Hi,
I tried to get a clear and hands-on understanding of the following concepts: VPN, EAP, NPS, RADIUS, PKI, IPsec, certificates. Then I decided to put them together and to use some examples found on the internet to build a versatile VPN: a VPN configuration which could work with IKEv2, SSTP, PPTP or L2TP/IPsec. I configured the following 4 Windows Server 2008 R2 virtual machines: DC1 (domain controller), PKI1 (AD CS role), VPN1 (NPAS/RRAS role), NPS1 (NPAS/RRAS role). I also configured CLI1 (Windows 7 client) for connecting to VPN1.
The 4 servers are joined to the same domain, but CLI1 is not joined to the domain. I also installed two certificates on VPN1 with, respectively, the following intended purposes: Server Authentication (for SSTP) and Server Authentication + IP Security IKE Intermediate (for IKEv2).
I tried this configuration with a separate RADIUS server (NPS1) and without it (by configuring NPS on VPN1 and shutting down NPS1). In either of the two configurations, I enabled NPS's Network Policies and added EAP-MSCHAP v2 in the Constraints tab's EAP Types. I also installed the CA root certificate in CLI1's Trusted Root Certification Authorities store.
If I set the connection type to "Automatic" on CLI1, the connection uses IKEv2 and works. If I force the client to connect with PPTP, it also works. L2TP/IPsec and SSTP did not work (even if I explicitly select the SSTP certificate in the Security properties of RRAS on VPN1).
Questions:
1) Is it possible to make that multi-protocol VPN work? What did I do wrong?
2) When NPS Network Policies are configured locally on the VPN1 server (local NPS), could we say that it is the same functionality as a RADIUS server, but configured locally?
3) Is EAP a feature required by RADIUS and NPS?
4) What is the difference between EAP-MSCHAP v2 and MSCHAP v2?
5) What is the difference between Microsoft PEAP and Microsoft EAP-MSCHAP v2?
Thanks in advance for any help !
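Since the post says SSTP and IKEv2 depend on two differently purposed certificates on VPN1, the first thing worth verifying is whether the machine store actually holds a certificate with the right EKUs, a private key, a validity window that covers today and a subject/SAN name matching what the client dials. The PowerShell below is an added example (not code from the original post) that runs this inventory on the RRAS server; it assumes an elevated PowerShell session on the server and a placeholder host name in $VpnHostName that you replace with the name CLI1 uses in its connection.

```powershell
# Added example: inventory Cert:\LocalMachine\My on the VPN server and report which
# certificates can serve SSTP (Server Authentication EKU) and which can serve IKEv2
# (Server Authentication + IP security IKE intermediate EKU).
# Assumptions: run elevated on the RRAS server; $VpnHostName is a placeholder for
# the name the client types into its VPN connection.

$VpnHostName = "vpn1.example.com"   # placeholder: replace with the name clients connect to

$OidServerAuth = "1.3.6.1.5.5.7.3.1"   # Server Authentication
$OidIkeInter   = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate

# Return the list of EKU OID strings carried by a certificate (empty if no EKU extension).
function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = Get-EkuOids -Cert $cert
    $hasServerAuth = $ekus -contains $OidServerAuth
    $hasIkeInter   = $ekus -contains $OidIkeInter

    # Name check: the subject CN or a DNS entry in the SAN extension (OID 2.5.29.17)
    # must equal the host name the client dials, or SSTP's TLS handshake will fail.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($san) { $san.Format($false) } else { "" }
    $nameMatch = ($cert.Subject -match ("CN=" + [regex]::Escape($VpnHostName) + "(,|$)")) -or
                 ($sanText -match [regex]::Escape($VpnHostName))

    # PowerShell 2.0 (2008 R2) has no [PSCustomObject] literal, so build the object this way.
    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        HasPrivateKey  = $cert.HasPrivateKey
        Valid          = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        ChainTrusted   = $cert.Verify()          # builds and validates the chain on this machine
        NameMatches    = $nameMatch
        UsableForSSTP  = $hasServerAuth -and $cert.HasPrivateKey
        UsableForIKEv2 = $hasServerAuth -and $hasIkeInter -and $cert.HasPrivateKey
    }
} | Format-Table Thumbprint, Subject, HasPrivateKey, Valid, ChainTrusted, NameMatches, UsableForSSTP, UsableForIKEv2 -AutoSize
```

A row with UsableForSSTP true but NameMatches false is the usual explanation for an SSTP connection that fails even though the certificate is selected in the RRAS Security properties: the client validates the TLS certificate against the name it dialed, not against the thumbprint the server picked. IKEv2 needs the IKE intermediate EKU in addition to Server Authentication, which is why the table tracks the two purposes separately.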