SPAP

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. A computer running Windows XP Professional uses SPAP when it connects to a Shiva LAN Rover, and a Shiva client uses SPAP when it connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.

To enable SPAP-based authentication, you must do the following:

  1. Enable SPAP as an authentication protocol on the remote access server. For more information, see Enable authentication protocols. SPAP is disabled by default.

  2. Enable SPAP on the appropriate remote access policy. For more information, see Configure authentication. SPAP is disabled by default.

  3. Enable SPAP on the remote access client. For more information, see Shiva Password Authentication Protocol (SPAP).

Important

  • When you enable SPAP as an authentication protocol, the same user password is always sent in the same reversibly encrypted form. This makes SPAP authentication susceptible to replay attacks, where an attacker captures the packets of the authentication process and replays the responses to gain authenticated access to your intranet. The use of SPAP is discouraged, especially for virtual private network connections.
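To make the replay weakness described in the note concrete, the following Python illustration is added here; it is not part of the original Microsoft documentation and does not implement Shiva's actual SPAP transform (the page does not give it). A constructed XOR-with-fixed-key transform stands in for any deterministic reversible encoding, reproducing the single property the note relies on (the same password always produces the same bytes on the wire), and it is contrasted with a generic nonce-based challenge-response check built on HMAC-SHA256, which is an assumption for illustration and not the MS-CHAP algorithm.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for a deterministic, reversible password transform.
# NOT the real SPAP algorithm; it only has the property the note describes:
# identical password -> identical wire form, every session.
STATIC_KEY = b"demo-static-key"  # assumption: a fixed key shared by all sessions


def _xor_with_static_key(data: bytes) -> bytes:
    """XOR with a fixed repeating key; applying it twice restores the input."""
    return bytes(b ^ STATIC_KEY[i % len(STATIC_KEY)] for i, b in enumerate(data))


def deterministic_encode(password: str) -> bytes:
    return _xor_with_static_key(password.encode())


def deterministic_decode(blob: bytes) -> str:
    return _xor_with_static_key(blob).decode()


@dataclass
class DeterministicPasswordServer:
    """Accepts any token that decodes to the stored password.

    Because the wire form never changes, the server has no way to tell a
    freshly generated token from one captured during an earlier session.
    """
    password: str

    def authenticate(self, token: bytes) -> bool:
        return hmac.compare_digest(_xor_with_static_key(token), self.password.encode())


@dataclass
class ChallengeResponseServer:
    """Generic nonce-bound check (HMAC-SHA256, an illustrative stand-in).

    Each session gets a fresh random challenge, so a response recorded in one
    session does not verify against the challenge of another.
    """
    password: str
    outstanding: dict = field(default_factory=dict)

    def issue_challenge(self, session_id: str) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[session_id] = nonce
        return nonce

    def authenticate(self, session_id: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(session_id, None)  # one use per challenge
        if nonce is None:
            return False
        expected = hmac.new(self.password.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def run_demo(password: str = "correct horse") -> dict:
    """Run both schemes through a first login and a replayed second login."""
    det = DeterministicPasswordServer(password)
    session1_token = deterministic_encode(password)
    session2_token = deterministic_encode(password)  # byte-identical to session 1

    cr = ChallengeResponseServer(password)
    nonce1 = cr.issue_challenge("s1")
    response1 = client_response(password, nonce1)
    cr_first = cr.authenticate("s1", response1)
    cr.issue_challenge("s2")                      # new session, new nonce
    cr_replayed = cr.authenticate("s2", response1)  # response1 is bound to nonce1

    return {
        "deterministic_tokens_identical": session1_token == session2_token,
        "deterministic_first_login": det.authenticate(session1_token),
        # the token recorded from session 1 is indistinguishable from a real login
        "deterministic_replay_accepted": det.authenticate(session1_token),
        "challenge_response_first_login": cr_first,
        "challenge_response_replay_accepted": cr_replayed,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the numbers make: under the deterministic scheme the server's own check cannot distinguish a replayed token from a genuine one, so the only mitigations are the ones the page gives (leave SPAP disabled, use CHAP or MS-CHAP, and never rely on it for VPN connections); the challenge-response server rejects the replay because the recorded response is tied to a nonce that was consumed and never reissued.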

Notes

  • SPAP cannot change an expired password during the authentication process.

  • Make sure your network access server (NAS) supports SPAP before you enable it on a remote access policy on an IAS server. For more information, see your NAS documentation.

  • You cannot use Microsoft Point-to-Point Encryption (MPPE) with SPAP.