Advanced L2TP Configuration
Configuring the advanced options for an L2TP connection is very similar to working with a PPTP connection. You access those options by selecting Edit Configurations from the Configuration pop-up menu, and the resulting Configuration dialog box looks much the same. You will, however, notice two additional options for user authentication and an additional section called Machine Authentication (see Figure 3).
Figure 3 L2TP Configuration dialog box
The two additional user authentication options are Kerberos and CryptoCard. Kerberos is an authentication method that is highly secure because it transfers a user's password only once, when the user logs in to a computer on the network. Kerberos then uses time-based tokens to grant the user access to network resources. For VPN access, Kerberos requires that the remote computer be bound to the VPN server's directory domain (that is, that you can log in to the computer using a network account). It also requires that users have a Mac OS X Server mobile account so that they can log in with a network password while the computer is off the network. That account information is used when establishing a VPN connection with Kerberos.
While offering advanced security, Kerberos VPN is most practical when Mac OS X Server is being used as the network’s VPN server. It can also be tricky to troubleshoot VPN connection errors when using Kerberos. As a rule, server administrators should be extremely proficient in Open Directory if considering Kerberos for VPN authentication.
CryptoCard is a physical token security solution similar to RSA's SecurID. The difference is that CryptoCard tokens are often used for many functions beyond VPN access. Among other purposes, they can be tied into building security measures such as door locks and used to restrict access to workstations within a building.
The Machine Authentication section is where some of L2TP's security advantages over PPTP come from. In addition to verifying a user's account information when establishing a VPN connection, L2TP enables the server to verify that the user is connecting from a trusted computer. This means that a malicious user who obtains only a username and password, or a SecurID token and PIN, cannot connect from an untrusted machine such as a home computer. Machine authentication can be established either with security certificates stored on both the server and the computer that connects by VPN, or with a shared secret. A shared secret is a string of alphanumeric characters entered on both the computer and the server; the two values must match for a connection to be established.