Remote Access Authentication Protocols

Applies To: Windows Server 2008 R2

Remote access in this version of Windows supports the remote access authentication protocols listed in the following table. They are listed in order of decreasing security. We recommend that you use Extensible Authentication Protocol (EAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), and avoid the use of Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).

Protocol: EAP
Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
Security level: EAP offers the strongest security by providing the most flexibility in authentication variations. For more information, see EAP (https://go.microsoft.com/fwlink/?linkid=140608).

Protocol: MS-CHAP v2
Description: Supports two-way mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password.
Security level: MS-CHAP v2 provides stronger security than CHAP. For more information, see MS-CHAP v2 (https://go.microsoft.com/fwlink/?linkid=140609).

Protocol: CHAP
Description: Uses the Message Digest 5 (MD5) hashing scheme to compute the challenge response.
Security level: CHAP is an improvement over PAP, in that the password is not sent over the PPP link. CHAP requires a plaintext version of the password to validate the challenge response. CHAP does not protect against remote server impersonation. For more information, see CHAP (https://go.microsoft.com/fwlink/?linkid=140610).

Protocol: PAP
Description: Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation.
Security level: PAP is the least secure authentication protocol. It does not protect against replay attacks, remote client impersonation, or remote server impersonation. For more information, see PAP (https://go.microsoft.com/fwlink/?linkid=140611).
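The following Python is an added illustration, not code from this page or from the Windows RRAS implementation, of the CHAP exchange described in the table: it models the RFC 1994 challenge/response computation and packet layout, shows that the verifier must keep the plaintext password because the MD5 is computed over the secret itself, and shows that the client answers whatever challenge it receives, which is why CHAP gives no protection against server impersonation. The ChapServer class, its password store, and the server name are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 1994 CHAP packet codes
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name

def parse_packet(data: bytes):
    code, identifier, length, value_size = struct.unpack("!BBHB", data[:5])
    if length != len(data) or 5 + value_size > length:
        raise ValueError("malformed CHAP packet")
    return code, identifier, data[5:5 + value_size], data[5 + value_size:length]

class ChapServer:
    """Verifier (constructed). It must keep plaintext passwords to recompute the MD5."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # name -> plaintext password (constructed store)
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)       # a fresh random challenge is bound into each response
        self.pending[identifier] = chal
        return build_packet(CHAP_CHALLENGE, identifier, chal, b"rras-server")

    def verify(self, response_packet: bytes) -> int:
        code, identifier, value, name = parse_packet(response_packet)
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name.decode(errors="replace"))
        if code != CHAP_RESPONSE or chal is None or secret is None:
            return CHAP_FAILURE
        expected = chap_response(identifier, secret, chal)
        return CHAP_SUCCESS if hmac.compare_digest(expected, value) else CHAP_FAILURE

def chap_client_respond(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side. Nothing in the exchange lets it check who issued the challenge."""
    code, identifier, chal, _server_name = parse_packet(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge packet")
    return build_packet(CHAP_RESPONSE, identifier, chap_response(identifier, secret, chal), name)
```

Because the challenge is part of the hashed input, a captured response does not verify against a later challenge, which is the replay protection CHAP has that PAP lacks.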

Unauthenticated access

RRAS also supports unauthenticated access, which means that user credentials (a user name and password) are not required. There are some situations in which unauthenticated access is useful. For more information, see Unauthenticated Access (https://go.microsoft.com/fwlink/?linkid=73649).

Security Note
When you enable unauthenticated access, remote access users are connected without sending user credentials. An unauthenticated remote access client does not negotiate the use of a common authentication protocol during the connection establishment process and does not send a user name or password.

Unauthenticated access with remote access clients can occur when the authentication protocols configured by the remote access client do not match those configured on the remote access server. In this case, the use of a common authentication protocol is not negotiated and the remote access client does not send a user name and password.

Additional references