In light of last month’s announcement by Moxie Marlinspike and David Hulton that they developed a method for decrypting Windows VPN traffic in under 24 hours, it is now important to stop using MS-CHAPv2 as a means of authenticating VPN passwords.
There is a relatively simple fix for this. Microsoft VPN servers can authenticate passwords using another protocol called PEAP, also known as PEAP-EAP-MSCHAPv2, which carries the same MS-CHAPv2 exchange inside a TLS tunnel so that the challenge and response are never exposed to a network eavesdropper. The only reason one might avoid using PEAP in the first place is that the Microsoft documentation is confusing and describes a requirement for Public Key Infrastructure (PKI) deployment. The PKI as described in Deploying Remote Access VPNs requires anywhere from one to three servers just to issue certificates. However, it only specifies the PKI requirement for a slightly different protocol called EAP-TLS.
To be clear, PEAP does not require a full-blown PKI or even an internal Certificate Authority. You can, in fact, use the same certificate that has been, or would be, issued to a web server for SSL encryption. There is no reason to add a second certificate just for a VPN server. This also means there is no investment required in PKI if a free certificate issuer is used, such as startssl.com.
Below is a brief tutorial for configuring an existing RRAS installation with PEAP-MS-CHAPv2.
Step 1 – Enable EAP
If you are setting up a new VPN server, an important step is adding the first Remote Access Policy to allow incoming connections. During this procedure, one of the wizard pages is titled Authentication Methods, and it has only MS-CHAPv2 enabled by default.
Turn on the EAP option and make sure PEAP is the selected Type. Turn off MS-CHAPv2 if you have no need for multiple protocols.
Click the Configure button to reach the Protected EAP Properties dialog box.
The same thing can be done to an existing policy with just a few more clicks.
Double-click on the applicable Remote Access Policy to view its properties.
Click the Edit Profile button.
Click the Authentication tab in the Edit Dial-in Profile dialog box.
Click the EAP Methods button.
Click the Add button and select PEAP from the list of authentication methods.
Click the Edit button to reach the Protected EAP Properties dialog box.
Protip, suggested by Matze in the comments: It is possible to disable EAP at the RRAS server level, which could cause a client authentication error or similar problems with Remote Access Policies. Make sure EAP is enabled both for the server and for the appropriate policy.
Step 2 – Verify the PEAP Settings
At this point, you should be done with the server configuration!
When the Protected EAP Properties dialog box opens, it should automatically select the first available server authentication certificate. This might be a certificate that was previously installed on the server (e.g. through IIS), or a certificate that was automatically requested from an internal Certificate Authority.
The EAP Type should also be selected automatically, described as “Secured password (EAP-MSCHAP v2)”.
Simply click the OK button after verifying the information above.
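Because the protip in Step 1 warns that EAP can be switched off at the RRAS server level independently of the policy, it is worth checking the server-level authentication types after finishing Steps 1 and 2. The following PowerShell script is an added example, not part of the original post: it parses the output of netsh ras show authtype and reports anything inconsistent with a PEAP-only server. It assumes netsh prints one enabled type per line with the type name as the first token (English output); the sample output embedded below is constructed so the script runs without an RRAS server.

```powershell
# Added example: audit RRAS server-level authentication types for the PEAP setup above.
# Assumption: 'netsh ras show authtype' lists one enabled type per line, type name first.

function Get-RasAuthTypes {
    param([string[]]$NetshOutput)
    # Type names accepted by 'netsh ras add authtype' across RRAS versions (assumed list)
    $known = 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP', 'MSCHAPv2', 'EAP', 'CERT'
    $enabled = @()
    foreach ($line in $NetshOutput) {
        $token = ($line.Trim() -split '\s+')[0]
        if ($known -contains $token) { $enabled += $token }
    }
    return $enabled
}

function Test-PeapOnlyConfig {
    param([string[]]$EnabledTypes)
    $problems = @()
    if ($EnabledTypes -notcontains 'EAP') {
        # This is the failure mode described in the Step 1 protip
        $problems += 'EAP is disabled at the server level; PEAP policies will fail.'
    }
    if ($EnabledTypes -contains 'MSCHAPv2' -or $EnabledTypes -contains 'MSCHAP') {
        $problems += 'MS-CHAP/MS-CHAPv2 still enabled at the server level; clients can still use the weak method.'
    }
    if ($EnabledTypes -contains 'PAP' -or $EnabledTypes -contains 'SPAP' -or $EnabledTypes -contains 'MD5CHAP') {
        $problems += 'Legacy types (PAP/SPAP/MD5CHAP) are enabled.'
    }
    return $problems
}

# On the RRAS server, replace $sample with:  $sample = netsh ras show authtype
# Constructed sample output (not captured from a real server):
$sample = @(
    'Enabled Authentication Types:',
    '',
    '    Type      Description',
    '    ----------------------------------------------------------------',
    '    MSCHAPv2  Microsoft Challenge-Handshake Authentication Protocol v2',
    '    EAP       Extensible Authentication Protocol'
)

$types    = Get-RasAuthTypes -NetshOutput $sample
$findings = Test-PeapOnlyConfig -EnabledTypes $types
if ($findings.Count -eq 0) {
    Write-Output 'Server-level authentication types are consistent with PEAP-only.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

With the constructed sample the script reports that MS-CHAPv2 is still enabled; on a real server, netsh ras add authtype type=EAP and netsh ras delete authtype type=MSCHAPv2 apply the corresponding change at the server level, after which the policy settings from Step 1 still apply.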
Step 3 – Configuring Clients
The other half of the PEAP setup involves a change to the Windows VPN client. By default, the New Connection Wizard only enables MS-CHAP and MS-CHAPv2. This will no longer work if MS-CHAPv2 has been disabled on the server.
In the VPN connection properties, click on the Security tab.
Select the Advanced option, and then click the Settings button.
Select the Use Extensible Authentication Protocol (EAP) option.
Select PEAP instead of the default Smart Card option in the drop-down box.
Click the Properties button.
Scroll through the list of Trusted Root Certification Authorities, find the root CA that matches the root of your server certificate, and select it.
Verify the authentication method is set to “Secured password (EAP-MSCHAP v2)”.
If appropriate, click the Configure button to enable automatic login to the VPN with the credentials of the user account at the client computer. Otherwise, the VPN client will prompt the user to log in when connecting to the VPN.
Step 4 – Trusting the Server
The first time each client connects to the new PEAP server, the user will be presented with the server’s authentication certificate and will be asked to verify that the correct server was contacted. After saving this choice, the client will automatically perform this verification at the start of each connection without bothering the user. Note that this feature does not exist in MS-CHAPv2. It is an additional security measure that prevents impersonation of the server.
If you are using the rasdial command or a VPN script such as Windows VPN Keep Alive, then keep in mind you must make one manual connection to the PEAP server, as in Step 4 above. The rasdial command will not connect to an untrusted server. An alternative configuration is to use the “Do not prompt user to authorize new servers or trusted certification authorities” option, which I have not yet tested with rasdial. My understanding is that this will force the client to always trust certain certificates, which may be preferable to asking the end user to perform authorization on their own.
Apple’s iPad and similar products are not compatible with PEAP. My recommendation is to not use those products in a security-sensitive environment until a solution is available.
The Windows 2003 Connection Manager Administration Kit (CMAK) is not compatible with PEAP. It may be necessary to obtain a newer version of CMAK if you need to create VPN service profiles.