MS-CHAP v2

Applies To: Windows 7, Windows Server 2008 R2

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a mutual authentication process built on one-way hashes of the password: the password itself never crosses the link, and each side proves to the other that it knows the password. It works as follows:

  1. The authenticator (the server running RRAS or NPS) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.

  2. The remote access client sends a response that contains:

    • The user name.

    • An arbitrary peer challenge string.

    • A one-way hash (the NT-Response) computed from the received challenge string, the peer challenge string, the user name, and the user's password. The password itself is not transmitted.

  3. The authenticator checks the response from the client and sends back a response containing:

    • An indication of the success or failure of the connection attempt.

    • An authenticator response computed from the challenge string it sent, the peer challenge string, the client's hashed response, the user name, and the user's password. This second proof is what makes the authentication mutual: the client can check that the authenticator also knows the password.

  4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

Enabling MS-CHAP v2

You must enable MS-CHAP v2:

  1. As an authentication protocol on the RRAS server.

  2. On the appropriate network policy. (MS-CHAP v2 is enabled by default.)

  3. On the remote access client.

Additional considerations

  • MS-CHAP v2 is the only authentication protocol provided with Windows that supports changing the password (for example, when it has expired) during the authentication process.

  • The NT-Response is derived from the MD4 hash of the password by three DES operations over a known 8-byte challenge, so anyone who captures a single exchange can recover the NT hash with a 2^56 DES key search, and the hash alone is enough to authenticate as the user. Microsoft Security Advisory 2743314 therefore recommends running MS-CHAP v2 only inside a TLS-protected method such as PEAP rather than unencapsulated (for example, over PPTP).

  • Make sure your network access server (NAS) supports MS-CHAP v2 before you enable it on a network policy on a server running NPS. For more information, see your NAS documentation.
