PPTP and RADIUS - how secure?

After reading Schneier's article "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" (http://www.schneier.com/paper-pptpv2.html) I am reasonably comfortable using PPTP in our business subject to the following caveats:

* Complex passwords not based on dictionary words (even with the addition or changing of letters, e.g. l to 1 and e to 3). We use a 30 character password generated by a password generator.

* MS-CHAPv1 is disabled on the firewall to allow no possibility of a Version Rollback attack

I have had a request to use Microsoft's RADIUS server at a branch to link to their VPN config, the reason being it will allow integration with Active Directory and common passwords.

Given that most users have pretty basic passwords, normally based on dictionary words, I have grave concerns about the security of this approach. But I'm not a RADIUS expert so I'm not sure if it provides additional security over and above that normally provided.

I'm looking for an answer to explain if RADIUS integrated with AD will require the 30 character passwords we currently use to provide the same level of security as what we currently have.

** Please, don't advise to use IPSec or SSL or another VPN - that's not what I'm asking in this question **

scwoa commented:
>> What password should be 130 characters
I meant the maximum length of the password that works with Radius, is listed at 130 characters. No, I don't have passwords that long and I have not tried it.

>>using Radius offers no benefit over using the same password as a standard PPTP password?
Radius is just an authentication mechanism, it does not provide any more security.  

According to RFC 2865, the length of the password can be up to 130 characters.

See page 26 or 27, section 5.2


If your Active Directory password policy requires it, then Radius should do it. Radius is just passing the user name / password back to Active Directory.
Also, I assume you have an account lockout policy in place.
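The 130 figure quoted above is the maximum Length of the User-Password attribute in RFC 2865 section 5.2 (Type and Length octets plus up to 128 octets of hidden password). The following is an added example, not code from anyone in this thread, that implements that attribute's hiding and unhiding exactly as the RFC describes it, so the limit and the round trip can be checked concretely. The shared secret, Request Authenticator and password values are constructed for the demonstration. One caveat worth knowing when reading the answer: with PPTP and MS-CHAPv2 the user's password never crosses the RADIUS link in this attribute at all; the challenge and response travel in the Microsoft vendor-specific attributes of RFC 2548 instead, so the 130-octet figure is a limit on the RADIUS attribute, not something the AD password policy depends on.

```python
# Added example (not from the original thread): RFC 2865 section 5.2 User-Password.
# The attribute Length octet counts Type + Length + String; the String is the
# password padded with NULs to a multiple of 16 and XORed block by block with
# MD5(shared_secret || previous block), the first "previous block" being the
# 16-octet Request Authenticator. This is obfuscation keyed by the shared secret,
# not strong encryption, which is why the secret and the transport matter.
import hashlib
import os

USER_PASSWORD_TYPE = 2                        # RFC 2865 attribute type 2
MAX_ATTRIBUTE_LENGTH = 130                    # "at least 18 and no larger than 130"
MAX_PASSWORD_OCTETS = MAX_ATTRIBUTE_LENGTH - 2  # 128 octets of hidden string
BLOCK = 16


def _xor_block(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a cleartext password as the NAS does before sending Access-Request."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD_OCTETS:
        raise ValueError(f"password must be 1..{MAX_PASSWORD_OCTETS} octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator                       # b1 = MD5(S + RA)
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        c = _xor_block(padded[i:i + BLOCK], mask)
        hidden += c
        prev = c                               # b(i+1) = MD5(S + c(i))
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; what the RADIUS server does before checking."""
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= MAX_PASSWORD_OCTETS:
        raise ValueError("hidden string must be 16..128 octets in 16-octet blocks")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        clear += _xor_block(c, hashlib.md5(secret + prev).digest())
        prev = c
    # Padding NULs are stripped; a password cannot end in NUL in this encoding.
    return bytes(clear).rstrip(b"\x00")


def build_user_password_attribute(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Type | Length | hidden String, with Length covering all three."""
    hidden = hide_user_password(password, secret, authenticator)
    return bytes([USER_PASSWORD_TYPE, 2 + len(hidden)]) + hidden


def parse_user_password_attribute(attr: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Validate the attribute framing, then recover the password."""
    if (len(attr) < 18 or attr[0] != USER_PASSWORD_TYPE
            or attr[1] != len(attr) or attr[1] > MAX_ATTRIBUTE_LENGTH):
        raise ValueError("malformed User-Password attribute")
    return reveal_user_password(attr[2:], secret, authenticator)


def attribute_length_for(password_len: int) -> int:
    """Length octet the attribute carries for a password of the given size."""
    attr = build_user_password_attribute(b"x" * password_len, b"s", bytes(BLOCK))
    return attr[1]


if __name__ == "__main__":
    # Constructed demo values; a real NAS draws the authenticator randomly per request.
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(BLOCK)
    password = b"3XRJ4MjC5MC%oa%1B#!hiaeMsWiNUZ"   # 30 characters, like the thread's example
    attr = build_user_password_attribute(password, secret, authenticator)
    print("attribute length octet:", attr[1])            # 34 = 2 + 32 (30 padded to 32)
    print("round trip ok:", parse_user_password_attribute(attr, secret, authenticator) == password)
    print("max password gives length:", attribute_length_for(128))   # 130
```

The two length checks show where the answer's number comes from: a 30-character password pads to 32 octets and yields a Length of 34, and a 128-octet password is the largest that fits, giving exactly 130. Anything longer is rejected before it is sent.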
tonydav67 (Author) commented:
I'm not sure I follow what you're saying. What password should be 130 characters? I'm assuming you don't mean the users' AD password?
Rich Rumble commented:
As you've said, the security is only as good as the passwords chosen for the current versions of M$ PPTP. The old one... well it was laughable: http://www.schneier.com/pptp-faq.html
Radius can be used for the authentication instead of the MS-CHAP or TLS (aka ssl), all very good authentication mechanisms. If your AD policy is 30 chars minimum, and you didn't use a different group policy for the VPN users or that office, then yes, 30 chars would be required for those users.

Newer vpn/tunneling protocols offer you more security, and using a pre-shared key or certificate will give you more security (in theory) than even a 30 char password. The certificate does the encryption, and the user's passwords are just for the authentication, allowing data to pass after the tunnel is established and encrypted using the cert/pre-shared key.

tonydav67 (Author) commented:
So if the user wants to keep their standard AD passwords (e.g. first son's name and age or something else pretty easy to work out with a dictionary attack) using Radius offers no benefit over using the same password as a standard PPTP password?
Rich Rumble commented:
Well PPTP isn't an encrypted protocol... but M$ adds MPPE for that, and MPPE derives the encryption from MS-CHAP, so if CHAP is not used, it might default to the native GRE tunnel that PPTP typically is.

Again, I've not tried to sniff and find out, but it sounds like you'd decrease your security if you relied on PPTP+Radius only. Again IPSEC/SSL protocols are better choices for a number of reasons. As stated above, Radius is only Authentication.
tonydav67 (Author) commented:
Okay, I think it's as I suspected, which is unless they want to change their AD passwords to 30 character ones (e.g. our current pw: "3XRJ4MjC5MC%oa%1B#!hiaeMsWiNUZ") then we should continue to not use Radius, as obviously no one would want to type the pw in the example in every morning when they login to the server. With the PPTP client setup we cache this for that user only. A small risk I feel, and the staff are under instructions that if their laptop is stolen we need to know ASAP to deactivate their PPTP account.

Thanks for your help guys.
tonydav67 (Author) commented:
Thanks again.