VPN Authentication Protocols

Windows 7 supports different password-based and certificate-based authentication protocols that can be used for both dial-up and VPN connections. Windows 7 first tries to use the most secure authentication protocol that is enabled and then falls back to less secure protocols if they are available.

The following is a list of supported authentication protocols:

Password Authentication Protocol (PAP) – By default, this protocol is disabled for Windows 7 VPN connections because it is no longer supported by remote access servers running Windows Server 2008. It is still available in Windows 7 because you may need to connect to older third-party VPN servers that are configured to use it. This protocol uses unencrypted passwords for authentication.

Challenge Handshake Authentication Protocol (CHAP) – This password-based authentication protocol is enabled by default for Windows 7 VPN connections, which allows you to connect to older third-party VPN servers that support it. Remote access servers running Windows Server 2008 do not support this protocol.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) – This is a password-based authentication protocol. A VPN connection that uses it can be configured to authenticate with the credentials of the currently logged-on user.

Protected Extensible Authentication Protocol with Transport Layer Security (PEAP-TLS) – This is a certificate-based authentication protocol where users authenticate using certificates. It requires the installation of a computer certificate on the VPN server.

EAP-MS-CHAPv2/PEAP-MS-CHAPv2 – This is the most secure password-based authentication protocol available to VPN clients running Windows 7. It requires the installation of a computer certificate on the VPN server, but it does not require a client certificate.

Smart Card or Other Certificate – This protocol is used when authenticating VPN connections using smart cards or certificates that are installed on the client computer.
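To make the difference between the PAP and CHAP entries above concrete, the following added example (not part of the original page, and not Windows code) builds the data each protocol puts on the wire: the PAP Authenticate-Request fields as laid out in RFC 1334, and the CHAP response value defined in RFC 1994. The user name, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(user: str, password: str) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): length-prefixed
    peer ID followed by the length-prefixed password, both in clear."""
    u, p = user.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(Identifier || secret || Challenge).
    Only this 16-byte digest is sent, never the secret itself."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the secret
    and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    user, secret = "alice", b"Constructed-Passw0rd"

    pap = pap_authenticate_request(user, secret.decode())
    print("PAP payload contains password:", secret in pap)

    # The server issues a fresh random challenge for each authentication.
    challenge = os.urandom(16)
    resp = chap_response(1, secret, challenge)
    print("CHAP response:", resp.hex())
    print("CHAP payload contains password:", secret in resp)
    print("Server accepts response:", chap_verify(1, secret, challenge, resp))

    # A captured response is useless against a new challenge.
    print("Replay accepted:", chap_verify(2, secret, os.urandom(16), resp))
```
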