Compulsory Tunneling with IAS
The benefit of using IAS with tunnels is that IAS can be configured to direct the traffic from the client through a tunnel to a particular location. Depending on the category of authenticating user, a tunnel can be created to different parts of the corporate network.
For information about tunneling and the use of tunneling in Windows 2000, see "Virtual Private Networking" in this book.
Tunnels can be created in different ways. The following sections describe the two main tunnel types: voluntary tunneling and compulsory tunneling.
A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the user's computer is a tunnel endpoint and acts as the tunnel client. Voluntary tunneling occurs when a workstation or router uses tunneling client software to create a VPN connection to the target tunnel server. In order to accomplish this, the appropriate tunneling protocol must be installed on the client computer.
In a dial-up situation, the client must establish a dial-up connection to the internetwork before the client can set up a tunnel. This is the most common case. The best example of this is the dial-up Internet user, who must dial an ISP and obtain an Internet connection before a tunnel over the Internet can be created. Figure 8.7 shows a voluntary tunnel created between a dial-up user and a tunnel server.
Figure 8.7 Voluntary Tunnel Created by a Dial-Up User
Figure 8.7 shows IAS as it is used in an outsourced bulk dial scenario for voluntary tunneling. A dial-up client establishes a dial-up connection to an ISP. In the outsourced bulk dial scenario, the dial-up client calls an ISP that is providing Internet access for all the employees of an organization. Based on the dial-up connection parameters, the NAS dialed by the dial-up client sends an Access-Request packet to a configured RADIUS proxy computer. The RADIUS proxy, based on the realm name in the User-Name attribute, forwards the Access-Request packet to the IAS server of the organization that is reachable on the Internet through a firewall. The organization IAS server authenticates and authorizes the connection attempt of the dial-up client and sends an Access-Accept packet back to the RADIUS proxy. The RADIUS proxy forwards the Access-Accept packet to the ISP NAS, and the ISP NAS connects the dial-up client to the Internet.
Once it is connected to the Internet, the dial-up client initiates a tunnel connection with the organization tunnel server on the Internet. Based on the tunnel connection parameters, the tunnel server sends an Access-Request packet to the organization IAS server. The organization IAS server authenticates and authorizes the connection attempt of the tunnel client and sends an Access-Accept packet back to the tunnel server. The tunnel server completes the tunnel creation, and the tunnel client can now send packets to the organization intranet through the tunnel.
The authentication type and level of encryption might be different for the dial-up connection and the tunnel. For example, the dial-up connection to the ISP might use CHAP, but the tunnel might choose a more secure authentication type such as MS-CHAP v2 or EAP-TLS.
Compulsory tunneling is the creation of a secure tunnel by another computer or network device on the client computer's behalf. Compulsory tunnels are configured and created automatically for the user, without the user's knowledge or intervention. With a compulsory tunnel, the user's computer is not a tunnel endpoint. Instead, the dial-up access server dialed by the client computer, which sits between the user's computer and the tunnel server, is the tunnel endpoint and acts as the tunnel client.
A number of vendors that sell dial-up access servers have implemented the ability to create a tunnel on behalf of a dial-up client. The computer or network device providing the tunnel for the client computer is known as a Front End Processor (FEP) in PPTP, an L2TP Access Concentrator (LAC) in L2TP, or an IP Security Gateway in IPSec. For the purposes of this chapter, the term FEP is used to describe this functionality, regardless of the tunneling protocol. To carry out its function, the FEP must have the appropriate tunneling protocol installed and must be capable of establishing the tunnel when the client computer attempts a connection.
A corporation can contract with an ISP to deploy a nationwide set of FEPs. These FEPs can establish tunnels across the Internet to a tunnel server connected to the corporation's private network, thereby consolidating calls from geographically diverse locations into a single Internet connection at the corporate network.
Figure 8.8 shows the client computer placing a dial-up call to a tunneling-enabled NAS at the ISP, in order to authenticate against an IAS server on the other side of the tunnel.
Figure 8.8 Compulsory Tunnel Created by a Tunneling-Enabled NAS
Figure 8.8 shows IAS as it is used in an outsourced bulk dial scenario for compulsory tunneling.
A dial-up client establishes a dial-up connection to an ISP. In the outsourced bulk dial scenario, the dial-up client calls an ISP that is providing tunneled access across the Internet for all the employees of an organization. Based on the dial-up connection parameters, the NAS dialed by the dial-up client sends an Access-Request packet to a configured IAS server. The ISP IAS server authorizes the tunnel connection and sends back an Access-Accept packet with a series of tunnel attributes. If a suitable tunnel does not already exist, the ISP NAS creates a tunnel to the organization tunnel server on the Internet.
Normally IAS provides both authentication and authorization. In this case, however, it is common for the ISP IAS server to provide authorization only. Because the dial-up client is authenticated through the organization tunnel server, authentication at the ISP NAS is not necessary.
The ISP NAS then sends a PPP message to the dial-up client to restart the authentication process so that the dial-up user can be authenticated against the organization tunnel server. The dial-up client sends its authentication information to the ISP NAS, which encapsulates it and sends it through the tunnel to the tunnel server.
After the authentication credentials are received by the tunnel server, the tunnel server sends an Access-Request packet to the organization IAS server. The organization IAS server authenticates and authorizes the connection of the dial-up client to the tunnel server and sends an Access-Accept packet to the tunnel server. The tunnel server then completes the connection to the dial-up client.
All data that is sent by the dial-up client is automatically sent through the tunnel to the tunnel server by the ISP NAS.
This configuration is known as compulsory tunneling because the client is compelled to use the tunnel created by the FEP. After the initial connection is made, all network traffic to and from the client is automatically sent through the tunnel. IAS can be configured to instruct a FEP to tunnel different dial-up clients to different tunnel servers.
Unlike the separate tunnels created for each voluntary client, a compulsory tunnel between the FEP and tunnel server can be shared by multiple dial-up clients. When a second client dials into the access server (the FEP) to reach a destination for which a tunnel already exists, the data traffic for the new client is carried over the existing tunnel.
Using a RADIUS proxy with compulsory tunnels is not recommended. The Tunnel-Password attribute is encrypted with the shared secret between IAS and the proxy, so the proxy is able to decrypt it and sees the tunnel password in the clear.
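To make the proxy problem concrete, the following Python is an added example (not code from the chapter or from IAS) that implements the Tunnel-Password hiding scheme of RFC 2868 section 3.5 and the step a RADIUS proxy has to perform when it relays an Access-Accept: decrypt the attribute with the secret it shares with IAS, then re-encrypt it with the secret it shares with the NAS and the NAS's own Request Authenticator. The shared secrets, the password and the Request Authenticators are constructed sample values, and the function names are my own.

```python
import hashlib
import os
from typing import Optional, Tuple

# Constructed sample values (not from the chapter): one tunnel password and the
# two shared secrets a RADIUS proxy holds, one for each hop.
SECRET_IAS_PROXY = b"secret-shared-with-ias"   # organization IAS <-> proxy
SECRET_NAS_PROXY = b"secret-shared-with-nas"   # proxy <-> ISP NAS
TUNNEL_PASSWORD = b"example-tunnel-password"


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encode_tunnel_password(password: bytes, secret: bytes, request_auth: bytes,
                           salt: Optional[bytes] = None) -> bytes:
    """Hide a password as the Salt+String part of Tunnel-Password (RFC 2868 s3.5).

    b(1) = MD5(S + R + A), c(1) = p(1) XOR b(1)
    b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i)
    S = shared secret, R = Request Authenticator, A = 2-octet salt.
    """
    if salt is None:
        # Salt: two octets, high bit of the first octet set, unique per attribute.
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    if len(password) > 239:  # 1 length octet + password, padded to 16, must fit in 240
        raise ValueError("password too long for a single Tunnel-Password attribute")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)          # pad with NULs to a 16-octet boundary
    chain = request_auth + salt                     # feeds the first MD5 (R + A)
    out = bytearray()
    for i in range(0, len(plain), 16):
        block_key = _md5(secret, chain)
        cipher_block = bytes(p ^ k for p, k in zip(plain[i:i + 16], block_key))
        out += cipher_block
        chain = cipher_block                        # later blocks chain on the ciphertext
    return salt + bytes(out)


def decode_tunnel_password(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of encode_tunnel_password: anyone holding `secret` can recover the password."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password string")
    chain = request_auth + salt
    plain = bytearray()
    for i in range(0, len(cipher), 16):
        cipher_block = cipher[i:i + 16]
        block_key = _md5(secret, chain)
        plain += bytes(c ^ k for c, k in zip(cipher_block, block_key))
        chain = cipher_block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet inconsistent with string (wrong secret?)")
    return bytes(plain[1:1 + length])


def proxy_forward_tunnel_password(value: bytes, auth_proxy_to_ias: bytes,
                                  auth_nas_to_proxy: bytes) -> Tuple[bytes, bytes]:
    """What a proxy must do with Tunnel-Password on an Access-Accept it relays.

    IAS hid the attribute under the IAS<->proxy secret and the Request Authenticator
    the proxy sent. To forward it, the proxy recovers the cleartext and re-hides it
    under the proxy<->NAS secret and the Request Authenticator the NAS used.
    Returns (cleartext the proxy saw, value sent on to the NAS).
    """
    cleartext = decode_tunnel_password(value, SECRET_IAS_PROXY, auth_proxy_to_ias)
    return cleartext, encode_tunnel_password(cleartext, SECRET_NAS_PROXY, auth_nas_to_proxy)


def demo() -> dict:
    auth_nas = os.urandom(16)     # Request Authenticator of the NAS's Access-Request
    auth_proxy = os.urandom(16)   # Request Authenticator the proxy used toward IAS
    from_ias = encode_tunnel_password(TUNNEL_PASSWORD, SECRET_IAS_PROXY, auth_proxy)
    seen_by_proxy, to_nas = proxy_forward_tunnel_password(from_ias, auth_proxy, auth_nas)
    at_nas = decode_tunnel_password(to_nas, SECRET_NAS_PROXY, auth_nas)
    return {"seen_by_proxy": seen_by_proxy, "at_nas": at_nas,
            "proxy_sees_cleartext": seen_by_proxy == TUNNEL_PASSWORD}


if __name__ == "__main__":
    print(demo())
```

The hiding is per-hop: it protects the password from observers on the wire, not from any RADIUS party that holds a shared secret along the path, which is exactly why the chapter recommends against a proxy when Tunnel-Password is in use.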
The following RADIUS Attributes are used to carry the tunneling information from the IAS server to the NAS.
Used in authorization only:
Tunnel-Password (not for use with proxies)
Used in authorization and accounting:
Tunnel-Type (PPTP, L2TP, and so on)
Tunnel-Medium-Type (X.25, ATM, Frame Relay, IP, and so on)
Used for accounting only:
The Windows 2000 Routing and Remote Access service cannot be used as a FEP for compulsory tunneling.
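The following Python is an added example, not code from the chapter or from IAS, showing how the tunnel attributes above travel from the RADIUS server to the NAS and how a NAS should treat them: it builds an Access-Accept carrying tagged Tunnel-Type and Tunnel-Medium-Type attributes (plus Tunnel-Server-Endpoint, attribute 67, which RFC 2868 defines alongside them and which carries the tunnel server's address), chooses the tunnel server by user category as the section describes, and on the NAS side verifies the Response Authenticator before acting on any tunnel directive. Attribute numbers and values are from RFC 2865 and RFC 2868; the shared secret, user categories, server names and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes and values (from the RFC, not from the chapter's list).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_SERVER_ENDPOINT = 67
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP = 1, 3
TUNNEL_MEDIUM_IPV4 = 1

# Constructed sample policy: which tunnel server each category of user is steered to.
TUNNEL_POLICY = {
    "engineering": (TUNNEL_TYPE_L2TP, b"l2tp-gw.corp.example.net"),
    "sales": (TUNNEL_TYPE_PPTP, b"pptp-gw.corp.example.net"),
}
SHARED_SECRET = b"constructed-nas-ias-secret"   # NAS <-> IAS shared secret (sample)


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """Type | Length | Tag | 3-octet integer (RFC 2868 tagged integer layout)."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag must be 0..0x1F and value must fit in 3 octets")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    """Type | Length | Tag | string (RFC 2868 tagged string layout)."""
    body = bytes([tag]) + value
    if not 0 <= tag <= 0x1F or len(body) > 253:
        raise ValueError("bad tag or string too long for one attribute")
    return bytes([attr_type, 2 + len(body)]) + body


def tunnel_attributes_for(category: str, tag: int = 1) -> list:
    """The attribute set the RADIUS server returns to steer this category of user."""
    tunnel_type, endpoint = TUNNEL_POLICY[category]
    return [
        tagged_integer(TUNNEL_TYPE, tag, tunnel_type),
        tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4),
        tagged_string(TUNNEL_SERVER_ENDPOINT, tag, endpoint),
    ]


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes: list) -> bytes:
    """Code | Identifier | Length | Response Authenticator | Attributes (RFC 2865)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_tunnel_directives(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """NAS side: verify the Response Authenticator, then group tunnel attributes by tag."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not an Access-Accept or bad length")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: drop the packet")
    tunnels = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tunnels.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_SERVER_ENDPOINT and value:
            # A leading octet above 0x1F is data, not a tag (RFC 2868 s3.4).
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    return tunnels


def demo(category: str) -> dict:
    request_auth = os.urandom(16)   # taken from the NAS's own Access-Request
    accept = build_access_accept(0x42, request_auth, SHARED_SECRET,
                                 tunnel_attributes_for(category))
    return parse_tunnel_directives(accept, request_auth, SHARED_SECRET)


if __name__ == "__main__":
    for cat in TUNNEL_POLICY:
        print(cat, demo(cat))
```

The tag octet is what lets one Access-Accept describe more than one tunnel; here a single tag is used per user, and the result is a mapping from tag to the Tunnel-Type, Tunnel-Medium-Type and endpoint the FEP should use. The authenticator check matters because these attributes decide where a client's traffic is sent: a forged or altered Access-Accept that fails the check is discarded rather than acted on.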