CHAP peer authentication failed
I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.
Issue
Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.
The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.
Trawling the logs, I'd see:
CHAP peer authentication failed for '[user]'.
... where [user] is the short name of a user, e.g. 'jonny.appleseed'.
The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.
Steps to Reproduce
1. Create a new user
2. Permit access to VPN
3. Configure VPN settings on client; PPTP or L2TP
4. Try to 'connect'
5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "
Steps to Correct
1. On the server, download 'Workgroup Manager'
You'll find the correct version of Workgroup Manager here: http://support.apple.com/kb/HT1822. For Mountain Lion, you'll need Workgroup Manager 10.8.
2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin
3. From the list of users on the left, select a user who is having trouble connecting to the VPN
4. Select the 'Advanced' tab
5. Click 'Options'
(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)
6. De-select 'be changed at next login'
Result
This user should now be able to connect to the VPN.
I hope this saves someone else months of frustration.
OS X Server, VPN