Name the various methods of authentication available in the Windows 2000 operating system
Password Authentication Protocol
Password Authentication Protocol (PAP) sends the password as a plaintext string from the user's computer to the NAS device. When the NAS forwards the password to the RADIUS server, it is hidden using the RADIUS shared secret as an encryption key, so the password is protected only on the NAS-to-RADIUS hop, not on the link from the user's computer.
Challenge Handshake Authentication Protocol
Challenge Handshake Authentication Protocol (CHAP) is designed to address the concern of passing passwords in plaintext. With CHAP, the NAS sends a random challenge to the user's computer, and the client hashes the challenge together with the user's password by using MD5. The client then sends the hash as its response to the NAS challenge, and the NAS forwards both the challenge and the response to the RADIUS server in the Access-Request packet.
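The CHAP round trip described above, written out as an added example (not code from the original page): the NAS generates a random challenge, the client computes the RFC 1994 response MD5(Identifier || secret || Challenge), and the authenticating server recomputes it from its stored copy of the password. The user store, password and identifier value are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store. CHAP verification needs the password itself on the
# server side, which is exactly the weakness MS-CHAP's MD4-hash storage avoids.
USER_DB = {"alice": b"correct horse battery"}


def chap_challenge(length: int = 16) -> bytes:
    """NAS side: random challenge carried in the CHAP Challenge packet."""
    return os.urandom(length)


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: RFC 1994 response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected hash from the stored password and
    compare in constant time. Unknown users fail closed."""
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = chap_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, client_password: bytes) -> bool:
    """One complete challenge/response exchange between client and NAS."""
    identifier = 0x01              # CHAP Identifier byte, fresh per challenge
    challenge = chap_challenge()   # NAS -> client
    response = chap_response(identifier, client_password, challenge)  # client -> NAS
    return chap_verify(username, identifier, challenge, response)     # NAS decision


def replayed_response_is_rejected(username: str, password: bytes) -> bool:
    """Why the challenge must be random: a response captured for one challenge
    does not verify against a new one, so a passive observer cannot replay it."""
    old_challenge, new_challenge = chap_challenge(), chap_challenge()
    captured = chap_response(0x01, password, old_challenge)
    return not chap_verify(username, 0x01, new_challenge, captured)
```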
Microsoft Challenge Handshake Authentication Protocol
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a variant of CHAP that does not require a plaintext version of the password on the authenticating server. In MS-CHAP the challenge response is calculated from an MD4 hash of the password and the NAS challenge.
Microsoft Challenge Handshake Authentication Protocol Version 2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. For VPN connections, Windows 2000 servers offer MS-CHAP v2 before offering the legacy MS-CHAP. Updated Windows clients accept MS-CHAP v2 when it is offered.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP) that works with dial-up, PPTP, and L2TP clients. EAP allows the addition of new authentication methods, known as EAP types. Both the dial-in client and the remote access server must support the same EAP type for authentication to succeed.
- EAP-MD5 CHAP
- EAP-TLS
- EAP-RADIUS
Guest Access for PPP Users
Guest access is the ability to log on to a domain without a user name and/or a password. Both the Routing and Remote Access service and IAS must be configured to support unauthenticated access.
DNIS Authorization
Dialed Number Identification Service (DNIS) authorization is the authorization of a connection attempt based on the number called. This attribute is referred to as Called Station ID. DNIS is a service offered by standard telecommunication companies that returns the number called to the called party. Based on the Called-Station-ID attribute, IAS can deliver different services to dial-up/remote access users.
ANI Authorization
Automatic Number Identification (ANI) authorization is based on the number the user called from. This attribute is referred to as Calling Station ID, or Caller ID. Based on the Calling-Station-ID attribute, IAS can deliver different services to dial-up/remote access users.