Dial-up connection authentication and data encryption

The Typical (recommended settings) security options that you select on the Security tab result in a predefined set of authentication methods and encryption requirements that are negotiated with the server during a PPP exchange.

The following table shows the authentication and data encryption methods that you can use with each combination of Validate my identity as follows and Require data encryption (disconnect if none) selections. You can also view these settings by making your identity validation and data encryption requirement selections in Typical (recommended) settings, and then clicking Settings in Advanced (custom) settings.

You may individually enable, configure, and disable these combinations of security settings by using Advanced (custom settings), but this requires a knowledge of security protocols.

For more information about a specific authentication or data encryption method, click the method in the table. For information about configuring a connection, see To configure a connection to a remote network.

Validate my identity as follows	Require data encryption	Authentication methods negotiated	Encryption enforcement
Allow unsecured password	No	PAP, CHAP, SPAP, MS-CHAP, MS-CHAP v2	Optional encryption (connect even if no encryption)
Require secured password	No	CHAP, MS-CHAP, MS-CHAP v2	Optional encryption (connect even if no encryption)
Require secured password	Yes	MS-CHAP, MS-CHAP v2	Require encryption (disconnect if server declines)
Smart card	No	EAP-TLS	Optional encryption (connect even if no encryption)
Smart card	Yes	EAP-TLS	Require encryption (disconnect if server declines)

Notes

Data is only encrypted if MS-CHAP, MS-CHAP v2, or EAP-TLS authentication is negotiated. These are the only authentication protocols that generate their own initial encryption keys, which are required for encryption.
Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections. Strong (128-bit key) and standard (40-bit key) MPPE encryption schemes are supported.
MS-CHAP v2 and EAP are mutual authentication protocols, which means that both the client and the server prove their identities. If your connection is configured to use either MS-CHAP v2 or EAP as its only authentication method, and the server that you are connecting to does not provide proof of its identity, your connection disconnects. Previously, servers could skip authentication and simply accept the call. This change ensures that you can configure a connection to connect to the expected server.