The following steps describe what happens during a call to a :
1. The remote access client computer calls a remote access server.
2. Depending on the authentication methods that have been negotiated, one of the following happens:
   - If you are using or SPAP:
     - The client sends its user name and password to the server.
     - The server checks the account credentials against the user database.
   - If you are using CHAP or MS-CHAP:
     - The server sends a challenge to the client.
     - The client sends an encrypted response to the server.
     - The server checks the response against the user database.
   - If you are using MS-CHAP v2:
     - The server sends a challenge to the client.
     - The client sends an encrypted response and a challenge to the server.
     - The server checks the encrypted response of the client against the user database and sends the client its own encrypted response.
     - The client verifies the encrypted response of the server.
   - If you are using certificate-based :
     - The server sends its computer certificate to the client.
     - If the client is configured for certificate-based authentication, the client validates the server certificate.
     - The client sends its user certificate to the server.
     - The server verifies that the user certificate is valid and has not been revoked.
3. If the connection attempt is both authenticated (the user credentials are valid, the is enabled and not locked out, and the connection is occurring within the allowed logon hours) and authorized (for incoming connections, the user account has remote access permission), the server accepts the remote access connection.
4. If callback is enabled, the server calls your computer back and repeats steps 2 through 3.
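
The CHAP branch of the authentication step, as an added example that is not part of the original page. It follows RFC 1994, where the response is an MD5 hash over the identifier, the shared secret and the challenge (MS-CHAP computes its response differently); the user database, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample user database: name -> shared secret. CHAP requires the
# server to hold the secret in recoverable form, one of the protocol's costs.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # identifier -> challenge, consumed on first use
        self.next_id = 0

    def send_challenge(self):
        """The server sends a fresh random challenge to the client."""
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16)
        self.pending[self.next_id] = challenge
        return self.next_id, challenge

    def check_response(self, identifier, name, response) -> bool:
        """The server checks the response against the user database."""
        challenge = self.pending.pop(identifier, None)  # one attempt per challenge
        secret = self.user_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange():
    server = ChapServer(USER_DB)
    ident, challenge = server.send_challenge()
    # The client answers with a hash; the secret itself never crosses the link.
    response = chap_response(ident, USER_DB["alice"], challenge)
    accepted = server.check_response(ident, "alice", response)
    # A captured response does not verify against the next challenge...
    ident2, _ = server.send_challenge()
    replay_ok = server.check_response(ident2, "alice", response)
    # ...and the original challenge cannot be answered a second time.
    reused_ok = server.check_response(ident, "alice", response)
    return accepted, replay_ok, reused_ok
```

`run_exchange()` returns whether the genuine response, a response replayed against a new challenge, and a second answer to the already-used challenge were accepted.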
Notes
- For the Routing and Remote Access service, of the connection is determined by the dial-in properties of the user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in granting remote access and usage. If the settings of the connection do not match at least one of the remote access policies that apply to your connection, the connection attempt is rejected, regardless of the dial-in properties of the user account.
- Network Connections authentication methods control access to your network, not to resources on the network. Once you are connected to a network, resource access control is managed through access control lists (ACLs) in various ways: Local Users and Groups, , , file and printer sharing, and so on.
- Authentication methods are designed for remote computing environments where the computer that is dialing in does not have access to the network until credentials, such as user name and password, are validated.
- For information about configuring security options for your connections, such as identity authentication protocols and data settings, see Secure network or dial-up connections.