Passport book?
Tech Ranger

2003-12-14, 9:08 am

According to the passport book a user needs to match only one of the conditions of a RAS policy to have that policy apply. I thought that a user needs to match "ALL" of the conditions of a RAS policy to have it apply. Also, according to this book, MSCHAP v1 sends encrypted passwords over the network. I thought that all challenge response systems do not transmit passwords, but rather use the password as a key to encrypt a message thereby doing POP (proof of possession). Does anyone have any clarification on these issues?
em_ar_ducks

2003-12-14, 3:38 pm

When evaluating policies, you have to remember that the conditions are evaluated first, so if the conditions are met, then access will only be granted if everything else associated with that condition applies, and any other policies will not even be considered.

That is why policies must be so carefully created.
Tech Ranger

2003-12-14, 6:14 pm

quote:
Originally posted by em_ar_ducks
When evaluating policies, you have to remember that the conditions are evaluated first, so if the conditions are met, then access will only be granted if everything else applies associated with that condition and any other policies will not even be considered.

That is why policies must be so carefully created.


Thank you, but that does not address my questions.
curiousgeorge

2003-12-14, 8:06 pm

I'm not sure how the book worded it, but they meant to say a user has to match only the conditions of one RAS policy. After it matches the conditions, that particular policy will determine whether the connection is accepted or denied. No other policies will be checked.

What they meant about authentication is MS CHAP v1 uses encryption.

The MS-CHAPv1 challenge/response mechanism:

Client requests a login challenge from the Server.
The Server sends back an 8-byte random challenge.
The Client uses the LAN Manager hash of its password to derive three DES keys. Each of these keys is used to encrypt the challenge. All three encrypted blocks are concatenated into a 24-byte reply. The Client creates a second 24-byte reply using the Windows NT hash and the same procedure.
The server uses the hashes of the Client's password, stored in a database, to decrypt the replies. If the decrypted blocks match the challenge, the authentication completes and sends a "success" packet back to the client.


It might have been confusing how they worded those two concepts.
Tech Ranger

2003-12-14, 8:32 pm

Page 236:
"Multiple conditions can be configured for a single remote access policy, but the conditions are processed in a top-down order and the remote user is only required to meet one condition. Once a user has met a single condition in the list, the other two components of the policy are then evaluated."

Page 242:
"MS-CHAP is the first version of the authentication protocol and uses a challenge-response authentication process that encrypts the responses. The security weakness in this implementation is that the user's password is sent across the network in an encrypted state during authentication negotiations, allowing users sniffing the network to capture the encrypted password and perform a brute-force attack against it to decode and obtain the password."
em_ar_ducks

2003-12-14, 10:51 pm

You are correct: all conditions of a single policy (if it has multiple conditions) must match for further processing of that policy. For control to pass to the next policy, only the first condition listed is evaluated. The book is a bit off in explaining the overall process.

RRAS does things at multiple levels. First there is the listing of all policies. This list should normally have only one policy created by default (default policy) which essentially denies all access. You have to create additional policies to allow access and this is when the situation gets interesting.

When multiple policies exist, each policy is evaluated from the top down; as soon as one condition of a policy matches (the top one), that policy alone will determine access.

Each policy is made up of three parts:

Conditions, permissions, profile.

The conditions available within a policy are processed like "and" statements if multiple conditions are listed. As soon as all of the listed conditions are met, the remaining two elements of the policy will be evaluated and that policy is in control; if the conditions after the first in the list do not match, then access is essentially denied.

The tricky part is that the first condition of the policy must match, or none of the remaining conditions that follow will be "anded" into the evaluation.

Page 236 gives you a screen shot of the policy configuration. A single condition for that policy is currently listed, if other conditions were listed then they would be processed from the top down until all match.

The permissions of the policy are either grant or deny (as shown in the screen capture on page 236); therefore, as soon as all conditions match, that permission will be applied. If 3 conditions were listed, then each condition would have to match in turn before the permission would be applied.

Profiles are evaluated last if access is granted, which in some circumstances will result in denial also.

The end result is that you could have a policy that denies all access (permission) with very broad conditions (like the default policy). This policy should appear last in the RRAS policy listing. Any policies granting access should be created with much more narrow conditions (usually only one per policy when possible) and they would be listed prior to the default policy so that they would be looked at first, in order, top to bottom.

The passport book is probably one of the weaker references for understanding RRAS and policies.

Curiousgeorge often cites the Microsoft Windows 2000 System Administrators Guide as a good study reference. I couldn't agree more with him on that point. I think it does a more thorough job of explaining RRAS policies and is one of the better all around references to keep handy.

This is one of those areas that really require hands-on experience to master, and it is one of those areas that is likely to show up on the exam several times.

As far as getting into the details of CHAP, I admit that I can't help much there other than to say that most of these protocols evolved pre-IPsec and pre-VPN, so they work a bit more primitively. Don't confuse these mechanisms with the more secure protocols available, which work more closely to what you understand.

Hopefully, someone else will chime in with a good reference that can help.
Copyright 2003 - 2008 examnotes.net