Dial-up connection authentication and data encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Typical (recommended settings) security options that you select on the Security tab result in a predefined set of authentication methods and encryption requirements that are negotiated with the server during a PPP exchange.

The following table shows the authentication and data encryption methods that you can use with each combination of Validate my identity as follows and Require data encryption (disconnect if none) selections. You can also view these settings by making your identity validation and data encryption requirement selections in Typical (recommended settings), and then clicking Settings in Advanced (custom settings).

You can individually enable, configure, and disable these combinations of security settings by using Advanced (custom settings), but this requires knowledge of security protocols.

For more information about a specific authentication or data encryption method, click the method in the table. For information about configuring a connection, see Configure a connection to a remote network.

| Validate my identity as follows | Require data encryption | Authentication methods negotiated | Encryption enforcement |
| --- | --- | --- | --- |
| Allow unsecured password | No | Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Shiva Password Authentication Protocol (SPAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) | Optional encryption (connect even if no encryption) |
| Require secured password | No | Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) | Optional encryption (connect even if no encryption) |
| Require secured password | Yes | Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) | Require encryption (disconnect if server declines) |
| Smart card | No | Extensible Authentication Protocol (EAP) | Optional encryption (connect even if no encryption) |
| Smart card | Yes | Extensible Authentication Protocol (EAP) | Require encryption (disconnect if server declines) |

Notes

  • Data is only encrypted if MS-CHAP, MS-CHAP v2, or EAP-TLS authentication is negotiated. These are the only authentication protocols that generate their own initial encryption keys, which are required for encryption.

  • Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections. Strong (128-bit key) and standard (40-bit key) MPPE encryption schemes are supported.

  • MS-CHAP v2 and EAP are mutual authentication protocols, which means that both the client and the server prove their identities. If your connection is configured to use either MS-CHAP v2 or EAP as its only authentication method, and the server that you are connecting to does not provide proof of its identity, your connection disconnects. Previously, servers could skip authentication and simply accept the call. This change ensures that you can configure a connection to connect to the expected server.
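
The table and notes above can be checked mechanically. The following Python sketch is an added example, not Microsoft code: it models the five Typical rows and the three notes, and reports for any set of enabled methods which ones cannot produce encryption keys and whether proof of the server's identity is enforced. All names are hypothetical, and the table's smart card "EAP" entry is assumed to be EAP-TLS.

```python
# Added example: models the table and notes on this page (not Microsoft code).
# All identifiers are hypothetical.

# Note 1: only these methods generate the initial keys that encryption needs.
KEY_GENERATING = {"MS-CHAP", "MS-CHAP v2", "EAP-TLS"}

# The Typical (recommended settings) rows from the table, keyed by
# (Validate my identity as follows, Require data encryption).
# Assumption: the table's "EAP" for smart cards is written here as EAP-TLS.
TYPICAL = {
    ("Allow unsecured password", False): ["PAP", "CHAP", "SPAP", "MS-CHAP", "MS-CHAP v2"],
    ("Require secured password", False): ["CHAP", "MS-CHAP", "MS-CHAP v2"],
    ("Require secured password", True): ["MS-CHAP", "MS-CHAP v2"],
    ("Smart card", False): ["EAP-TLS"],
    ("Smart card", True): ["EAP-TLS"],
}


def is_mutual(method):
    # Note 3: MS-CHAP v2 and EAP are mutual authentication protocols.
    return method == "MS-CHAP v2" or method.startswith("EAP")


def audit(methods, require_encryption):
    """Evaluate one set of enabled methods plus the encryption requirement."""
    no_key = [m for m in methods if m not in KEY_GENERATING]
    return {
        # Methods that, if negotiated, leave the link without encryption keys.
        "no_key_methods": no_key,
        # Optional encryption connects even if no encryption is negotiated.
        "cleartext_possible": not require_encryption,
        # Inference from note 1 plus the "Require encryption" rows: with
        # encryption required, a no-key method can only end in a disconnect.
        "dead_methods": no_key if require_encryption else [],
        # Note 3: server proof is enforced only when a mutual method is the
        # connection's only authentication method.
        "server_proof_enforced": len(methods) == 1 and is_mutual(methods[0]),
    }


def audit_typical(validate_as, require_encryption):
    return audit(TYPICAL[(validate_as, require_encryption)], require_encryption)


if __name__ == "__main__":
    for (validate_as, require_enc), methods in TYPICAL.items():
        print(validate_as, require_enc, audit(methods, require_enc))
    # Constructed Advanced (custom settings) profile: CHAP on, encryption required.
    print("custom", audit(["CHAP", "MS-CHAP v2"], True))
```

The output shows that Require secured password with encryption still leaves MS-CHAP enabled alongside MS-CHAP v2, so that Typical combination does not meet the "only authentication method" condition in the last note.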