Security

Windows 2000 supports several authentication protocols for dial-in access, such as MS-CHAP, CHAP, and SPAP. Windows 2000 can also be configured to support Extensible Authentication Protocol (EAP) if you want to use security devices to authenticate remote access users, in conjunction with other security devices such as smart cards and certificates. EAP-Transport Layer Security (EAP-TLS) allows users remote access by authenticating their identities using a combination of authentication vectors. When remote access users attempt to log on to a server that is using EAP-TLS, they are prompted to insert their smart card and enter their PIN during network logon authentication. If the user's PIN and smart card credentials are valid, the user is logged on and granted rights for the appropriate network user account. For more information about EAP-TLS, see Internet Authentication Service in the Microsoft Windows 2000 Server Resource Kit Internetworking Guide.

The remote access logon process depends primarily on server configuration to enable logon. Windows 2000 Server includes Routing and Remote Access Services, which can authenticate remote access network users. Routing and Remote Access supports smart card logon authentication using the EAP-TLS extension of the Point-to-Point Protocol (PPP).

For information about adding a smart card reader to your Windows 2000 Professional computer, see Windows 2000 Professional online documentation.

For more information about Routing and Remote Access, see Remote Access later in this chapter.