Configure Computers Running Windows XP to Use PEAP-MS-CHAP v2

Applies To: Windows Server 2008, Windows Vista

Follow these steps to configure a Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.

Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.

To configure wireless client computers running Windows XP by using the Wireless Network (IEEE 802.11) Policies

  1. In Windows XP Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do the following:

    1. In XP PolicyName, type a name for your wireless policy.

    2. In Description, type a brief description of the policy.

    3. In Networks to access, select Any available network (wireless AP preferred).

    4. Select Use Windows to configure wireless network settings for clients.

  2. On the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:

    1. In Network Name (SSID), type the service set identifier (SSID) for your network.

      The value that you enter in this field must match the value configured on the access points that you have deployed on your network.

    2. In Description, enter a description for the New Preferred Setting Properties.

    3. To specify that a network key is used for authentication to the wireless network, under Select the security methods for this network, in Authentication, select either WPA2 (preferred), or WPA. In Encryption, specify either AES or TKIP.

      In the Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively.

      Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.

  3. Click the IEEE 802.1X tab. In EAP type, by default, Protected EAP (PEAP) is selected.

    The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.

  4. Click Settings. In the Protected EAP Properties dialog box, do the following:

    1. Verify that Validate Server certificate is selected.

    2. In Select Authentication Method, select Secured password (EAP-MS-CHAP v2).

    3. In Trusted Root Certification Authorities, select the certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).

      Security Note
      This setting limits the CAs that clients trust to the selected values. If no CAs are selected, clients will trust all CAs in their Trusted Root Certification Authorities certificate store.

    4. To enable PEAP Fast Reconnect, make sure that Enable Fast Reconnect is selected.

  5. Click OK two times. The PEAP profile is listed under Networks. Click OK, and then close the Group Policy Management Console (GPMC).
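
One way to identify which CA to select in Trusted Root Certification Authorities, shown as an added example that is not part of the original procedure: run on the NPS server, it lists each certificate usable for server authentication together with the root CA at the top of its chain. It assumes the NPS server certificate is in the local computer's Personal store; the function name Test-ServerAuthCert is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the NPS server.
# Assumption: the NPS server certificate is in Cert:\LocalMachine\My.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Hypothetical helper: true if the certificate can be used for server authentication.
function Test-ServerAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    # A certificate without an EKU extension is not restricted to specific purposes.
    if (-not $eku) { return $true }
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $serverAuthOid) { return $true }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ServerAuthCert $_) } |
    ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation checks so the listing also works without network access.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($_)

        # The last chain element is the root only when the chain is complete.
        $elements = @($chain.ChainElements)
        $top = $elements[-1].Certificate

        New-Object PSObject -Property @{
            ServerCertSubject = $_.Subject
            ServerCertExpires = $_.NotAfter
            ChainBuilt        = $built
            TopOfChainSubject = $top.Subject
            TopOfChainThumb   = $top.Thumbprint
            # A root CA certificate is self-signed: subject equals issuer.
            TopIsSelfSigned   = ($top.Subject -eq $top.Issuer)
            # True when this server itself trusts that root.
            InLocalRootStore  = (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")
        }
    } |
    Select-Object ServerCertSubject, ServerCertExpires, ChainBuilt,
                  TopOfChainSubject, TopOfChainThumb, TopIsSelfSigned, InLocalRootStore |
    Format-List
```

If TopIsSelfSigned is False, the chain is incomplete on the server and the listed certificate is an intermediate, not the root CA that clients need to trust.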