Remote access in this version of Windows supports the remote access authentication protocols listed in the following table. They are listed in order of decreasing security. We recommend that you use Extensible Authentication Protocol (EAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), and avoid the use of Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).
Protocol | Description | Security Level |
---|---|---|
EAP |
Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types. |
EAP offers the strongest security by providing the most flexibility in authentication variations. For more information, see EAP (http://go.microsoft.com/fwlink/?linkid=140608). |
MS-CHAP v2 |
Supports two-way mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user’s password. |
MS-CHAP v2 provides stronger security than CHAP. For more information, see MS-CHAP v2 (http://go.microsoft.com/fwlink/?linkid=140609). |
CHAP |
Uses the Message Digest 5 (MD5) hashing scheme to encrypt the response. |
CHAP is an improvement over PAP, in that the password is not sent over the PPP link. CHAP requires a plaintext version of the password to validate the challenge response. CHAP does not protect against remote server impersonation. For more information, see CHAP (http://go.microsoft.com/fwlink/?linkid=140610). |
PAP |
Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. |
PAP is the least secure authentication protocol. It does not protect against replay attacks, remote client impersonation, or remote server impersonation. For more information, seePAP (http://go.microsoft.com/fwlink/?linkid=140611). |
Unauthenticated access
RRAS also supports unauthenticated access, which means that user credentials (a user name and password) are not required. There are some situations in which unauthenticated access is useful. For more information, see Unauthenticated Access (http://go.microsoft.com/fwlink/?linkid=73649).
Security Note | |
|