Configure a Wireless Connection Profile for PEAP-MS-CHAP v2

Updated: October 4, 2010

Applies To: Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP

This procedure provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure a Windows Vista wireless connection profile for PEAP-MS-CHAP v2

  1. If you have not already done so, use the steps in the topic Open Wireless Network (IEEE 802.11) Policies for Editing to open the Windows Vista New Wireless Network Policy Properties dialog.

  2. On your domain controller running Windows Server 2008 R2, in New Wireless Network Policy Properties, on the General tab, in Policy Name, type a name for the policy, or accept the default name.


If you change the default policy name, New Wireless Network Policy, then both the New Wireless Network Policy Properties dialog and the activated policy module in Group Policy Management Editor will change to match the new policy name.

  1. In Description, type a brief description for the policy.

  2. To specify that WLAN AutoConfig is used to configure wireless network adapter settings, select Use Windows to configure wireless network settings for clients.

  3. On the General tab, do one of the following:

    • To add and configure a new profile, click Add, and then select Infrastructure.

    • To edit an existing profile, select the profile you want to modify, and then click Edit. The New Profile Properties dialog opens.

  4. On the Connection tab, in Profile Name:

    1. If you are adding a new profile, it is recommended that you type a new name for the profile. For example, type WLAN Profile for Windows Vista.

    2. If you are editing a profile that is already added, use the existing profile name, or modify the name as needed.

  5. In Network Name(s) (SSID), type the SSID that corresponds to the SSID configured on your wireless APs, and then click Add.

    If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply.

    If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.

  6. If NEWSSID is present, select it, and then click Remove.

  7. If you deployed wireless access points that are configured to suppress the broadcast beacon, select Connect even if the network is not broadcasting.


Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.

  1. Click the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.

      When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for typical wireless deployments.

    2. To enable Single Sign On, select Enable Single Sign On for this network.

    3. The remaining default values in Single Sign On are sufficient for typical wireless deployments.

    4. In Fast Roaming, select This network uses pre-authentication, if your wireless AP is configured for pre-authentication.

  2. To specify that wireless communications meet FIPS 140-2 standards, select Perform cryptography in FIPS 140-2 certified mode.

  3. Click OK to return to the Security tab. In Select the security methods for this network, in Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.

  4. In Encryption, select AES, if it is supported by your wireless AP and wireless client network adapters. Otherwise, select TKIP.


The settings for both Authentication and Encryption must match the settings configured on your wireless AP. The default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for typical wireless deployments.

  1. In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. The Protected EAP Properties page opens.

  2. In Protected EAP Properties, verify that Validate server certificate is selected.

  3. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your NPS server.


This setting limits the root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, then clients will trust all root CAs listed in their trusted root certification authority store.

  1. Select Do not prompt user to authorize new servers or trusted certification authorities. Selecting this setting provides an enhanced user experience and better security.

  2. In the Select Authentication Method list, select Secured password (EAP-MS-CHAP v2).

  3. To enable PEAP Fast Reconnect, select Enable Fast Reconnect.

  4. If Network Access Protection (NAP) is configured on your network, select Enable Quarantine checks. Otherwise, clear this check box.

  5. To require server cryptobinding TLV on connection attempts, select Disconnect if server does not present cryptobinding TLV.

  6. To specify that user identity is masked in phase one of authentication, select Enable Identity Privacy, and in the textbox, type an anonymous identity name, or leave the textbox blank.


The NPS policy for 802.1X Wireless must be created by using NPS Connection Request Policy. If the NPS policy is created in by using NPS Network Policy, then identity privacy will not work.


EAP identity privacy is provided by certain EAP methods where an empty or an anonymous identity (different from the actual identity) is sent in response to the EAP identity request. PEAP sends the identity twice during the authentication. In the first phase, the identity is sent in plain text and this identity is used for routing purposes, not for client authentication. The real identity – used for authentication - is sent during the second phase of the authentication, within the secure tunnel that is established in the first phase. If Enable Identity Privacy checkbox is selected, the username is replaced with the entry specified in the textbox. For example, assume Enable Identity Privacy is selected and the identity privacy alias anonymous is specified in the textbox. For a user with a real identity alias, the identity sent in first phase of authentication will be changed to The realm portion of the 1st phase identity is not modified as it is used for routing purposes.

  1. Click Configure. In the EAP MSCHAPv2 Properties dialog box, verify Automatically use my Windows logon name and password (and domain if any) is selected, click OK, and then click OK to close Protected EAP Properties.

  2. Click OK to close the Security tab, and then click OK again to close the Vista Wireless Network Policy.