Tony Davidson asked:

PPTP and RADIUS - how secure?

After reading Schneier's article "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" (http://www.schneier.com/paper-pptpv2.html) I am reasonably comfortable using PPTP in our business subject to the following caveats:

* Complex passwords not based on dictionary words (even with the addition or changing of letters, e.g. l to 1 and e to 3). We use a 30 character password generated by a password generator.

* MS-CHAPv1 is disabled on the firewall to allow no possibility of a Version Rollback attack

I have had a request to use Microsoft's RADIUS server at a branch to link to their VPN config, the reason being it will allow integration with Active Directory and common passwords.

Given that most users have pretty basic passwords, normally based on dictionary words, I have grave concerns about the security of this approach. But I'm not a RADIUS expert so I'm not sure if it provides additional security over and above that normally provided.

I'm looking for an answer to explain if RADIUS integrated with AD will require the 30 character passwords we currently use to provide the same level of security as what we currently have.

** Please, don't advise to use IPSec or SSL or another VPN - that's not what I'm asking in this question **

Thanks,
tony
scwoa:

Tony,

According to RFC 2865, the length of the password can be up to 130 characters.

See page 26 or 27, section 5.2

http://www.ietf.org/rfc/rfc2865.txt 

If your Active Directory password policy requires it, then Radius should do it. Radius is just passing the user name/password back to Active Directory.
Also, I assume you have an account lockout policy in place.
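An added worked example (not from scwoa's answer or from RFC 2865 itself) of the User-Password hiding defined in the cited section 5.2, which is where the 130 figure comes from: the attribute Length is a 2-octet header plus at most 128 password octets, and the password travels XOR-masked under MD5 of the NAS/RADIUS shared secret rather than encrypted. The shared secret and Request Authenticator are assumed inputs supplied by the caller.

```python
import hashlib

USER_PASSWORD_TYPE = 2      # RFC 2865 section 5.2, User-Password attribute
MAX_PASSWORD_OCTETS = 128   # attribute Length is 18..130: 2-octet header + <=128 octets


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """String field of a User-Password attribute (RFC 2865 section 5.2).

    Null-pad the password to a multiple of 16 octets, then XOR each block with
    MD5(shared secret + previous block), seeded with the packet's 16-octet
    Request Authenticator. This is keyed masking, not encryption: anyone with
    the shared secret recovers the password, so the NAS-RADIUS path must be trusted.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > MAX_PASSWORD_OCTETS:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                      # chain on the masked block, per the RFC
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server does before checking AD."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden field must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")     # strip the null padding added by the sender


def user_password_attribute(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Full Type/Length/Value encoding; Length = 2 + hidden field, so at most 130."""
    hidden = hide_user_password(password, secret, request_authenticator)
    return bytes([USER_PASSWORD_TYPE, 2 + len(hidden)]) + hidden
```

This attribute is what a PAP-style request carries; when a VPN server relays MS-CHAPv2 to RADIUS, the challenge and response go in the MS-CHAP vendor-specific attributes of RFC 2548 and the password itself never crosses the wire. Either way the server ends up checking the user's AD password, so its strength, not this attribute's length limit, is the factor that matters.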
Tony Davidson (asker):

I'm not sure I follow what you're saying. What password should be 130 characters? I'm assuming you don't mean the users' AD password?
Rich Rumble:
As you've said, the security is only as good as the passwords chosen for the current versions of M$ PPTP. The old one... well it was laughable: http://www.schneier.com/pptp-faq.html
Radius can be used for the authentication instead of the MS-CHAP or TLS (aka ssl), all very good authentication mechanisms. If your AD policy is 30 chars minimum, and you didn't use a different group policy for the VPN users or that office, then yes, 30 chars would be required for those users.

Newer vpn/tunneling protocols offer you more security, and using a pre-shared key or certificate will give you more security (in theory) than even a 30 char password. The certificate does the encryption, and the user's passwords are just for the authentication, allowing data to pass after the tunnel is established and encrypted using the cert/pre-shared key.
-rich

Tony Davidson (asker):

So if the user wants to keep their standard AD passwords (e.g. first son's name and age or something else pretty easy to work out with a dictionary attack) using Radius offers no benefit over using the same password as a standard PPTP password?
ASKER CERTIFIED SOLUTION
scwoa
(answer text not available on this page)

SOLUTION
(answer text not available on this page)
Okay, I think it's as I suspected, which is unless they want to change their AD passwords to 30 character ones (e.g. current pw: "3XRJ4MjC5MC%oa%1B#!hiaeMsWiNUZ") then we should continue to not use Radius, as obviously no one would want to type the pw in the example in every morning when they login to the server. With the PPTP client setup we cache this for that user only. A small risk I feel, and the staff are under instructions that if their laptop is stolen we need to know ASAP to deactivate their PPTP account.

Thanks for your help guys.
Thanks again.