Article ID: 325725
This article was previously published under Q325725
RFC 2284 defines the Extensible Authentication Protocol (EAP), which provides support for multiple authentication methods. Although EAP was originally created for use with Point-to-Point Protocol (PPP), it has been adopted for use with IEEE 802.1x Network Port Authentication.
Since EAP's deployment, a number of weaknesses in EAP have become noticeable. These include the following:
PEAP with MS-CHAP v2 is provided with Windows XP Service Pack 1 (SP1) as part of enhanced EAP and IEEE 802.1x support. This permits Windows XP wireless clients to use PEAP with MS-CHAP v2 for secure wireless access with passwords instead of certificates.
The Internet Authentication Service (IAS) networking component provided with Windows Server 2003 also supports PEAP with MS-CHAP v2, permitting an IAS server to authenticate wireless clients that are running Windows XP SP1. IEEE 802.1x authentication with PEAP support is also available for Windows 2000 clients and the IAS component. For additional information about adding IEEE 802.1x with PEAP support to Windows 2000 clients and IAS servers, click the following article number to view the article in the Microsoft Knowledge Base:
313664 (http://support.microsoft.com/kb/313664/EN-US/) Using 802.1x Authentication on Computers Running Windows 2000
PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the wireless clients. IAS servers must have a certificate installed in their Local Computer certificate store. Instead of deploying a Public Key Infrastructure (PKI), you can purchase individual certificates from a third-party certification authority (CA) to install on your IAS servers. To make sure that wireless clients can validate the IAS server certificate chain, the root CA certificate of the CA that issues the IAS server certificates must be installed on each wireless client.
Windows XP includes the root CA certificates of many third-party CAs. If IAS server certificates are purchased from a third-party CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. For information about how to obtain a PEAP-compatible certificate from Verisign, visit the following Verisign Web site:
If you purchase your IAS server certificates from a third-party CA for which Windows XP does not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client.
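One way to check on a wireless client whether the IAS server certificate chains to a root CA that the client already trusts. This is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell 3.0 or later on the client and a copy of the IAS server certificate exported without its private key; the function name and the file name `ias-server.cer` are hypothetical.

```powershell
# Added example. Function name and certificate file name are hypothetical.
function Test-IasServerCertTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertificatePath   # exported IAS server certificate, public part only
    )

    $file = (Resolve-Path $CertificatePath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: revocation checking is switched off so the result reflects
    # only whether the chain reaches a root CA certificate this client trusts.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    # The last chain element is the highest certificate Windows could locate.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = @(Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0

    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($built) {
        $verdict = 'Chain ends in a trusted root; no client change needed.'
    } elseif ($flags -contains 'UntrustedRoot') {
        $verdict = 'Root CA certificate is not trusted; install it on this client.'
    } elseif ($flags -contains 'PartialChain') {
        $verdict = 'Issuer certificate not found on this client; chain is incomplete.'
    } else {
        $verdict = 'Chain failed for another reason; see ChainStatus.'
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        TopOfChain         = $top.Subject
        TopInTrustedRoots  = $inRootStore
        ChainStatus        = ($flags -join ', ')
        Verdict            = $verdict
    }
}

# Usage (file name is hypothetical):
# Test-IasServerCertTrust -CertificatePath .\ias-server.cer
```

An `UntrustedRoot` or `PartialChain` result corresponds to the case described above, where the issuing CA's root certificate still has to be installed on the client.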
Article ID: 325725 - Last Review: September 11, 2011 - Revision: 6.0