Virtual Private Network site to site and from roaming users (Photo credit: Wikipedia)
One of the problems with RRAS is that out of the box there isn't a real method for using two-factor authentication. Two-factor authentication means you need to know something and you need to have something in order to gain access to the VPN tunnel. There are products out there like RSA tokens, but they can be pretty expensive. I found an alternative, though.
It's a free tool called RAS-SMS. It integrates with your RRAS service and provides a secondary method of authentication: a text message to your phone number with a code. If you enter the VPN password correctly, a random code is sent to the phone number associated with your account, and you must then enter that code to gain access. Cool, right?
From their page:
RAS-SMS is an extension (dll) for the Microsoft VPN / PPTP server also known as Remote Access Service (RAS). RAS is a standard component of the Microsoft Windows Server family. RAS can be configured to use the Microsoft Internet Access Service (IAS), also a standard lightweight component, not to be confused with ISA. By default RAS uses Windows authentication directly when checking credentials. When configured for IAS, the authentication is relayed to IAS. IAS can be extended with extra authentication functions. This project, RAS-SMS, is about inserting such an extra authentication function based on the idea that users should enter randomly generated codes that were sent to their personal cell phone number. Codes are only generated if users entered their credentials correctly.
If someone shares their password with an unauthorized user, you no longer have to worry about that person gaining access. They will not be able to get in without the phone. Likewise, if the phone is lost or stolen, you don't have to worry because nobody will have the password. Seems pretty slick to me, and it doesn't really cost any extra money to implement.
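To make the two-step flow concrete, here is an added example (my own sketch in Python, not code from the RAS-SMS project or from RRAS/IAS) that models the behaviour described above: the password is checked first, a random code is sent to the phone on file only if the password is correct, and the code is then required to finish the login. The user table, the salt, the server secret and the SMS sender are all constructed for the demo. It also shows the checks a practitioner would want around such a code that the post does not spell out: the code is single-use, expires after a short window, and is discarded after a few wrong guesses, and only a keyed hash of it is kept server-side.

```python
"""Two-step VPN login: password first, then a one-time SMS code.

Added example modelling the flow described in the post; not the
RAS-SMS project's code.  Users, salt, secret and SMS transport are
constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 6          # length of the random code sent by SMS
CODE_TTL_SECONDS = 120   # the code is useless after this window
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user database: username -> (salt, password hash, phone number)
_SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": (_SALT, hash_password("correct horse", _SALT), "+15550100"),
}


@dataclass
class PendingCode:
    code_mac: bytes        # keyed hash of the code, never the code itself
    expires_at: float
    attempts_left: int


class SmsSecondFactor:
    def __init__(self, send_sms: Callable[[str, str], None], server_secret: bytes):
        self._send_sms = send_sms
        self._secret = server_secret
        self._pending: Dict[str, PendingCode] = {}

    def _mac(self, user: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, phone: str, now: Optional[float] = None) -> None:
        """Generate a fresh random code, remember its hash, and text it to the user."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._mac(user, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send_sms(phone, f"Your VPN login code is {code}")

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """Accept the code once, within its lifetime, with a bounded number of guesses."""
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[user]
            return False
        if hmac.compare_digest(pending.code_mac, self._mac(user, code)):
            del self._pending[user]          # single use
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user]          # too many wrong guesses: start over
        return False


def start_login(factor: SmsSecondFactor, user: str, password: str,
                now: Optional[float] = None) -> bool:
    """Step 1: check the password; a code is only sent if it is correct."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, pw_hash, phone = record
    if not hmac.compare_digest(pw_hash, hash_password(password, salt)):
        return False
    factor.issue(user, phone, now)
    return True


def finish_login(factor: SmsSecondFactor, user: str, code: str,
                 now: Optional[float] = None) -> bool:
    """Step 2: the code from the phone completes the login."""
    return factor.verify(user, code, now)


if __name__ == "__main__":
    outbox = []   # stands in for the SMS gateway
    sf = SmsSecondFactor(lambda phone, text: outbox.append((phone, text)), b"demo-server-secret")
    print("password step:", start_login(sf, "alice", "correct horse"))
    print("SMS sent:", outbox[-1])
```

The `outbox` list stands in for whatever SMS gateway a real deployment uses; the point is that a password guess alone never triggers a text, and a leaked or intercepted code is only good once and only briefly.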
What kind of VPN person are you? Appliance or Server? Do you use two factor authentication? What do you use? Let us know in the comments.