Implementing PEAP-MS-CHAP v2 authentication for Microsoft PPTP VPNs

Article ID: 2744850

INTRODUCTION

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol which is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs. Microsoft cautions that any organizations that use MS-CHAP v2 without encapsulation in conjunction with PPTP tunnels for VPN connectivity are running in a potentially nonsecure configuration. 

Recommendations

Microsoft suggests that organizations using MS-CHAP v2/PPTP implement the Protected Extensible Authentication Protocol (PEAP) in their networks. This mitigates the risk by encapsulating the MS-CHAP v2 authentication traffic in a TLS tunnel, so the challenge/response exchange is no longer exposed on the wire.

Configure PPTP to use PEAP-MS-CHAP v2 for authentication

PEAP-MS-CHAP v2

PEAP with MS-CHAP v2 as the client authentication method is one way to help secure VPN authentication. To enforce the use of PEAP on client platforms, Windows Routing and Remote Access Server (RRAS) servers should be configured to allow only connections that use PEAP authentication, and to refuse connections from clients that use MS-CHAP v2 or EAP-MS-CHAP v2. Administrators must check the corresponding authentication method options on the RRAS server and the Network Policy Server (NPS) server. 

Administrators must also confirm the following:
  • Server certificate validation is turned ON. (The default behavior is ON.)
  • Server Name validation is turned ON. (The default behavior is ON.) The correct server name must be specified. 
  • The root certificate from which the server certificate was issued is installed correctly in the client system's certificate store and is selected as a trusted root certification authority in the PEAP properties. (This is always ON.)
  • On Windows 7, Windows Vista, and Windows XP, the Do not prompt user to authorize new servers or trusted certification authorities check box in the PEAP properties window should be enabled. By default, it is disabled. 
Configure the RRAS Server for the PEAP-MS-CHAP v2 authentication method
The procedure for configuring the PEAP-MS-CHAP v2 authentication method for the RRAS server and for turning off the less secure methods MS-CHAP v2 and EAP-MS-CHAP v2 is briefly described in the following steps. 

Configure the authentication method for RRAS

To do this, follow these steps:
  1. In the RRAS Server Management window, open the Server Properties dialog box, and then click the Security tab.
  2. Click Authentication Methods.
  3. Make sure that the EAP check box is selected and that the MS-CHAP v2 check box is not selected.
Configure connections for NPS

Configure the Network Policy Server (NPS) to only allow connections from clients that use the PEAP-MS-CHAP v2 authentication method. To configure NPS, follow these steps:
  1. Open the NPS UI, click Policies, and then click Network Policies.  
  2. Right-click Connections to Microsoft Routing and Remote Access Server, and then select Properties.
  3. On the Properties UI, click the Constraints tab.
  4. In the left Constraints pane, select Authentication Methods, and then click to clear the check boxes for the MS-CHAP and MS-CHAP-v2 methods. 
  5. Remove EAP-MS-CHAP v2 from the EAP Types list.
  6. Click Add, select PEAP authentication method, and then click OK.

    Note: A valid server certificate must be installed in the "Personal" store, and a valid root certificate must be installed in the "Trusted Root CA" store of the server before configuring the NPS connection.
  7. Click Edit, and then select EAP-MS-CHAP v2 as the authentication method.
Configure the RRAS Client for PEAP-MS-CHAP v2 authentication method
Windows VPN clients can be configured to use the PEAP-MS-CHAP v2 authentication method by selecting the corresponding method from the VPN connection properties UI and by installing the appropriate root certificate on the client system.
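The client-side checklist above (server certificate validation, server name validation, a trusted root CA, and no prompt for new servers) can be verified against the EAP profile XML that a Windows client stores for the connection rather than by clicking through the PEAP properties dialog. The following is an added example, not part of this article or of any Microsoft tool: it parses a constructed PEAP profile and reports every setting that is not explicitly set as the checklist requires. It assumes the namespace URIs and element names of Microsoft's EAP host configuration XML (EapHostConfig / MsPeapConnectionPropertiesV1 and V2) as they appear in an exported profile; confirm them against a profile exported from your own client before relying on the checks. The thumbprint and server name in the sample are placeholders.

```python
"""Audit a Windows PEAP (EAP type 25) profile for the client settings that
KB2744850 lists: server certificate validation ON, server name validation ON
with a name specified, a trusted root CA selected, and the user never prompted
to authorize new servers or CAs.

Element and namespace names are assumed from Microsoft's EAP host configuration
XML; the profile below is constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "host": "http://www.microsoft.com/provisioning/EapHostConfig",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
PEAP_TYPE = "25"          # outer method: PEAP
EAP_MSCHAPV2_TYPE = "26"  # inner method: EAP-MS-CHAP v2

# Constructed sample profile (placeholder server name and CA thumbprint).
GOOD_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>vpn.example.test</ServerNames>
          <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
        </ServerValidation>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
        </Eap>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
          <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""

# The same profile with three settings weakened, to show the checker firing.
WEAK_PROFILE = (
    GOOD_PROFILE
    .replace("true</PerformServerValidation>", "false</PerformServerValidation>")
    .replace("<ServerNames>vpn.example.test</ServerNames>", "<ServerNames></ServerNames>")
    .replace("true</DisableUserPromptForServerValidation>",
             "false</DisableUserPromptForServerValidation>")
)


def _text(elem, path):
    """Text of the first element at a namespaced path, or '' when absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _is_true(value):
    return value.lower() == "true"


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the profile meets the
    checklist. A setting that is absent from the XML is reported as not set,
    because the profile then does not assert the required behaviour."""
    findings = []
    root = ET.fromstring(xml_text)
    outer = root.find("host:Config/base:Eap", NS)
    if outer is None or _text(outer, "base:Type") != PEAP_TYPE:
        return ["outer EAP method is not PEAP (type 25)"]
    peap = outer.find("peap:EapType", NS)
    if peap is None:
        return ["PEAP configuration block is missing"]

    if _text(peap, "base:Eap/base:Type") != EAP_MSCHAPV2_TYPE:
        findings.append("inner method is not EAP-MS-CHAP v2 (type 26)")
    if not _is_true(_text(peap, "peap:PeapExtensions/peap2:PerformServerValidation")):
        findings.append("server certificate validation is not ON")
    if not _is_true(_text(peap, "peap:PeapExtensions/peap2:AcceptServerName")):
        findings.append("server name validation is not ON")
    if not _text(peap, "peap:ServerValidation/peap:ServerNames"):
        findings.append("no server name is specified")
    if not _text(peap, "peap:ServerValidation/peap:TrustedRootCA"):
        findings.append("no trusted root CA is selected")
    if not _is_true(_text(peap, "peap:ServerValidation/peap:DisableUserPromptForServerValidation")):
        findings.append("user may be prompted to authorize new servers or CAs")
    return findings


if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, audit_peap_profile(profile) or ["OK"])
```

On a client where the connection was created with an EAP profile, the XML to feed into `audit_peap_profile` is the profile itself (for example, the EAP configuration exported from the connection); if your export wraps the same elements differently, adjust the paths in one place rather than the checks.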

Properties

Article ID: 2744850 - Last Review: August 20, 2012 - Revision: 1.4
Applies to
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows 7 Home Premium
  • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Keywords: 
kbexpertiseinter kbinfo kbsecadvisory kbsecurity kbsecvulnerability KB2744850
