How to choose a VPN auth protocol

by Mitch Tulloch [Published on 17 Jan. 2007 / Last Updated on 17 Jan. 2007]

How do you decide which auth protocol to use on a VPN client?

Virtual Private Networking in Microsoft Windows supports several authentication protocols including EAP-TLS, mS-CHAPv2, and others. Which VPN authentication protocol should you use in which circumstance? Here's a quick guide:

Use EAP-TLS if your VPN clients need to use smart cards or if your enterprise already has a CA in place that issues user certificates.

Use MS-CHAPv2 if you need to use a password-based authentication method, and make sure you force the use of strong passwords using Group Policy.

Use less secure auth protocols like MS-CHAP, CHAP and PAP only if you absolutely must for backward compatibility reasons.


Mitch Tulloch is President of MTIT Enterprises, an IT content development company based in Winnipeg, Canada. Prior to starting his own company in 1998, Mitch worked as a Microsoft Certified Trainer (MCT) for Productivity Point International. Mitch is a widely recognized expert on Windows administration, networking and security and has written 14 books and over a hundred articles on various topics. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy Microsoft platforms, products and solutions. Mitch is also a professor at Jones International University (JIU) where he teaches graduate-level courses in Information Security Management (ISM) for their Masters of Business Administration (MBA) program. For more information see

See Also

The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links