Skip navigation

CHAP peer authentication failed

4924 Views 10 Replies Latest reply: Dec 4, 2013 2:20 PM by richosad RSS
YUZA-Tom Level 1 Level 1 (0 points)
Currently Being Moderated
Jun 20, 2013 8:58 AM

I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.



Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.


The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.


Trawling the logs, I'd see:


CHAP peer authentication failed for '[user]'.


... where [user] is the short name of a user, e.g. 'jonny.appleseed'.


The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.


Steps to Reproduce

1. Create a new user

2. Permit access to VPN

3. Configure VPN settings on client; PPTP or L2TP

4. Try to 'connect'

5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "



Steps to Correct

1. On the server, download 'Workgroup Manager'

You'll find the correct version of Workgroup Manager here: For Mountain Lion, you'll need Workgroup Manager 10.8.


2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin


3. From the list of users on the left, select a user who is having trouble connecting to the VPN


4. Select the 'Advanced' tab


5. Click 'Options'

(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)


6. De-select 'be changed at next login'

Screen Shot 2013-06-20 at 16.49.35.png



This user should now be able to connect to the VPN.



I hope this saves someone else months of frustration.

OS X Server, VPN
  • cspearsall Calculating status...
    Currently Being Moderated
    Jul 3, 2013 11:49 AM (in response to YUZA-Tom)

    First of all, thank you for posting this.  I hope when I get to this point it actually works.  However I am stuck at not being able to open the Options window even after I authenticate.  Not sure what the problem is!!Screen Shot 2013-07-03 at 2.13.44 PM.png

  • enokoner Level 1 Level 1 (0 points)
    Currently Being Moderated
    Jul 7, 2013 1:30 PM (in response to cspearsall)

    I'm running into the same problem. Will post, if I figure it out.

  • enokoner Level 1 Level 1 (0 points)
    Currently Being Moderated
    Jul 7, 2013 1:47 PM (in response to cspearsall)

    I figured it  out. You have to create user from Profile Manager not from the the Server app.  From here the options button was enabled. However, when it opended up tghe dialog box 'be changed at next login' was already unchecked. I tried logging in as this user and got the same error. 


    Unsupported protocol 0x8057 received

    MPPE required but peer negotiation failed

  • enokoner Level 1 Level 1 (0 points)
    Currently Being Moderated
    Jul 7, 2013 2:11 PM (in response to enokoner)

    I got L2TP  working! From my 3g iphone!



    1. System Preferences ---> Network

    2. Click ' +'  to add a new service

    3. Select Ethernet for Interface. Name it something like 'VPN Access'

    4. Select a new ip in a range that will not be used by the VPN client. Server sets the range for clients above 31. I chose 25 randomly.

    5.  Go to the server applicatio.---> Edit under DNS Settings

    6. Chane the name server to the address you chose. 

    7. Restart and it should work. 

  • AdamShaw Calculating status...
    Currently Being Moderated
    Aug 8, 2013 10:37 PM (in response to YUZA-Tom)

    Thank you, this solved my problem and saved me a lot of time!


    But I also found, as enkoner said, that the user needed to be created in the Workgroup Manager and not in the Server App.

  • d.hamann Calculating status...
    Currently Being Moderated
    Sep 23, 2013 3:52 AM (in response to YUZA-Tom)

    Thanks for this description, YUZA-Tom. I had the exact same problem and have it fixed now.


    @AdamShaw: I could create the user in the Server App – worked just fine.

  • lh99 Calculating status...
    Currently Being Moderated
    Oct 14, 2013 1:02 PM (in response to YUZA-Tom)

    I tried this fix along with a few others that came up when I searched for "CHAP peer authentication failed." None worked for me, but simply deleting the user account and then re-creating it did.


    The user account that wasn't working had been created prior to installing Server / configuring VPN; maybe it has something to do with that. Any new accounts I create work fine but none of the old ones do.

  • Scott Hannahs Calculating status...
    Currently Being Moderated
    Oct 14, 2013 3:28 PM (in response to YUZA-Tom)

    I have the same CHAP peer authentication failed.  However I don't have the "options" button on the work group manager.  This is only for Active Directory users.  Locally created users have a different password type.


    Local users have a "Shadow Password" that has "Options".  The AD users all have a "Crypt Password" as shown below.  How can I allow these AD users to have VPN access and authenticate correctly?


    Can AD users be converted to another type of password?  Can this password type work with VPN to get the CHAP authentication correct?



    Untitled 2.png

  • the_powerbart Calculating status...
    Currently Being Moderated
    Dec 1, 2013 9:46 AM (in response to YUZA-Tom)

    I had the same problem... Banging my head into the wall ...


    I tried everything... In the end, I deleted the OpenDirectory store in "Server App" and created a new one...
    And then is was working like chame :-)


    Note: The users you are adding, should MAYBE only be "Network users - service only" ...

  • richosad Calculating status...
    Currently Being Moderated
    Dec 4, 2013 2:20 PM (in response to the_powerbart)

    Thanks for the hint: "Note: The users you are adding, should MAYBE only be "Network users - service only" ...


    that solved my problem. See also here at the end of video:


More Like This

  • Retrieving data ...

Bookmarked By (0)

This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.