PPTP server

[Pete Davis]

David,


Unfortunately, PPTP has both pros and cons. One of the major pros,
as you mentioned, is the free client either integrated with Windows or available
as a DUN upgrade (depending on which version you have). One of the cons is
that something like NT authentication can only be done if you are willing to
install a MPPE/MSCHAP compatible RADIUS server on a Primary or Backup domain
controller. So, you are able to do NT authentication, but only with specific
RADIUS servers, installed on a PDC/BDC.

Out at VPNcon next week (March 1) in San Jose, this is the topic
of my discussion (Remote Access Protocols and Authentication Options for VPNs).
I find that this in particular causes lots of confusion out there.

As far as the Internal user database, this is more of an artifical limitation
than anything else. We didn't really want anybody to use an Internal database
to build a significant user authentication system since then the next question
would be "How do I share this database across multiple servers", etc, and
before you know it, the device turns into an authentication server.

Best Regards,
-pete

On Fri, Feb 25, 2000 at 11:26:30AM -0800, David Gillett wrote:
>   The key attraction of PPTP (IMHO...) is that you get a free client in
> every 32-bit Windows.  You'll only need separate PPTP clients if you need to
> support other platforms.
>   Part of the reason we got an Altiga in to test was because it advertised
> PPTP support.  It turned out -- this may have changed -- that it can't do NT
> domain authentication for PPTP connections, so unless you can dedicate a
> machine to serve it RADIUS (or TACACS, I think), your user account database
> for PPTP is limited to what the Altiga can hold in memory -- 100 accounts.
>   That might be sufficient for you.  It wasn't for us, but we were
> sufficiently pleased with the Altiga IPSEC client (and its license/pricing
> model, which I hope Cisco leaves intact!) to adopt that instead of PPTP.

VPN is sponsored by SecurityFocus.COM