Remote access (RAS) refers to communication with a remote host through a
dial-up (and recently, a wireless) connection. Typically, clients connect to a
remote access server to gain access to remote resources or a remote network. The
necessary functions of a RAS solution are two-fold:
- Establish a solid connection
- Authenticate the user
The two main protocols that have been used to establish a dial-up connection
The Serial Line Interface Protocol (SLIP)
SLIP is an older remote access protocol used to establish a remote
connection. SLIP was implemented on UNIX dial-in servers to connect to a TCP/IP
network through phone lines. It did not support encryption or the use of DHCP to
automatically assign client IP addresses. For this reason, the following
transmission parameters usually had to be configured manually:
- IP addresses
- Data compression
- Maximum transmission unit (MTU)
- Maximum receive unit (MRU)
Point-to-Point Protocol (PPP)
PPP was designed as a replacement for SLIP. It is now the most widely used
protocol service for establishing connections. Some important things to know
about PPP are:
- It is a wide area network protocol that allows any system to contact another
system through a serial link with a direct serial connection or through a modem.
- It can negotiate communication parameters including IP addressing,
compression, and encryption.
- It supports multiple protocol suites through Network Control Programs
(NCP) such as TCP/IP, IPX/SPX, and AppleTalk.
After a connection has been established, authentication credentials are
submitted to the authentication server by the network access server
(NAS). The authentication server then validates or denies the credentials. When
using dial-up connections, implement the following protocols to authenticate
Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) is the weakest form of
- The username and password are sent in clear text for authentication.
- The password can be easily intercepted through packet sniffing and viewed
with a simple traffic analyzer.
- Use only when no other form of authentication is supported.
- PAP protocols are supported by multiple platforms, including Microsoft and
Shiva Password Authentication Protocol (SPAP)
The Shiva Password Authentication Protocol (SPAP) is used to connect
to a Shiva LAN Rover.
- The password used for authentication is encrypted.
- Password encryption is easily reversible.
Challenge Handshake Authentication Protocol (CHAP)
Challenge Handshake Authentication Protocol (CHAP) encrypts both the
password and the username. CHAP:
- Uses a three-way handshake (challenge/response).
- Periodically verifies the identity of a peer using a three-way handshake.
- CHAP is the only remote access authentication protocol that periodically and
transparently re-authenticates during a logon session by default.
- Uses MD5 hashing of the shared secret for authentication.
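The CHAP challenge/response exchange described above, as an added example that is not from the original notes: the authenticator sends a random challenge, the peer answers with MD5 over the identifier, the shared secret and the challenge (the RFC 1994 construction), and the authenticator recomputes and compares. The class and function names are this example's own.

```python
import hashlib
import secrets

# Added example (not from the original notes). Implements the RFC 1994 CHAP
# response: Response = MD5(Identifier || Secret || Challenge). The secret never
# crosses the link; only the random challenge and the digest do, which is what
# separates CHAP from PAP's cleartext password.


def chap_response(identifier, secret, challenge):
    """Value the peer returns for a challenge (identifier is one byte, 0-255)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and verifies responses against a secret db."""

    def __init__(self, secrets_db):
        self.secrets_db = secrets_db      # constructed: username -> shared secret
        self.identifier = 0
        self.outstanding = {}             # identifier -> challenge still awaiting reply

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        chal = secrets.token_bytes(16)    # fresh random value for every handshake
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        # Each challenge is consumed on first use, so a captured response cannot be
        # replayed against a later challenge (the periodic re-authentication relies on this).
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return secrets.compare_digest(expected, response)


def demo_session(secrets_db, name, client_secret):
    """Initial login, a replayed old response, then a periodic re-authentication."""
    server = ChapAuthenticator(secrets_db)
    ident, chal = server.challenge()
    first = server.verify(ident, name, chap_response(ident, client_secret, chal))
    ident2, _ = server.challenge()
    replay = server.verify(ident2, name, chap_response(ident, client_secret, chal))
    ident3, chal3 = server.challenge()
    reauth = server.verify(ident3, name, chap_response(ident3, client_secret, chal3))
    return first, replay, reauth
```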
Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP
Microsoft Challenge Handshake Authentication Protocol version 1
(MS-CHAP v1) is Microsoft's implementation of CHAP.
- MS-CHAP v1 uses a three-way handshake (challenge/response).
- The server authenticates the client (the client cannot authenticate the
- The secret used for authentication is encrypted.
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP
Similar to MS-CHAP v1, MS-CHAP v2 uses a challenge/response mechanism for
authentication. MS-CHAP v2 allows both the client and the server to authenticate
each other (mutual authentication).
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is a set of interface
standards that allows you to use various authentication methods.
- EAP supports multiple authentication methods (smartcards, biometrics, and
- Using EAP, the client and server negotiate the characteristics of
- EAP is an extension of the Point to Point Protocol (PPP).
- Protocols enabled by EAP are:
  - Transport Layer Security (TLS) is a very strong form of mutual
    authentication using digital certificates.
  - Tunneled Transport Layer Security (TTLS) allows for a minimum of a digital
    certificate on the server side and passwords on the client side. This can be
    upgraded to having digital certificates on both sides.
Protected Extensible Authentication Protocol (PEAP)
Protected Extensible Authentication Protocol (PEAP) provides
authentication, including passwords, to wireless LAN clients. When using PEAP,
select one of the following two options:
- PEAP-EAP-TLS. This method uses certificates (either on the local system or
on a smart card).
- PEAP-MS-CHAP v2. This method uses certificates on the server, but passwords
on the client. Use this method when the client does not have a
Light-weight Extensible Authentication Protocol (LEAP)
Light-weight Extensible Authentication Protocol (LEAP) is a
Cisco-proprietary technology. LEAP:
- Requires a Cisco RADIUS server and Cisco software on the client's side.
- Requires the minimum of a digital certificate on the server side and
passwords and Cisco drivers on the client side. This can be upgraded to having
digital certificates on both sides.
Additional features that can be used with remote access to reduce cost and
improve performance are:
Caller ID
With caller ID, the remote access server uses caller ID to verify the
phone number of the remote access client. With caller ID, the server can allow
access only to approved calling numbers.
Callback
With callback, the remote access client connects briefly to the
remote access server and authenticates. The call is then terminated, and the
server calls the client back to establish the remote session. Callback can be
used to increase security or to reduce long-distance charges for remote
clients. The server can use the following criteria in calling back the client:
- The server calls back to a specific number provided by the client.
- The server calls back to the number used by the client to dial in (requires