Applies To: Windows 7, Windows Server 2008 R2

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.

Security Note
We recommend that you do not use PAP; it is included for backward compatibility only.

To enable PAP-based authentication, you must do the following:

  1. Enable PAP as an authentication protocol on the remote access server. PAP is disabled by default.

  2. Enable PAP on the appropriate network policy. PAP is disabled by default.

  3. Enable PAP on the remote access client.

Security Note
When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the packets of the authentication process can easily read the password and use it to gain unauthorized access to your intranet. The use of PAP is strongly discouraged, especially for virtual private network (VPN) connections.

Additional considerations

  • By disabling the support for PAP on the remote access server, plaintext passwords are never sent by the dial-up client. Disabling support for PAP increases authentication security, but remote access clients who only support PAP cannot connect.

  • If your password expires, PAP does not support the changing of passwords during the authentication process.

  • Make sure your network access server (NAS) supports PAP before you enable it on a network policy on a server running Network Policy Server (NPS). For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.

Additional references