Configure a Windows XP Wireless Connection Profile for PEAP-MS-CHAP v2

Updated: October 16, 2008

Applies To: Windows Server 2008, Windows Vista

This procedure provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile for computers running Windows XP.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure a Windows XP wireless connection profile for PEAP-MS-CHAP v2

  1. If you have not already done so, use the steps in the topic Open Wireless Network (IEEE 802.11) Policies for Editing to open the Windows Vista Wireless Network (IEEE 802.11) Policies properties page.

  2. On the General tab of the policy properties, in XP Policy Name, type a name for the policy, or leave the default name. In Description, type a brief description of the policy.


    For conceptual information about the settings on any tab of Wireless Network (IEEE 802.11) Policies, press F1 while viewing that tab.

  3. In Networks to access, select either Any available network (wireless AP preferred) or Access Point (infrastructure) network only.

  4. To specify that WLAN AutoConfig is used to configure wireless network adapter settings, select Use Windows to configure wireless network settings for clients.

  5. To allow clients to automatically connect to networks that are not specifically defined on the Preferred Networks tab, select Automatically connect to non-preferred networks.

  6. On the Preferred Networks tab, in Networks, click Add, and then select Infrastructure. The Network Properties dialog box opens.

  7. On the Network Properties dialog box, in Network Name (SSID), type the Service Set Identifier (SSID) that corresponds with the SSID configured on the wireless access point (AP).

  8. In Description, enter a description for the wireless network.

  9. If you deployed wireless APs that are configured to suppress the broadcast beacon frames, select Connect even if network is not broadcasting.

    Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.

  10. In Select the security methods for this network, in Authentication, select either WPA2 or WPA, and then in Encryption, specify either AES or TKIP.

    Additional considerations for these settings:

    1. In the XP Wireless Network (IEEE 802.11) Policy, WPA2 and WPA correspond to the WPA2-Enterprise and WPA-Enterprise settings, respectively, in the Windows Vista Wireless Network (IEEE 802.11) Policy.

    2. WPA2 is preferred over WPA; AES is preferred over TKIP. However, not all wireless network adapter drivers in Windows XP and Windows Vista support WPA2 or AES.

    3. Selecting WPA2 exposes additional settings for Fast Roaming that are not provided by WPA. The default settings for Fast Roaming are sufficient for typical deployments.

    4. Although available, do not select either WPA2-PSK or WPA-PSK. WPA2-PSK and WPA-PSK are intended for small office and home office networks, and cannot be used in this scenario.

  11. Click the IEEE 802.1X tab. In EAP type, by default, Protected EAP (PEAP) is selected.

  12. Click Settings. The Protected EAP Properties page opens.

  13. On the Protected EAP Properties page, in When Connecting, do the following:

    1. To specify that wireless clients must verify the authenticity of the NPS server certificate, select Validate server certificate (recommended).

    2. To specify which RADIUS servers wireless clients must use to provide network authentication and authorization, type the name of each NPS server exactly as it appears in the Subject field of each RADIUS server’s certificate.

    3. In Trusted Root Certification Authorities, select the trusted root certification authority corresponding to your NPS server certificate. For example, if your domain CA is named CA-01, select example-CA-01-CA.
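
The following is an added example, not part of the original procedure or of any Microsoft tooling: a Python check that reads a wireless profile in the WLAN profile XML format (as written by `netsh wlan export profile` on Windows Vista and later) and flags the choices this procedure advises against. The sample profile, its SSID, server name and thumbprint placeholder are constructed, and the EAP section is trimmed to the elements the check reads.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample profile (SSID, server name and thumbprint are placeholders).
SAMPLE_GOOD = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CorpWLAN</name>
<SSIDConfig><SSID><name>CorpWLAN</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
<MSM><security><authEncryption>
<authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
</authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><ServerNames>nps-01.example.com</ServerNames>
<TrustedRootCA>CONSTRUCTED-THUMBPRINT</TrustedRootCA></ServerValidation>
</EapType></EAPConfig></OneX></security></MSM></WLANProfile>"""

# The same profile with the weaker choices this procedure advises against.
SAMPLE_WEAK = (SAMPLE_GOOD.replace(">WPA2<", ">WPA<").replace(">AES<", ">TKIP<")
               .replace("nonBroadcast>false", "nonBroadcast>true")
               .replace("nps-01.example.com", "").replace("CONSTRUCTED-THUMBPRINT", ""))


def texts(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def audit_profile(xml_text):
    """Return findings for settings that differ from the procedure's guidance."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = (texts(root, "authentication") or [""])[0]
    enc = (texts(root, "encryption") or [""])[0]
    if auth.endswith("PSK"):
        findings.append("auth: %s is a pre-shared key mode, not usable with PEAP" % auth)
    elif auth != "WPA2":
        findings.append("auth: %s selected, WPA2 is preferred" % (auth or "none"))
    if enc != "AES":
        findings.append("encryption: %s selected, AES is preferred" % (enc or "none"))
    if "true" in texts(root, "nonBroadcast"):
        findings.append("ssid: connects to non-broadcast network, so clients probe")
    if not any(texts(root, "ServerNames")):
        findings.append("peap: no NPS server names listed for validation")
    if not any(texts(root, "TrustedRootCA")):
        findings.append("peap: no trusted root CA selected")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_profile(xml_text) or "no findings")
```

An empty result means the profile uses WPA2 with AES, does not connect to non-broadcast networks, and names both the NPS servers and a trusted root CA for server certificate validation.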