This article was previously published under Q296739
This article has been archived. It is offered "as is" and will no longer be updated.
When you use the Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) for RAS or Radius Authentication, the first EAP Challenge from the RAS Server is ignored by the RAS client.
EAP MD5 has been updated in Windows 2000 Service Pack 2 to respond to the first EAP Challenge presented by the RAS Server.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Windows 2000 includes support for two new authentication protocols: Extensible Authentication Protocol and Transport Layer Security (EAP/TLS) for cryptographic smart cards and MSCHAPv2 for security enhancements over MSCHAPv1. These are mutual authentication protocols in which both the client and the server prove their identities.
For successful authentication, both the remote access client and authenticator must have the same EAP authentication module installed. Windows 2000 provides two EAP types: EAP-MD5 CHAP and EAP-TLS. You can also install additional EAP types. The components for an EAP type must be installed on every remote access client and every authenticator.