PEAP-MS-CHAP v2

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Protected Extensible Authentication Protocol (PEAP) is a member of the family of Extensible Authentication Protocol (EAP) protocols. PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an Internet Authentication Service (IAS) server or another Remote Authentication Dial-In User Service (RADIUS) server. PEAP does not specify an authentication method itself; it provides additional protection for other EAP authentication protocols, such as EAP-MS-CHAP v2, that operate through the TLS encrypted channel that PEAP provides. PEAP is used as an authentication method for 802.1X wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients.

PEAP authentication process

There are two stages in the PEAP authentication process between the PEAP client and the authenticator. The first stage sets up a TLS-protected channel between the PEAP client and the authenticating server. The second stage carries the EAP authentication between the EAP client and the authenticator inside that channel.

PEAP stage one: TLS encrypted channel

The wireless client associates with a wireless access point. An IEEE 802.11-based association provides Open System or Shared Key authentication before a secure association is created between the client and the access point. After the IEEE 802.11-based association is successfully established, the access point starts 802.1X and relays EAP messages between the client and the authenticating server (for example, an IAS server); the access point itself is not a TLS endpoint. The TLS session is negotiated between the wireless client and the server: the server presents its certificate, the client validates that certificate to authenticate the server, and the key derived during this negotiation is used to encrypt all subsequent PEAP communication. Because the credentials exchanged in stage two are protected only by this channel, the client's validation of the server certificate is what ties the channel to the intended authenticating server.

PEAP stage two: EAP-authenticated communication

Complete EAP communication, including EAP negotiation, occurs inside the TLS channel created by PEAP during the first stage of the PEAP authentication process. The IAS server authenticates the user or the client computer with the method determined by the EAP type selected for use within PEAP. For deployments of Wireless Provisioning Services (WPS), EAP-MS-CHAP v2 is the authentication type used within PEAP. The access point only forwards messages between the wireless client and the RADIUS server; because the access point is not a TLS endpoint, neither it nor a person monitoring it can decrypt these messages.

Packet sequence for a successful authentication attempt with valid credentials

After PEAP stage one occurs and the TLS channel is created between the IAS server and the 802.1X wireless client, for a successful authentication attempt in which the user has supplied valid password-based credentials using WPS with PEAP-MS-CHAP v2, the sequence of EAP messages (carried in RADIUS between the access point and the IAS server) is:

  1. The IAS server sends an identity request message to the client: EAP-Request/Identity.

  2. The client responds with an identity response message: EAP-Response/Identity.

  3. The IAS server sends an MS-CHAP v2 challenge message: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Challenge).

  4. The client responds with an MS-CHAP v2 challenge and response: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Response).

  5. The IAS server sends back an MS-CHAP v2 success packet when the server has successfully authenticated the client: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Success).

  6. The client responds with an MS-CHAP v2 success packet when the client has successfully authenticated the server: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Success).

  7. The IAS server sends an EAP-TLV indicating successful authentication.

  8. The client responds with an EAP-TLV status success message.

  9. The server completes authentication and sends an EAP-Success message in cleartext, outside the TLS channel. If VLANs are deployed for client isolation, the VLAN attributes are carried in the RADIUS Access-Accept message that delivers this EAP-Success to the access point.

Packet sequence for a successful guest authentication

After PEAP stage one occurs and the TLS channel is created between the IAS server and the 802.1X wireless client, for the case in which a failed credential check is converted by WPS into a successful guest authentication with limited access, using PEAP-MS-CHAP v2, the sequence of EAP messages (carried in RADIUS between the access point and the IAS server) is:

  1. The IAS server sends an identity request message to the client: EAP-Request/Identity.

  2. The client responds with an identity response message: EAP-Response/Identity.

  3. The IAS server sends an MS-CHAP v2 challenge message: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Challenge).

  4. The client responds with an MS-CHAP v2 challenge and response: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Response). The credential check fails, and the WPS extension DLL on the server determines that the user authentication should succeed with limited access. From this point the exchange completes as a success even though no valid credential was verified, so the limit on that access must be enforced by the network (for example, through the VLAN attributes returned in step 9) rather than inferred from the MS-CHAP v2 result.

  5. The IAS server sends back an MS-CHAP v2 success packet when the server has successfully authenticated the client: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Success).

  6. The client responds with an MS-CHAP v2 success packet when the client has successfully authenticated the server: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Success).

  7. The IAS server sends an EAP-TLV indicating successful authentication, as well as other TLVs, including a URL PEAP-TLV that provides the client with the URL of the provisioning server (or a URL to change password).

  8. The client responds with an EAP-TLV status success message.

  9. The server completes authentication and sends an EAP-Success message in cleartext, outside the TLS channel. If VLANs are deployed for client isolation, the VLAN attributes are carried in the RADIUS Access-Accept message that delivers this EAP-Success to the access point.

Packet sequence for other WPS cases (disabled, expired, and unknown accounts)

After PEAP stage one occurs and the TLS channel is created between the IAS server and the 802.1X wireless client, for the other WPS cases (disabled, expired, and unknown accounts) with PEAP-MS-CHAP v2, the sequence of EAP messages (carried in RADIUS between the access point and the IAS server) is:

  1. The IAS server sends an identity request message to the client: EAP-Request/Identity.

  2. The client responds with an identity response message: EAP-Response/Identity.

  3. The IAS server discovers that the account is disabled, expired, or unknown. The WPS extension DLL on the server decides that the user authentication should succeed with limited access. No MS-CHAP v2 challenge is sent in this case.

  4. The IAS server sends an EAP-TLV indicating successful authentication, as well as other TLVs, including a URL PEAP-TLV that provides the client with the URL of the provisioning server.

  5. The client responds with an EAP-TLV status success message.

  6. The server completes authentication and sends an EAP-Success message in cleartext, outside the TLS channel. If VLANs are deployed for client isolation, the VLAN attributes are carried in the RADIUS Access-Accept message that delivers this EAP-Success to the access point.
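The three stage-two sequences above, worked through as an added example that is not part of the original page and not Microsoft's code. It encodes and parses the inner EAP packets (RFC 3748 header, EAP-Type 26 MS-CHAP v2 Challenge, Response and Success framing, EAP-TLV Result) and drives them through the valid-credential, guest-conversion and disabled/expired/unknown paths the page describes. The RFC 2759 hash computations are deliberately not implemented: the server's verdict on the NT-Response is an input, the challenge and response bytes are opaque sample values, the server name "ias01" and the provisioning URL are constructed, and the URL TLV type code is a labelled placeholder because the page does not give it.

```python
"""Constructed example: EAP-MS-CHAP v2 framing inside the PEAP tunnel for the three WPS sequences.
RFC 2759 hashing is not implemented; the verdict on the NT-Response is passed in as a flag."""
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3      # RFC 3748 Code values
TYPE_IDENTITY, TYPE_MSCHAPV2, TYPE_TLV = 1, 26, 33    # EAP Type values
OP_CHALLENGE, OP_RESPONSE, OP_SUCCESS = 1, 2, 3       # EAP-MS-CHAPv2 OpCodes
TLV_RESULT, RESULT_SUCCESS = 3, 1                     # PEAP Result TLV type and its Success status
TLV_URL_ASSUMED = 0x0F   # placeholder for the WPS URL TLV type; the real code is not given on the page

def eap_packet(code, ident, type_data=b""):
    """Code(1) Identifier(1) Length(2) Type-Data. EAP-Success has no Type-Data, so Length is 4."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data

def parse_eap(pkt):
    """Return (code, identifier, type, type_data); type is None for Success/Failure packets."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length %d does not match %d bytes on the wire" % (length, len(pkt)))
    if code >= EAP_SUCCESS:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def mschapv2(code, ident, opcode, ms_id, body):
    """EAP-Type 26 payload: OpCode(1) MS-CHAPv2-ID(1) MS-Length(2) body, where MS-Length = Length - 5."""
    hdr = bytes([TYPE_MSCHAPV2, opcode, ms_id]) + struct.pack("!H", 4 + len(body))
    return eap_packet(code, ident, hdr + body)

def challenge(ident, ms_id, auth_challenge, server_name):
    # Value-Size 16, the 16-byte authenticator challenge, then the server's Name
    return mschapv2(EAP_REQUEST, ident, OP_CHALLENGE, ms_id, bytes([16]) + auth_challenge + server_name)

def response(ident, ms_id, peer_challenge, nt_response, user_name):
    # Value-Size 49 = Peer-Challenge(16) + Reserved(8) + NT-Response(24) + Flags(1), then the user Name
    value = peer_challenge + b"\x00" * 8 + nt_response + b"\x00"
    return mschapv2(EAP_RESPONSE, ident, OP_RESPONSE, ms_id, bytes([49]) + value + user_name)

def success_request(ident, ms_id, authenticator_response, text):
    # "S=" + 40 uppercase hex digits the client checks to authenticate the server, then " M=" text
    msg = b"S=" + authenticator_response.hex().upper().encode() + b" M=" + text
    return mschapv2(EAP_REQUEST, ident, OP_SUCCESS, ms_id, msg)

def success_response(ident):
    return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_MSCHAPV2, OP_SUCCESS]))   # OpCode alone, Length 6

def tlv(tlv_type, value, mandatory=True):
    """M(1) R(1) TLV-Type(14) Length(2) Value; the M bit marks a TLV the peer must understand."""
    return struct.pack("!HH", (0x8000 if mandatory else 0) | tlv_type, len(value)) + value

def parse_tlvs(type_data):
    """Split an EAP-TLV payload into (type, mandatory, value) triples."""
    out, i = [], 0
    while i < len(type_data):
        t, ln = struct.unpack("!HH", type_data[i:i + 4])
        out.append((t & 0x3FFF, bool(t & 0x8000), type_data[i + 4:i + 4 + ln]))
        i += 4 + ln
    return out

def result_request(ident, url=None):
    body = tlv(TLV_RESULT, struct.pack("!H", RESULT_SUCCESS))
    if url is not None:                      # guest and provisioning cases add the URL TLV
        body += tlv(TLV_URL_ASSUMED, url, mandatory=False)
    return eap_packet(EAP_REQUEST, ident, bytes([TYPE_TLV]) + body)

def stage_two(user, account_state, nt_response_ok, url=b"https://provision.example.test/"):
    """Inner EAP packets of one stage-two exchange as (sender, bytes) pairs, following the page's three
    sequences. account_state is 'ok', 'disabled', 'expired' or 'unknown'. The branching below is the
    page's description of the WPS extension DLL, not Microsoft's implementation."""
    ident, ms_id, msgs, send_url = 1, 1, [], None
    msgs.append(("server", eap_packet(EAP_REQUEST, ident, bytes([TYPE_IDENTITY]))))
    msgs.append(("client", eap_packet(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + user)))
    ident += 1
    if account_state == "ok":
        msgs.append(("server", challenge(ident, ms_id, os.urandom(16), b"ias01")))
        msgs.append(("client", response(ident, ms_id, os.urandom(16), b"\x11" * 24, user)))  # sample bytes
        ident += 1
        if not nt_response_ok:               # bad password: WPS converts the failure to guest access
            send_url = url
        # The MS-CHAP v2 Success round trip happens in both the valid and the guest case (steps 5 and 6)
        msgs.append(("server", success_request(ident, ms_id, b"\x22" * 20, b"OK")))
        msgs.append(("client", success_response(ident)))
        ident += 1
    else:                                    # disabled, expired or unknown: no MS-CHAP v2 exchange at all
        send_url = url
    msgs.append(("server", result_request(ident, send_url)))
    msgs.append(("client", eap_packet(EAP_RESPONSE, ident, bytes([TYPE_TLV]) + tlv(TLV_RESULT, b"\x00\x01"))))
    # EAP-Success leaves the tunnel in cleartext and reuses the Identifier of the last Response
    msgs.append(("server", eap_packet(EAP_SUCCESS, ident)))
    return msgs
```

Running stage_two with account_state "ok" and nt_response_ok False reproduces the guest sequence: the same nine messages as the valid case, with the URL TLV riding alongside the Result TLV in step 7. The disabled, expired and unknown cases produce five messages (the page's step 3 is a server-side decision, not a packet), and none of them carries EAP-Type 26.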

For more information about PEAP, see "Protected EAP Protocol (PEAP)" at https://go.microsoft.com/fwlink/?LinkId=41301.

For more information about EAP-MS-CHAP v2, see "Microsoft EAP CHAP Extensions" at https://go.microsoft.com/fwlink/?LinkId=41306.