have pretty basic passwords, normally based on dictionary words, I have grave concerns about the security of this approach. But I'm not a RADIUS expert, so I'm not sure whether it provides additional security over and above what is normally provided.
I'm looking for an answer explaining whether RADIUS integrated with AD will still require the 30-character passwords we currently use in order to provide the same level of security as we currently have.
** Please don't advise using IPSec, SSL or another VPN; that's not what I'm asking in this question. **
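As an added example (not part of the asker's post), the following Python shows why the "l to 1, e to 3" style substitutions mentioned in the first caveat add almost nothing against an offline dictionary attack, while a 30-character random password stays out of reach. It assumes a constructed five-word list standing in for a real cracking wordlist, and uses a plain SHA-256 as a stand-in for the offline check an attacker runs against captured MS-CHAPv2 material; the real MS-CHAPv2 verification involves the NT hash and DES (RFC 2759) and is not implemented here.

```python
import hashlib
import itertools
import math
import secrets
import string

# Constructed (made-up) wordlist standing in for a real cracking list;
# real attackers use lists with millions of entries.
WORDLIST = ["password", "welcome", "security", "company", "summer"]

# Common "leet" substitutions that every cracking tool bakes into its mangling rules.
SUBSTITUTIONS = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}

# Typical suffixes users add to satisfy complexity policies.
SUFFIXES = ["", "1", "12", "123", "!", "2024"]


def leet_variants(word):
    """Yield every combination of leet substitutions for a lowercase word."""
    options = [[ch] + list(SUBSTITUTIONS.get(ch, "")) for ch in word.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(wordlist):
    """Yield the attacker's candidate set: word x leet variants x case x suffix."""
    for word in wordlist:
        for variant in leet_variants(word):
            for cased in (variant, variant[:1].upper() + variant[1:]):
                for suffix in SUFFIXES:
                    yield cased + suffix


def oracle(guess):
    """Stand-in for the offline check against captured MS-CHAPv2 material.
    Real MS-CHAPv2 verification uses the NT hash plus DES (RFC 2759); SHA-256
    is used here only so the example runs with the standard library alone."""
    return hashlib.sha256(guess.encode("utf-8")).digest()


def crack(target, wordlist):
    """Try every candidate against the target; return (password or None, attempts)."""
    attempts = 0
    for guess in candidates(wordlist):
        attempts += 1
        if oracle(guess) == target:
            return guess, attempts
    return None, attempts


def candidate_count(wordlist):
    """Size of the mangled dictionary the attacker has to search."""
    return sum(1 for _ in candidates(wordlist))


def random_password(length=30, alphabet=string.ascii_letters + string.digits):
    """A generated password of the kind the post describes (letters and digits)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space_bits(wordlist, length=30, alphabet_size=62):
    """log2 of the attacker's work: mangled dictionary vs. a random password."""
    return math.log2(candidate_count(wordlist)), length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("P4ssw0rd123", "S3cur1ty!", random_password()):
        found, n = crack(oracle(pw), WORDLIST)
        print(f"{pw!r}: {'recovered' if found else 'not found'} after {n} guesses")
    print("bits: dictionary+leet %.1f vs random 30-char %.1f" % search_space_bits(WORDLIST))
```

Both "P4ssw0rd123" and "S3cur1ty!" fall inside a candidate set of a few thousand guesses built from five words, so the substitutions buy nothing once the attacker can verify guesses offline; the random 30-character password is never in that set, and its search space is on the order of 2^178 rather than 2^11.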