YUZA-Tom

Q: CHAP peer authentication failed

I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.

 

Issue

Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.

 

The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.

 

Trawling the logs, I'd see:

 

CHAP peer authentication failed for '[user]'.

 

... where [user] is the short name of a user, e.g. 'jonny.appleseed'.

 

The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.


 

Steps to Reproduce

1. Create a new user

2. Permit access to VPN

3. Configure VPN settings on client; PPTP or L2TP

4. Try to 'connect'

5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "

 

 

Steps to Correct

1. On the server, download 'Workgroup Manager'

You'll find the correct version of Workgroup Manager here: http://support.apple.com/kb/HT1822. For Mountain Lion, you'll need Workgroup Manager 10.8.

 

2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin

 

3. From the list of users on the left, select a user who is having trouble connecting to the VPN

 

4. Select the 'Advanced' tab

 

5. Click 'Options'

(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)

 

6. De-select 'be changed at next login'


 

Result

This user should now be able to connect to the VPN.

 

 

I hope this saves someone else months of frustration.

OS X Server, VPN

Posted on Jun 20, 2013 8:58 AM
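The pattern described in the post above (some accounts never connect while others work) can be told apart from ordinary mistyped passwords by tallying the VPN log per user. This is an added example, not part of the original thread; the sample lines are constructed, and the timestamp prefix and the "succeeded" message wording are assumptions about the log format.

```python
import re
from collections import defaultdict

# Constructed sample log. Only the "failed" wording comes from the thread;
# the timestamp prefix and the "succeeded" line are assumed formats.
SAMPLE_LOG = """\
Thu Jun 20 08:40:11 2013 : CHAP peer authentication succeeded for 'admin'
Thu Jun 20 08:41:02 2013 : CHAP peer authentication failed for 'new.user'
Thu Jun 20 08:41:30 2013 : CHAP peer authentication failed for 'new.user'
Thu Jun 20 08:43:17 2013 : CHAP peer authentication failed for 'jonny.appleseed'
Thu Jun 20 08:43:40 2013 : CHAP peer authentication succeeded for 'jonny.appleseed'
Thu Jun 20 08:50:05 2013 : CHAP peer authentication failed for 'new.user'
Thu Jun 20 09:02:51 2013 : L2TP connection established.
"""

EVENT_RE = re.compile(r"CHAP peer authentication (failed|succeeded) for (\S+)")

def triage(log_text):
    """Classify each user seen in the log by CHAP outcome pattern."""
    tally = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated log line
        user = m.group(2).strip("'\".")  # drop quotes / trailing period
        tally[user][m.group(1)] += 1

    report = {}
    for user, n in tally.items():
        if n["failed"] and not n["succeeded"]:
            # Never authenticates: look at the account (e.g. a forced
            # password change flag) rather than the typed password.
            report[user] = "always-fails"
        elif n["failed"]:
            report[user] = "intermittent"  # more consistent with typos
        else:
            report[user] = "ok"
    return report

if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user:20} {verdict}")
```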

  • by cspearsall,

    cspearsall Jul 3, 2013 11:49 AM in response to YUZA-Tom
    Level 1 (0 points)

    First of all, thank you for posting this. I hope when I get to this point it actually works. However, I am stuck at not being able to open the Options window even after I authenticate. Not sure what the problem is!!

  • by enokoner,

    enokoner Jul 7, 2013 1:30 PM in response to cspearsall
    Level 1 (0 points)

    I'm running into the same problem. Will post, if I figure it out.

  • by enokoner,

    enokoner Jul 7, 2013 1:47 PM in response to cspearsall
    Level 1 (0 points)

    I figured it out. You have to create the user from Profile Manager, not from the Server app. From here the Options button was enabled. However, when it opened up the dialog box, 'be changed at next login' was already unchecked. I tried logging in as this user and got the same error.

     

    Unsupported protocol 0x8057 received

    MPPE required but peer negotiation failed

  • by enokoner,

    enokoner Jul 7, 2013 2:11 PM in response to enokoner
    Level 1 (0 points)

    I got L2TP working! From my 3G iPhone!

     

    Steps

    1. System Preferences ---> Network

    2. Click '+' to add a new service

    3. Select Ethernet for Interface. Name it something like 'VPN Access'

    4. Select a new IP in a range that will not be used by the VPN client. Server sets the range for clients above 31. I chose 25 randomly.

    5. Go to the Server application ---> Edit under DNS Settings

    6. Change the name server to the address you chose.

    7. Restart and it should work. 

  • by AdamShaw,

    AdamShaw Aug 8, 2013 10:37 PM in response to YUZA-Tom
    Level 1 (5 points)

    Thank you, this solved my problem and saved me a lot of time!

     

    But I also found, as enokoner said, that the user needed to be created in the Workgroup Manager and not in the Server App.

  • by d.hamann,

    d.hamann Sep 23, 2013 3:52 AM in response to YUZA-Tom
    Level 1 (0 points)

    Thanks for this description, YUZA-Tom. I had the exact same problem and have it fixed now.

     

    @AdamShaw: I could create the user in the Server App – worked just fine.

  • by lh99,

    lh99 Oct 14, 2013 1:02 PM in response to YUZA-Tom
    Level 1 (0 points)

    I tried this fix along with a few others that came up when I searched for "CHAP peer authentication failed." None worked for me, but simply deleting the user account and then re-creating it did.

     

    The user account that wasn't working had been created prior to installing Server / configuring VPN; maybe it has something to do with that. Any new accounts I create work fine but none of the old ones do.

  • by Scott Hannahs,

    Scott Hannahs Oct 14, 2013 3:28 PM in response to YUZA-Tom
    Level 1 (0 points)

    I have the same CHAP peer authentication failed. However, I don't have the "Options" button in Workgroup Manager. This is only for Active Directory users. Locally created users have a different password type.

     

    Local users have a "Shadow Password" that has "Options".  The AD users all have a "Crypt Password" as shown below.  How can I allow these AD users to have VPN access and authenticate correctly?

     

    Can AD users be converted to another type of password?  Can this password type work with VPN to get the CHAP authentication correct?

     

     

    Untitled 2.png

  • by the_powerbart,

    the_powerbart Dec 1, 2013 9:46 AM in response to YUZA-Tom
    Level 1 (0 points)

    I had the same problem... Banging my head into the wall ...

     

    I tried everything... In the end, I deleted the OpenDirectory store in "Server App" and created a new one...
    And then it was working like a charm :-)

     

    Note: The users you are adding, should MAYBE only be "Network users - service only" ...

  • by richosad,

    richosad Dec 4, 2013 2:20 PM in response to the_powerbart
    Level 1 (10 points)

    Thanks for the hint: "Note: The users you are adding, should MAYBE only be 'Network users - service only' ..."

    That solved my problem. See also here at the end of video:

    http://www.youtube.com/watch?v=gG8HcsQuyjI

  • by sirgorash,

    sirgorash Jan 22, 2015 1:46 AM in response to YUZA-Tom
    Level 1 (0 points)

    Sadly I have to bring this subject up again. I'm experiencing the same problem on the new Yosemite Server; the only problem is the Workgroup Manager doesn't work in Yosemite :)

  • by zantafio,

    zantafio Mar 12, 2015 6:12 PM in response to YUZA-Tom
    Level 1 (12 points)
    Mac OS X

    I have the same problem. I cannot log in using my admin account: I'm getting the CHAP peer authentication failed error, but if I use a new account to log in, the connection works immediately.

  • by John Lockwood,

    John Lockwood Mar 13, 2015 3:31 AM in response to sirgorash
    Level 6 (9,349 points)
    Servers Enterprise

    sirgorash wrote:

     

    Sadly I have to bring this subject up again. I'm experiencing the same problem on the new Yosemite Server; the only problem is the Workgroup Manager doesn't work in Yosemite :)

     

    You can run Workgroup Manager on a Mavericks client and connect to the Yosemite server.

  • by moralec,

    moralec Oct 30, 2015 4:24 AM in response to John Lockwood
    Level 1 (0 points)

    Same issue here since upgrading to El Capitan. Is there a new Workgroup Manager I could use? Any alternatives?
