Windows 7 / Networking

Supported Authentication Protocols

The following authentication protocols are supported for logon security for VPN connections in Windows 7:

  • PAP Stands for Password Authentication Protocol; uses plaintext (unencrypted) passwords.
  • CHAP Stands for Challenge Handshake Authentication Protocol; uses one-way MD5 hashing with challenge-response authentication.
  • MSCHAPv2 Stands for Microsoft Challenge Handshake Authentication Protocol version 2; an extension by Microsoft of the CHAP authentication protocol that provides mutual authentication of Windows-based computers and stronger data encryption. MSCHAPv2 is an enhancement of the earlier MS-CHAP protocol that provided only one-way authentication of the client by the server.
  • EAP Stands for Extensible Authentication Protocol; extends PPP by adding support for additional authentication methods including using smart cards and certificates.
  • PEAP Stands for Protected Extensible Authentication Protocol, or Protected EAP; enhances the protection provided by EAP by using Transport Layer Security (TLS) to provide a secure channel for EAP negotiation. PEAP is also used in Windows 7 to support NAP scenarios.

Starting with Windows Vista, the following authentication protocols have been deprecated for use by VPN connections:

  • SPAP (Shiva Password Authentication Protocol)
  • MS-CHAP
  • EAP using MD5

Note that by default PAP and CHAP are not enabled as authentication protocols on new VPN connections you create using the Set Up A Connection Or Network wizard. This is because PAP and CHAP are not considered secure; use them only when connecting to ISPs whose network access devices support only these older authentication schemes. And although PPTP in Windows 7 no longer supports MD5 for data integrity checking using L2TP/IPsecbased VPN connections, support for MD5 usage in CHAP has been maintained because of the continuing popularity of this authentication protocol with many broadband- and dial-up-based ISPs.

Table below summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to user authentication protocols used for VPN connections.

Note In addition to the user authentication protocols listed in Table below, L2TP/IPsec also supports machine-level authentication (using either pre-shared keys or machine certificates), and SSTP supports the client validating the server (using the certificate sent by the server to the client during the SSL negotiation phase).

Authentication Protocols Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP

Authentication ProtocolWindows 7Windows VistaWindows XP
PAP
SAP
CHAP
MS-CHAP
MS-CHAPv2
EAP with MD5 challenge
EAP with smart card
EAP with other certificate
PEAP
[Previous] [Contents] [Next]

In this tutorial:

  1. Connecting Remote Users and Networks
  2. Enhancements for Connecting Remote Users and Networks in Windows 7
  3. Understanding IKEv2
  4. Understanding MOBIKE
  5. Understanding VPN Reconnect
  6. Protocols and Features of VPN Reconnect
  7. How VPN Reconnect Works
  8. Understanding DirectAccess
  9. Benefits of DirectAccess
  10. How DirectAccess Works
  11. Windows 7 and Windows Server 2008 R2
  12. Ipv6
  13. IPsec
  14. Perimeter Firewall Exceptions
  15. Implementing DirectAccess
  16. Understanding BranchCache
  17. Benefits of BranchCache
  18. How BranchCache Works
  19. Protocols Supported by BranchCache
  20. Implementing BranchCache
  21. Supported Connection Types
  22. Outgoing Connection Types
  23. Incoming Connection Types
  24. Deprecated Connection Types
  25. Supported Tunneling Protocols
  26. Comparing the Different Tunneling Protocols
  27. Understanding Cryptographic Enhancements
  28. Support for AES
  29. Weak Cryptography Removal from PP TP/L2TP
  30. Supported Authentication Protocols
  31. Understanding the VPN Connection Negotiation Process
  32. Creating and Configuring VPN Connection
  33. Creating a VPN Connection
  34. Initiating a Connection
  35. Terminating a Connection
  36. Viewing Connection Details
  37. Configuring a VPN Connection
  38. Configuring Security Settings for a VPN Connection
  39. Configuring the Tunneling Protocol (s) Used
  40. Configuring Advanced Connection Settings
  41. Configuring the Data Encryption Level
  42. Configuring the Authentication Method Used
  43. Configuring Authentication for IKEv2 connections
  44. Configuring Mobility for IKEv2 Connections
  45. Configuring Dial-Up Connections
  46. Creating a Dial-Up Connection
  47. Advanced Connection Settings
  48. Configuring Incoming Connections
  49. Managing Connections Using Group Policy
  50. Using Remote Desktop
  51. Understanding Remote Desktop
  52. Versions of RDP
  53. RDP 6.1 Features and Enhancements
  54. RDP 7.0 new features and enhancements
  55. RemoteApp and Desktop Connection
  56. Understanding RDC
  57. Understanding Remote Desktop Services Terminology
  58. Configuring and Using Remote Desktop
  59. Enabling Remote Desktop and Authorizing Users on a Single Computer
  60. Enabling Remote Desktop Using Group Policy
  61. Configuring and Deploying Remote Desktop Connection
  62. Configuring Remote Desktop Connection from the Command Line
  63. Configuring Remote Desktop Connection Using Notepad
  64. Configuring Remote Desktop Using Group Policy
  65. Establishing a Remote Desktop Session
  66. Improving Remote Desktop Performance
  67. Troubleshooting Remote Desktop Sessions
  68. Configuring and Using RemoteApp and Desktop Connection