CHAP peer authentication failed with 10.6 PPTP VPN

Question

Level 1

0 points

CHAP peer authentication failed with 10.6 PPTP VPN

Moving services from older machines to our new Xserve running 10.6.1 Server. I've set up PPTP VPN, but keep getting authentication errors. I can get in with my server administrator credentials, but OD credentials get "CHAP peer authentication failed" in the vpnd.log Any ideas?

MBP 13" 2009 2.26GHZ, Mac OS X (10.6.1)

Posted on Oct 20, 2009 2:06 PM

Reply

Answer 1

Oct 28, 2009 4:36 PM in response to CamMarshall

Please post the vpn log (/var/log/ppp/vpnd.log). It is probably a 95% chance it is a simple (relatively) fix that has been there since at least 10.3 and the sequence of errors around that message is the key.

Peter

Reply

Answer 2

CamMarshall Author

Level 1

0 points

Oct 30, 2009 11:49 AM in response to Peter Scordamaglia

2009-10-21 10:37:19 CDT Incoming call... Address given to client = {y.y.y.y}
Wed Oct 21 10:37:19 2009 : Directory Services Authentication plugin initialized
Wed Oct 21 10:37:19 2009 : Directory Services Authorization plugin initialized
Wed Oct 21 10:37:19 2009 : PPTP incoming call in progress from '{x.x.x.x}'...
Wed Oct 21 10:37:19 2009 : PPTP connection established.
Wed Oct 21 10:37:19 2009 : using link 0
Wed Oct 21 10:37:19 2009 : Using interface ppp0
Wed Oct 21 10:37:19 2009 : Connect: ppp0 <--> socket[34:17]
Wed Oct 21 10:37:19 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x11115898> <pcomp> <accomp>]
Wed Oct 21 10:37:19 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x5ed3f326> <pcomp> <accomp>]
Wed Oct 21 10:37:19 2009 : lcp_reqci: returning CONFACK.
Wed Oct 21 10:37:19 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x5ed3f326> <pcomp> <accomp>]
Wed Oct 21 10:37:22 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x11115898> <pcomp> <accomp>]
Wed Oct 21 10:37:22 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x11115898> <pcomp> <accomp>]
Wed Oct 21 10:37:22 2009 : sent [LCP EchoReq id=0x0 magic=0x11115898]
Wed Oct 21 10:37:22 2009 : sent [CHAP Challenge id=0xb3 <2e470b6b6c76174f2720006b2d601842>, name = "{z.z.com}"]
Wed Oct 21 10:37:22 2009 : rcvd [LCP EchoReq id=0x0 magic=0x5ed3f326]
Wed Oct 21 10:37:22 2009 : sent [LCP EchoRep id=0x0 magic=0x11115898]
Wed Oct 21 10:37:22 2009 : rcvd [LCP EchoRep id=0x0 magic=0x5ed3f326]
Wed Oct 21 10:37:22 2009 : rcvd [CHAP Response id=0xb3 <e253bbb4d29f16d47e4585a20c179ec000000000000000008cccedf4f479e42e0711aa6967b794 e08396ae5d273bbe0c00>, name = "{username}"]
Wed Oct 21 10:37:22 2009 : sent [CHAP Failure id=0xb3 ""]
Wed Oct 21 10:37:22 2009 : CHAP peer authentication failed for {username}
Wed Oct 21 10:37:22 2009 : sent [LCP TermReq id=0x2 "Authentication failed"]
Wed Oct 21 10:37:22 2009 : Connection terminated.
Wed Oct 21 10:37:22 2009 : PPTP disconnecting...
Wed Oct 21 10:37:22 2009 : PPTP disconnected
2009-10-21 10:37:22 CDT --> Client with address = {y.y.y.y} has hungup

Reply

Answer 3

Oct 30, 2009 6:19 PM in response to CamMarshall

Hmmm... it is not that simple...

Well the log says you made it through the 3 exchanges and it was the server that denied the connection.

I think that means this is an account issue. This seems to be supported by your statement that only the administrator can login via PPTP. Is that account Local or OD? Are you 'securing' access to VPN with ACL's?

Let us try this. Make a new account, do NOT setup anything except the account (Don't fiddle with home dir, mail, account info), make the short name less than 8 char, password also less than 8 characters. Please do not make it an administration account. Put them into group 20 (staff) to start and attempt to login via PPTP.

If that does not work (probably not) then change them to group 80 (admin) and see if that does it. I am wondering if it is some issue with your Crypt database.

Peter

Reply

Answer 4

txturbo

Level 1

0 points

Nov 2, 2009 12:14 PM in response to CamMarshall

Ok... I had the exact same problem.... I tried changing configurations, removing the VPN, changing the authentication methods exct... Nothing worked.

Here is how I fixed it.

In workgroup manager under the short names I had 1 main name and 2 aliases. Originally the VPN was configured to authenticate with one of the aliases. I changed the authentication on the client to match the first (grayed out) short name and it works again.

Reply