10 Replies Latest reply: Dec 4, 2013 2:20 PM by richosad
YUZA-Tom Level 1 Level 1 (0 points)

I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.

 

Issue

Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.

 

The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.

 

Trawling the logs, I'd see:

 

CHAP peer authentication failed for '[user]'.

 

... where [user] is the short name of a user, e.g. 'jonny.appleseed'.

 

The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.


 

Steps to Reproduce

1. Create a new user

2. Permit access to VPN

3. Configure VPN settings on client; PPTP or L2TP

4. Try to 'connect'

5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "

 

 

Steps to Correct

1. On the server, download 'Workgroup Manager'

You'll find the correct version of Workgroup Manager here: http://support.apple.com/kb/HT1822. For Mountain Lion, you'll need Workgroup Manager 10.8.

 

2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin

 

3. From the list of users on the left, select a user who is having trouble connecting to the VPN

 

4. Select the 'Advanced' tab

 

5. Click 'Options'

(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)

 

6. De-select 'be changed at next login'

Screen Shot 2013-06-20 at 16.49.35.png

 

Result

This user should now be able to connect to the VPN.

 

 

I hope this saves someone else months of frustration.


OS X Server, VPN
  • 1. Re: CHAP peer authentication failed
    cspearsall Level 1 Level 1 (0 points)

    First of all, thank you for posting this.  I hope when I get to this point it actually works.  However I am stuck at not being able to open the Options window even after I authenticate.  Not sure what the problem is!!Screen Shot 2013-07-03 at 2.13.44 PM.png

  • 2. Re: CHAP peer authentication failed
    enokoner Level 1 Level 1 (0 points)

    I'm running into the same problem. Will post, if I figure it out.

  • 3. Re: CHAP peer authentication failed
    enokoner Level 1 Level 1 (0 points)

    I figured it  out. You have to create user from Profile Manager not from the the Server app.  From here the options button was enabled. However, when it opended up tghe dialog box 'be changed at next login' was already unchecked. I tried logging in as this user and got the same error. 

     

    Unsupported protocol 0x8057 received

    MPPE required but peer negotiation failed

  • 4. Re: CHAP peer authentication failed
    enokoner Level 1 Level 1 (0 points)

    I got L2TP  working! From my 3g iphone!

     

    Steps

    1. System Preferences ---> Network

    2. Click ' +'  to add a new service

    3. Select Ethernet for Interface. Name it something like 'VPN Access'

    4. Select a new ip in a range that will not be used by the VPN client. Server sets the range for clients above 31. I chose 25 randomly.

    5.  Go to the server applicatio.---> Edit under DNS Settings

    6. Chane the name server to the address you chose. 

    7. Restart and it should work. 

  • 5. Re: CHAP peer authentication failed
    AdamShaw Level 1 Level 1 (5 points)

    Thank you, this solved my problem and saved me a lot of time!

     

    But I also found, as enkoner said, that the user needed to be created in the Workgroup Manager and not in the Server App.

  • 6. Re: CHAP peer authentication failed
    d.hamann Level 1 Level 1 (0 points)

    Thanks for this description, YUZA-Tom. I had the exact same problem and have it fixed now.

     

    @AdamShaw: I could create the user in the Server App – worked just fine.

  • 7. Re: CHAP peer authentication failed
    lh99 Level 1 Level 1 (0 points)

    I tried this fix along with a few others that came up when I searched for "CHAP peer authentication failed." None worked for me, but simply deleting the user account and then re-creating it did.

     

    The user account that wasn't working had been created prior to installing Server / configuring VPN; maybe it has something to do with that. Any new accounts I create work fine but none of the old ones do.

  • 8. Re: CHAP peer authentication failed
    Scott Hannahs Level 1 Level 1 (0 points)

    I have the same CHAP peer authentication failed.  However I don't have the "options" button on the work group manager.  This is only for Active Directory users.  Locally created users have a different password type.

     

    Local users have a "Shadow Password" that has "Options".  The AD users all have a "Crypt Password" as shown below.  How can I allow these AD users to have VPN access and authenticate correctly?

     

    Can AD users be converted to another type of password?  Can this password type work with VPN to get the CHAP authentication correct?

     

     

    Untitled 2.png

  • 9. Re: CHAP peer authentication failed
    the_powerbart Level 1 Level 1 (0 points)

    I had the same problem... Banging my head into the wall ...

     

    I tried everything... In the end, I deleted the OpenDirectory store in "Server App" and created a new one...
    And then is was working like chame :-)

     

    Note: The users you are adding, should MAYBE only be "Network users - service only" ...

  • 10. Re: CHAP peer authentication failed
    richosad Level 1 Level 1 (0 points)

    Thanks for the hint: "Note: The users you are adding, should MAYBE only be "Network users - service only" ...

     

    that solved my problem. See also here at the end of video:

    http://www.youtube.com/watch?v=gG8HcsQuyjI