Extensible Authentication Protocol (EAP)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to an increasing demand for authentication methods that use security devices, such as smart cards, token cards, and crypto calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.

By using EAP, you can support additional authentication schemes, known as EAP types. These schemes include token cards, one-time passwords, public key authentication using smart cards, and certificates. EAP, in conjunction with strong EAP types, is a critical technology component for secure virtual private network (VPN) connections. Strong EAP types, such as those based on certificates, offer better security against brute-force or dictionary attacks and password guessing than password-based authentication protocols, such as CHAP or MS-CHAP.

To find out if an EAP type is being used in your organization, contact your network administrator.

To configure a connection for EAP, see Configure identity authentication and data encryption settings.

The Windows Server 2003 family supports two EAP types:

  • EAP-MD5 CHAP (equivalent to the CHAP authentication protocol)

  • EAP-TLS (used for user certificate-based authentication).

EAP-TLS is a mutual authentication method, which means that both the client and the server prove their identities to each other. During the authentication process, the remote access client sends its user certificate and the remote access server sends its computer certificate. If either certificate is not sent or is invalid, the connection is terminated.


  • During the EAP-TLS authentication process, shared secret encryption keys for Microsoft Point-to-Point Encryption (MPPE) are generated.