EAP over MS-CHAP Version 2: Preferred Method of Remote Access Authentication

Extensible Authentication Protocol (EAP) is an authentication framework that is used in wireless networks. It relies on other protocols to encapsulate the EAP messages.

The remote access authentication method I would most prefer to use is EAP over MS-CHAP version 2 with TLS. The security level for a remote access environment in a client would be enormous. To set up secure network authentication, we would use MS-CHAP v2, which supports data encryption with manual LAN manager encryption to protect from “man in the middle” attacks. EAP would be an additional authentication used by CHAP, using an authentication server and clients with certificates. The data sent over EAP, however, is not encrypted by itself. With EAP over TLS, the EAP traffic would go through a secure, encrypted layer and use Windows Active Directory as the user database. A RADIUS server would be necessary to receive the authentication requests and securely authorize access. Windows Server can set up a Network Policy Server (NPS) to act as a RADIUS server that serves the RADIUS clients on the network.
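The encapsulation described above, where EAP messages ride inside RADIUS requests to the authentication server, is sketched here as an added example that is not part of the original post. It follows the RADIUS EAP-Message and Message-Authenticator attributes of RFC 3579; the shared secret and the identity are constructed sample values.

```python
import hashlib, hmac, os, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def eap_response(eap_type: int, data: bytes, ident: int = 1) -> bytes:
    """EAP Response: code 2, identifier, total length, method type, type data."""
    return struct.pack("!BBHB", 2, ident, 5 + len(data), eap_type) + data

def build_access_request(eap: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Wrap an EAP packet in a RADIUS Access-Request (code 1) and sign it."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]  # 253-byte value cap
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed for the HMAC
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_access_request(pkt: bytes, secret: bytes) -> dict:
    """Check Message-Authenticator, then reassemble and decode the EAP packet."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(pkt), 20
    while pos < len(pkt):
        alen = pkt[pos + 1] if pos + 1 < len(pkt) else 0
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("bad attribute length")
        if pkt[pos] == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]  # fragments are concatenated in order
        elif pkt[pos] == MESSAGE_AUTHENTICATOR and alen == 18:
            mac = pkt[pos + 2:pos + alen]
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator missing or invalid")
    if len(eap) < 5 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("bad EAP length")
    return {"radius_id": pkt[1], "eap_code": eap[0], "eap_id": eap[1],
            "eap_type": EAP_TYPES.get(eap[4], f"type {eap[4]}"), "eap_data": eap[5:]}

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample value
    req = build_access_request(eap_response(1, b"alice@example.test"), SECRET)
    print(parse_access_request(req, SECRET))
```

The parser rejects any request whose Message-Authenticator is missing or does not verify, which is the check a RADIUS server applies before it looks at the EAP payload.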

There are risks in implementing MS-CHAP v2 EAP with TLS authentication, since it requires a Windows Active Directory server and an NPS server. Most home consumer-scale setups are not capable of this. Having a Microsoft server means that the server must be managed and kept up and running, so someone would need to be hired to maintain and troubleshoot it. The implementation of this authentication method would also be a lot more costly: there would be a need for an extra server, plus the cost of managing it. An authentication method that requires a RADIUS server would not be necessary for home and small-business-scale companies.

802.1X is an IEEE standard for port-based Network Access Control (NAC) that relies on EAP.


Shinder, D. (2006) Choosing a remote access authentication scheme. Retrieved from

