EXERCISE 12.01. EXERCISE 12.03 REQUESTING A CERTIFICATE FROM A WEB S...

19. Distribute the card to the user for testing.

Using Smart Cards for Remote Access VPNs

The use of smart cards for local logons has met with limited, albeit recently growing, success. One reason for the limited acceptance is that local authentication traffic does not usually pass over insecure public networks; therefore, the added cost and administrative effort required for a smart card implementation is not justified. For remote access users, however, authentication communications are vulnerable, and smart cards can provide needed extra security.

To use smart cards to log on to a remote access VPN server, the server must first be configured to enable it. This includes selecting a protocol, as discussed below. It also includes obtaining a machine certificate for the VPN server. When the server is able to accept smart card certificates, the client must be configured to send them. This means attaching a smart card reader and establishing a VPN connection. If you view the Properties of the client’s VPN connection, you will notice a Networking and a Security tab. For smart card use, the type of VPN selected under the Networking tab should be the Layer 2 Tunneling Protocol, or L2TP. The Security tab, shown in Figure 12.36, is a bit more complex. There are two options, Typical and Advanced.

Figure 12.36

Security Tab of the VPN Client’s Properties Sheet

Choose Advanced (custom settings) and click the Settings button. Choose the Use Extensible Authentication Protocol (EAP) option and select Smart Card or other certificate (encryption enabled) from the drop-down box. Click the Properties button, and the Smart Card or Other Certificate dialog box appears as shown in Figure 12.37. Choose the Use my smart card option. Your configuration of the VPN client is now complete.

Figure 12.37

Smart Card or Other Certificate Properties Sheet

Enabling the Extensible Authentication Protocol (EAP) on a Remote Access Server

The steps required to prepare a server that is already running the Routing and Remote Access Service (RRAS) to use smart card authentication are fairly straightforward. First, from the RRAS console, display the properties sheet for the server and proceed to the Security tab. Next, choose Windows Authentication and select Authentication Methods. Choose the Extensible Authentication Protocol (EAP) option and select EAP Methods. Finally, choose the Smart Card or Other Certificate option.

Configuring Remote Access Policies is also relatively simple. You can create a new policy or edit the existing Allow Access If Dial-In Permission Is Enabled policy. After going into the policy’s property sheet, choose to Edit the profile and proceed to the Authentication tab. Select EAP Methods and click Add to choose the Smart Card or Other Certificate option. Clicking Edit brings up the property sheet for the option. To complete the edit, select the RRAS server’s fully qualified domain name (FQDN) in the Certificate Issued To field.
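The client configuration from Figures 12.36 and 12.37 (L2TP, EAP, smart card credential) and the server-side prerequisite from this sidebar (a machine certificate issued to the RRAS server’s FQDN) can also be done and checked from PowerShell on later Windows versions. This is an added example, not from the book or from Microsoft’s documentation; it assumes the VpnClient module (Windows 8 / Server 2012 or later), and the connection name and FQDN are placeholders.

```powershell
# Added example: scripted equivalent of the GUI steps in this section.
# Assumes the VpnClient module (New-EapConfiguration, Add-VpnConnection).
$ConnectionName = 'Corp VPN'                 # placeholder
$ServerFqdn     = 'vpn.corp.example.com'     # RRAS server FQDN, placeholder

# --- Client side: L2TP tunnel, EAP "Smart Card or other certificate" ---
# New-EapConfiguration -Tls without -UserCertificate makes the smart card the
# credential source (the "Use my smart card" option in Figure 12.37).
# -VerifyServerIdentity makes the client check the server's certificate.
$eap = New-EapConfiguration -Tls -VerifyServerIdentity

Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerFqdn `
                  -TunnelType L2tp `
                  -AuthenticationMethod Eap `
                  -EapConfigXmlStream $eap.EapConfigXmlStream `
                  -EncryptionLevel Required

# --- Server side: confirm a machine certificate exists for the policy ---
# The "Certificate Issued To" field must name the RRAS server's FQDN, so the
# certificate must carry that name and the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), have a private key, and still be valid.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "CN=$ServerFqdn*" -or
         $_.DnsNameList.Unicode -contains $ServerFqdn) -and
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku
    }

if (-not $serverCert) {
    Write-Warning "No usable machine certificate issued to $ServerFqdn; request one before enabling EAP."
} else {
    # This is the certificate to select in the Certificate Issued To field.
    $serverCert | Format-List Subject, Issuer, NotAfter, Thumbprint
}
```

Run the client half on the workstation with the smart card reader attached and the server half on the RRAS server; the Remote Access Policy itself is still edited in the console as described above.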

Configuring & Implementing...

Using Smart Cards To Log On to a Terminal Server

Using smart cards to log on to a terminal server is inherently more secure than using passwords, as we’ve discussed previously. Similar to using a smart card on a local workstation, using a smart card on a terminal client enables the server to verify your identity and give you appropriate access. Also, if you want the information contained in the card to be available for the entire terminal session, perform the following steps: