Shiva Password Authentication Protocol

Applies To: Windows Server 2008, Windows Server 2008 R2

Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

To enable SPAP-based authentication, you must do the following:

  1. Enable SPAP as an authentication protocol on the RADIUS client. SPAP is disabled by default.

  2. Enable SPAP on the appropriate network policy. SPAP is disabled by default.

  3. Enable SPAP on the access client.


When you enable SPAP as an authentication protocol, the same user password is always sent in the same reversibly-encrypted form. This makes SPAP authentication susceptible to replay attacks, where an attacker captures the packets of the authentication process and replays the responses to gain authenticated access to your network. The use of SPAP is discouraged, especially for virtual private network connections.

Additional considerations

Following are additional things to consider before deploying SPAP:

  • If your password expires, SPAP cannot change passwords during the authentication process.

  • Make sure your network access server (NAS) supports SPAP before you enable it on a network policy on an NPS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with SPAP.