Local and Remote Network Connections

You can configure your dial-up, virtual private network (VPN), and direct connections to enforce various levels of password authentication and data encryption. Authentication methods range from unencrypted to custom, such as the Extensible Authentication Protocol (EAP). EAP provides flexible support for a wide range of authentication methods, including smart cards, certificates, one-time passwords, and public keys. You can also specify the type of data encryption, depending on the type of authentication protocol (MS-CHAP or EAP-TLS) that you choose. Finally, if allowed by your system administrator, you can configure callback options to save telephone charges, and to increase dial-up security.

On a Windows 2000 remote access server, remote access permission is granted based on the dial-in settings of your user account and on remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in granting remote access permissions and usage. If the settings of your connection do not match at least one of the remote access policies that apply to your connection, the connection attempt is rejected, regardless of your dial-in settings.
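The interaction between the account's dial-in setting and the policies is easy to get wrong, so here is a constructed illustration of the evaluation order just described. This is added example code, not Microsoft's implementation: the policy names, condition keys, sample accounts and the "policy" setting (standing in for "Control access through Remote Access Policy") are all assumptions made for the example. The point it demonstrates is the last sentence above: an account that is explicitly allowed is still rejected when no policy matches.

```python
"""Constructed illustration (not Microsoft code) of how a Windows 2000 style
remote access server combines an account's dial-in setting with a list of
remote access policies.  All names and sample data are made up."""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    conditions: dict      # every condition must match the connection attempt
    permission: str       # "grant" or "deny"
    min_encryption: int   # profile constraint: minimum key length in bits (0 = none)


@dataclass
class Account:
    name: str
    dial_in: str          # "allow", "deny", or "policy" (control through policy)
    groups: set


# Constructed sample policies; ordered, first match wins.
POLICIES = [
    Policy("VPN users", {"group": "VPN-Users", "port_type": "VPN"}, "grant", 128),
    Policy("After-hours dial-up", {"port_type": "Dialup", "hours": "after"}, "deny", 0),
    Policy("Dial-up staff", {"group": "Staff", "port_type": "Dialup"}, "grant", 40),
]


def condition_matches(key, value, account, connection):
    """'group' is tested against the account's groups; other keys against the attempt."""
    if key == "group":
        return value in account.groups
    return connection.get(key) == value


def first_matching_policy(account, connection, policies):
    for p in policies:
        if all(condition_matches(k, v, account, connection) for k, v in p.conditions.items()):
            return p
    return None


def evaluate(account, connection, policies=POLICIES):
    """Return (accepted, reason).  The order mirrors the text: no matching policy
    means rejection before the account's own dial-in setting is even consulted."""
    policy = first_matching_policy(account, connection, policies)
    if policy is None:
        return False, "no remote access policy matches this connection"
    if account.dial_in == "deny":
        return False, f"account dial-in setting denies access (policy {policy.name!r})"
    if account.dial_in == "policy" and policy.permission != "grant":
        return False, f"policy {policy.name!r} denies access"
    # Permission granted; now the policy profile's constraints are enforced.
    if connection.get("encryption_bits", 0) < policy.min_encryption:
        return False, f"policy {policy.name!r} requires at least {policy.min_encryption}-bit encryption"
    return True, f"accepted under policy {policy.name!r}"
```

Run `evaluate(Account("carol", "allow", set()), {"port_type": "ISDN"})` and the result is a rejection even though the account says "allow", because no policy's conditions match the attempt.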

The network administrator can configure Windows 2000 user accounts and domains to provide security by forcing encrypted authentication and encrypted data for remote communications. For more information about Windows 2000 security, see Windows 2000 Server Help.

How Security Works at Connection

The following steps describe what happens during a call to a remote access server:

  1. Your computer dials a remote access server.

  2. Depending on the authentication methods you have chosen, one of the following happens:

If You Are Using PAP or SPAP

  1. Your computer sends its password to the server.

  2. The server checks the account credentials against the user database.

If You Are Using CHAP or MS-CHAP

  1. The server sends a challenge to your computer.

  2. Your computer sends an encrypted response to the server.

  3. The server checks the response against the user database.

If You Are Using MS-CHAP v2

  1. The server sends a challenge to your computer.

  2. Your computer sends an encrypted response to the server.

  3. The server checks the response against the user database, and sends back an authentication response.

  4. Your computer verifies the authentication response.
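To make the difference between the PAP and CHAP flows above concrete, here is an added example (not code from the original page or from Microsoft) that simulates both exchanges in one process. The CHAP response follows RFC 1994 (MD5 over the identifier octet, the shared secret and the challenge); the final mutual-authentication step is only a constructed illustration of the "server sends an authentication response, client verifies it" pattern from the MS-CHAP v2 list, not the MS-CHAP v2 algorithm itself. The user database, user names and secret are made up.

```python
"""Added example: PAP versus CHAP as seen by the server and by someone
watching the link.  RFC 1994 CHAP; the mutual step is a constructed
illustration, not MS-CHAP v2.  All names and secrets are constructed."""
import hashlib
import hmac
import os

USER_DB = {"alice": b"correct horse battery staple"}   # constructed sample


# --- PAP: the password itself crosses the link -------------------------------
def pap_client_message(user, password):
    return {"user": user, "password": password}


def pap_server_check(msg, db=USER_DB):
    return hmac.compare_digest(db.get(msg["user"], b""), msg["password"])


# --- CHAP (RFC 1994): only a hash of secret + fresh challenge crosses --------
def chap_response(identifier, secret, challenge):
    # RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_client_reply(user, secret, identifier, challenge):
    return {"user": user, "id": identifier, "response": chap_response(identifier, secret, challenge)}


def chap_server_check(challenge, reply, db=USER_DB):
    secret = db.get(reply["user"])
    if secret is None:
        return False
    expected = chap_response(reply["id"], secret, challenge)
    return hmac.compare_digest(expected, reply["response"])


def run_chap(user, client_secret, db=USER_DB):
    challenge = os.urandom(16)          # server step 1: send a challenge
    reply = chap_client_reply(user, client_secret, 1, challenge)   # client step 2
    return chap_server_check(challenge, reply, db)                  # server step 3


def replay_rejected(user="alice", db=USER_DB):
    """A reply captured under one challenge fails when presented for a new one."""
    captured = chap_client_reply(user, db[user], 1, os.urandom(16))
    return not chap_server_check(os.urandom(16), captured, db)


# --- Mutual step (constructed illustration of the v2 pattern, not MS-CHAP v2) --
def server_auth_response(secret, challenge):
    return hmac.new(secret, b"server-proof" + challenge, hashlib.sha256).digest()


def mutual_auth_ok(user, client_secret, db=USER_DB):
    challenge = os.urandom(16)
    reply = chap_client_reply(user, client_secret, 1, challenge)
    if not chap_server_check(challenge, reply, db):
        return False
    proof = server_auth_response(db[user], challenge)               # server step 3
    expected = server_auth_response(client_secret, challenge)       # client step 4
    return hmac.compare_digest(proof, expected)


def wire_contains_secret(msg, secret):
    """Defender's view: does the captured message carry the secret verbatim?"""
    return any(isinstance(v, bytes) and v == secret for v in msg.values())
```

`wire_contains_secret` returns True for the PAP message and False for the CHAP reply, which is the whole reason the text lists PAP among the weaker methods; `replay_rejected` shows why the server's fresh challenge matters.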

If You Are Using Certificate-based Authentication

  1. The server requests credentials from your computer, and sends its own certificate.

  2. If you configured your connection to Validate server certificate, it is validated. If not, this step is skipped.

  3. Your computer presents its certificate to the server.

  4. The server verifies that the certificate is valid, and that it has not been revoked.

  5. If the account is valid, the server checks for remote access permission.

  6. If remote access permissions have been granted, the server accepts your connection. For a Windows 2000 server, permission is granted based on the remote access permission of the user account and the remote access policies.
    If callback is enabled, the server calls your computer back and repeats steps 2 through 4.

Note

If you are using an L2TP-enabled VPN, IP Security (IPSec) authenticates your computer account and provides encryption before any of these steps take place. For more information about IPSec, see Data Encryption later in this chapter.