Authentication Protocols

Applies To: Windows Server 2008, Windows Server 2008 R2

When users attempt to connect to your network through network access servers, NPS authenticates and authorizes the connection request before allowing or denying access.

Because authentication is the process of verifying the identity of the user or computer attempting to connect to the network, NPS must receive proof-of-identity from the user or computer in the form of credentials.

Authentication protocols allow the transmission of these credentials from the computer or user who is proving their identity to the authenticator that is verifying their identity. Authentication methods typically use an authentication protocol that is negotiated by the Remote Authentication Dial-In User Service (RADIUS) server and the access client during the connection establishment process.

Each authentication protocol has advantages and disadvantages in terms of security, usability, and breadth of support. The authentication protocol used to transmit credentials is determined by the configuration of the following RADIUS infrastructure components: the access client, the RADIUS client, and the RADIUS server.


NPS also supports unauthenticated connections, although in most circumstances unauthenticated access is not recommended for security reasons.

You can configure NPS to accept the use of multiple authentication protocols. You can also configure your RADIUS clients to attempt to negotiate a connection by using the most secure protocol first, and then the next most secure, and so on down to the least secure. For example, the Routing and Remote Access service tries to negotiate a connection by using Extensible Authentication Protocol (EAP) first, then MS-CHAP v2, then MS-CHAP v1, then CHAP, and then PAP. When EAP is chosen as the authentication method, the negotiation of the EAP type occurs between the access client and the NPS server.


Before deploying authentication with NPS, consult your RADIUS client documentation to determine the authentication methods that are supported by the device.

In addition, you can use network policies to implement different authentication methods depending on the type of access client that is being authenticated. For example, you can create two network policies, one for VPN clients and one for wireless clients—each of which uses a different authentication method. The network policy for VPN clients can be configured to use EAP-TLS with smart cards or certificates as the authentication method and authentication type, while the network policy for wireless clients can be configured to use PEAP-MS-CHAP v2, which provides secure password authentication.
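
The following added example (not NPS or Routing and Remote Access code) models the ordered fallback and the per-client-type network policies described above, and reports which policies would still accept a weak protocol from a client that offers nothing better. The policy names, the sample policy contents, and the set of protocols treated as weak are assumptions made for this example.

```python
# Added example: a model of ordered protocol fallback, not NPS code.
# Preference order as listed in the text above, most secure first.
PREFERENCE = ["EAP", "MS-CHAP v2", "MS-CHAP v1", "CHAP", "PAP"]

# Assumption for this example: protocols an auditor treats as weak.
WEAK = {"MS-CHAP v1", "CHAP", "PAP"}

def negotiate(client_supported, server_allowed):
    """Return the first protocol in PREFERENCE that both sides accept, else None."""
    for proto in PREFERENCE:
        if proto in client_supported and proto in server_allowed:
            return proto
    return None  # no common protocol: the connection attempt is rejected

def worst_case(server_allowed):
    """Least secure protocol a policy still accepts, or None for an empty policy."""
    allowed = [p for p in PREFERENCE if p in server_allowed]
    return allowed[-1] if allowed else None

def audit(policies):
    """Map each policy name to its weakest accepted protocol when that is in WEAK."""
    findings = {}
    for name, allowed in policies.items():
        unknown = set(allowed) - set(PREFERENCE)
        if unknown:
            raise ValueError(f"{name}: unknown protocol(s) {sorted(unknown)}")
        floor = worst_case(allowed)
        if floor in WEAK:
            findings[name] = floor
    return findings

# Constructed sample policies (hypothetical names and contents).
POLICIES = {
    "VPN clients": {"EAP"},       # e.g. EAP-TLS is negotiated as the EAP type
    "Wireless clients": {"EAP"},  # e.g. PEAP-MS-CHAP v2 as the EAP type
    "Legacy dial-up": {"EAP", "MS-CHAP v2", "CHAP", "PAP"},
}

if __name__ == "__main__":
    legacy = POLICIES["Legacy dial-up"]
    # A capable client lands on the strongest common protocol.
    print(negotiate({"MS-CHAP v2", "PAP"}, legacy))
    # A client that offers only PAP is still accepted by the permissive policy.
    print(negotiate({"PAP"}, legacy))
    # The same client is rejected by the EAP-only policy.
    print(negotiate({"PAP"}, POLICIES["VPN clients"]))
    for name, floor in audit(POLICIES).items():
        print(f"{name}: accepts fallback down to {floor}")
```

The audit reports the floor of each policy because accepting multiple protocols means the weakest accepted one determines what a minimally capable client will end up using.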

Authentication methods

Some authentication methods implement the use of password-based credentials. For example, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) requires that users type in a user name and password. These credentials are then passed to the NPS server by the network access server, and then NPS verifies the credentials against the user accounts database.

Other authentication methods implement the use of certificate-based credentials for the user, the client computer, the NPS server, or some combination of these types of certificates. Certificate-based authentication methods provide stronger security than password-based authentication methods.

When you deploy NPS, you can specify the authentication method that is required for access to your network.

The following sections provide additional information on the authentication methods and protocols available for use with NPS.