Organizations spend very little time choosing the most appropriate authentication protocol for their VPN (Virtual Private Network) connections. In many cases a selection is never made because the differences between the available authentication protocols are not understood; in others, the desire for simplicity is the reason stronger security is not chosen. Whatever the case, we make the following suggestions to help you select the best authentication protocol for VPN connections:
1) Use EAP (Extensible Authentication Protocol) or PEAP (Protected Extensible Authentication Protocol) for PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and SSTP (Secure Socket Tunneling Protocol) connections whenever the organization can support it. If smart cards will be used, or if a certificate infrastructure that issues user certificates already exists, EAP is the best and most secure option. Note that EAP is supported only by VPN clients running Windows XP, Windows 2000 client, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008.
2) Use PEAP with EAP-MS-CHAP v2 (Extensible Authentication Protocol - Microsoft Challenge Handshake Authentication Protocol version 2) to ease the deployment burden. In this configuration, certificates are required only for the VPN server infrastructure and not for the clients, yet key generation is still done inside a Transport Layer Security (TLS) session with mutual authentication, which greatly strengthens the exchange.
3) If you must use a password-based authentication protocol, use MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) and enforce strong passwords through Group Policy. Although not as strong a protocol as PEAP or EAP, MS-CHAP v2 is supported by computers running Windows Server 2008, Windows Server 2003, Windows 2000 Server, Windows Vista, Windows XP, Windows 2000 client, Windows NT 4.0 with Service Pack 4 and higher, Windows Me, Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 or higher Performance and Security Update.
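The following PowerShell is an added example, not part of the original article, showing what recommendation 2 looks like on a Windows VPN client and how to audit existing connections against recommendation 3. It uses the built-in VpnClient module cmdlets (New-EapConfiguration, Add-VpnConnection, Get-VpnConnection), which we assume are available (Windows 8 / Windows Server 2012 and later); the server name vpn.example.com and the connection name Corp-SSTP are placeholders.

```powershell
# Added example (not from the original article). Assumes the VpnClient
# PowerShell module; vpn.example.com and Corp-SSTP are placeholders.

# Recommendation 2: PEAP with EAP-MS-CHAP v2 as the inner method.
# -Protectedeap selects PEAP (the inner method defaults to EAP-MS-CHAP v2);
# -VerifyServerIdentity makes the client validate the VPN server's TLS
# certificate, so only the server side needs a certificate, not the clients.
$peap = New-EapConfiguration -Protectedeap -VerifyServerIdentity

# Create an SSTP connection that allows only EAP for authentication and
# refuses to connect without encryption. Credentials are not cached on disk.
Add-VpnConnection -Name 'Corp-SSTP' `
    -ServerAddress 'vpn.example.com' `
    -TunnelType Sstp `
    -AuthenticationMethod Eap `
    -EapConfigXmlStream $peap.EapConfigXmlStream `
    -EncryptionLevel Required `
    -RememberCredential:$false

# Recommendation 3 check: when passwords must be used, MS-CHAP v2 is the
# floor. Flag any connection that still permits PAP or CHAP, which send the
# password in clear text or use a weaker challenge scheme, and any
# connection that does not require encryption.
function Get-VpnAuthFindings {
    Get-VpnConnection | ForEach-Object {
        $weakAuth = @($_.AuthenticationMethod) | Where-Object { $_ -in 'Pap', 'Chap' }
        $noEncryption = $_.EncryptionLevel -in 'NoEncryption', 'Optional'
        if ($weakAuth -or $noEncryption) {
            [pscustomobject]@{
                Name                 = $_.Name
                TunnelType           = $_.TunnelType
                AuthenticationMethod = ($_.AuthenticationMethod -join ',')
                EncryptionLevel      = $_.EncryptionLevel
                Finding              = if ($weakAuth) { "allows $($weakAuth -join ',')" } else { 'encryption not required' }
            }
        }
    }
}

Get-VpnAuthFindings | Format-Table -AutoSize
```

Run the audit function on its own to review connections already present on a machine; an empty result means every connection uses at least MS-CHAP v2 or EAP and requires encryption. Swapping -Protectedeap for -Tls (with a user certificate) in the New-EapConfiguration call gives the EAP-TLS setup from recommendation 1.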