Configure Wireless Clients running Windows XP for PEAP-MS-CHAP v2 Authentication
Updated: March 29, 2012
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Use this procedure to configure a Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
To configure a PEAP-MS-CHAP v2 wireless profile for computers running Windows XP
Open the Windows XP Wireless Network (IEEE 802.11) Policies Properties dialog box.
On the General tab, do the following:
- In XP Policy Name, type a name for your wireless policy.
- In Description, type a description of the policy.
- In Networks to access, select either Any available network (access point preferred) or Access point (infrastructure) networks only.
- Select Use Windows WLAN AutoConfig service for clients.
On the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:
- In Network Name (SSID), type the service set identifier (SSID) for your network.
Note: The value you enter in this field must match the value configured on the access points you have deployed on your network.
- In Description, enter a description for the New Preferred Setting Properties.
- If you deployed wireless access points that are configured to suppress the broadcast beacon, select Connect even if the network is not broadcasting.
Security Note: Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.
- In Select the security methods for this network, in Authentication, select either WPA2 or WPA, and in Encryption, specify the encryption method for your network.
Note: In Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively. WPA-PSK and WPA2-PSK are for networks that do not use 802.1X authentication. Do not use them for 802.1X authenticated wireless access deployments.
Note: Selecting WPA2 exposes settings for Fast Roaming that are not displayed if WPA is selected. The default settings for Fast Roaming are sufficient for most wireless deployments.
Click the IEEE 802.1X tab. In EAP type , by default, Protected EAP (PEAP) is selected.
The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.
Click Settings . In the Protected EAP Properties dialog box, do the following:
- Select Validate server certificate.
- To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wireless access clients must use for authentication and authorization, in Connect to these servers, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to separate multiple RADIUS server names.
- In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).
Note: This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store.
- For improved security and a better user experience, select Do not prompt user to authorize new servers or trusted certification authorities.
- In Select Authentication Method, select Secured Password (EAP-MSCHAP v2).
- To enable PEAP Fast Reconnect, select Enable Fast Reconnect.
- To specify that Network Access Protection (NAP) performs system health checks on clients, to ensure that they meet health requirements before connections to the network are permitted, select Enforce Network Access Protection.
- To require cryptobinding Type-Length-Value (TLV), select Disconnect if server does not present cryptobinding TLV.
- To configure your clients so that they do not send their identity in plaintext before the client has authenticated the RADIUS server, select Enable Identity Privacy, and then, in the anonymous identity field, type a name or value, or leave the field empty.
For example, if Enable Identity Privacy is enabled and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select Enable Identity Privacy but do not provide an anonymous identity value, the identity response is @realm.
Click OK to save the Protected EAP Properties settings, and then click OK again to save the policy.
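The following Python model, added here as an illustration and not Microsoft's code, shows what the Protected EAP Properties settings above buy you on the client: the server certificate checks (Validate server certificate, Connect to these servers, Trusted Root Certification Authorities, and the prompt setting) decide whether the client proceeds to the inner MS-CHAP v2 exchange, and Enable Identity Privacy decides what identity goes over the air in the clear. The class and function names, the CA names and the host names are assumptions made for the example; the behaviour for an identity without a realm is also an assumption, since the page only gives examples with a realm.

```python
"""Model of the client-side checks controlled by the Protected EAP Properties settings.
Added illustration only; not Microsoft's implementation. All names are assumptions."""
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class PeapProfile:
    """The relevant Protected EAP Properties settings (hypothetical field names)."""
    validate_server_certificate: bool = True
    connect_to_these_servers: str = ""              # semicolon-separated names, as typed in the UI
    trusted_root_cas: Set[str] = field(default_factory=set)  # root CAs ticked in the policy
    prompt_user_for_new_servers: bool = False       # False = "Do not prompt user to authorize ..."
    enable_identity_privacy: bool = False
    anonymous_identity: str = ""


@dataclass
class ServerCertificate:
    """What the client learns from the NPS server's TLS certificate (simplified)."""
    subject_name: str      # name in the certificate's subject field
    root_ca: str           # root CA at the top of the chain
    chain_valid: bool      # chain builds and is within its validity period (assumed precomputed)


def parse_server_list(value: str) -> Set[str]:
    """Split the 'Connect to these servers' value on semicolons; names compare case-insensitively."""
    return {name.strip().lower() for name in value.split(";") if name.strip()}


def evaluate_server_certificate(profile: PeapProfile, cert: ServerCertificate,
                                machine_root_store: Set[str],
                                user_accepts: bool = False) -> Tuple[bool, str]:
    """Decide whether the client proceeds to the inner MS-CHAP v2 exchange.

    user_accepts models the answer a user would give if the client prompts; it is only
    consulted when prompting is enabled and a server or CA outside the policy is seen.
    """
    if not profile.validate_server_certificate:
        # Any server that completes the TLS handshake is accepted, so credentials could
        # go to an impostor; this is why the procedure selects Validate server certificate.
        return True, "server certificate not validated"
    if not cert.chain_valid:
        return False, "certificate chain is not valid"

    # Per the note on the page: no CA selected means every CA in the client's root store is trusted.
    trusted_roots = profile.trusted_root_cas or machine_root_store
    if cert.root_ca not in trusted_roots:
        if profile.prompt_user_for_new_servers and user_accepts:
            return True, "untrusted root CA accepted by user prompt"
        return False, "issuing root CA is not trusted by the policy"

    servers = parse_server_list(profile.connect_to_these_servers)
    if servers and cert.subject_name.lower() not in servers:
        if profile.prompt_user_for_new_servers and user_accepts:
            return True, "unlisted server accepted by user prompt"
        return False, "server name not in 'Connect to these servers'"
    return True, "server authenticated"


def outer_identity(user_identity: str, profile: PeapProfile) -> str:
    """Identity sent in the clear in the EAP-Response/Identity, following the page's examples."""
    if not profile.enable_identity_privacy:
        return user_identity
    realm = user_identity.partition("@")[2]
    # 'guest' with realm 'realm' -> 'guest@realm'; empty anonymous identity -> '@realm'.
    # An identity with no realm sends just the anonymous value (assumption, not from the page).
    return f"{profile.anonymous_identity}@{realm}" if realm else profile.anonymous_identity


# Constructed sample data: CA names and host names are placeholders, not real infrastructure.
CORP_STORE = {"Corp Root CA", "Public Root CA"}
PROFILE = PeapProfile(connect_to_these_servers="nps1.corp.example;nps2.corp.example",
                      trusted_root_cas={"Corp Root CA"},
                      enable_identity_privacy=True, anonymous_identity="guest")


def demo() -> None:
    genuine = ServerCertificate("nps2.corp.example", "Corp Root CA", True)
    impostor = ServerCertificate("nps2.corp.example", "Public Root CA", True)
    for cert in (genuine, impostor):
        print(cert.subject_name, cert.root_ca, evaluate_server_certificate(PROFILE, cert, CORP_STORE))
    print("outer identity:", outer_identity("alice@realm", PROFILE))


if __name__ == "__main__":
    demo()
```

Running the model shows the practical difference between a policy that selects a specific root CA and one that leaves the list empty: the impostor certificate chained to a public CA is rejected only in the first case, and the user prompt (when not disabled) is the remaining way such a certificate could be accepted.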