Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

CHAP peer authentication failed

I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.


Issue

Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.


The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.


Trawling the logs, I'd see:


CHAP peer authentication failed for '[user]'.


... where [user] is the short name of a user, e.g. 'jonny.appleseed'.


The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.


Steps to Reproduce

1. Create a new user

2. Permit access to VPN

3. Configure VPN settings on client; PPTP or L2TP

4. Try to 'connect'

5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "



Steps to Correct

1. On the server, download 'Workgroup Manager'

You'll find the correct version of Workgroup Manager here: http://support.apple.com/kb/HT1822. For Mountain Lion, you'll need Workgroup Manager 10.8.


2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin


3. From the list of users on the left, select a user who is having trouble connecting to the VPN


4. Select the 'Advanced' tab


5. Click 'Options'

(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)


6. De-select 'be changed at next login'

User uploaded file


Result

This user should now be able to connect to the VPN.



I hope this saves someone else months of frustration.

OS X Server, VPN

Posted on Jun 20, 2013 8:58 AM

Reply
19 replies

Jul 7, 2013 1:47 PM in response to cspearsall

I figured it out. You have to create user from Profile Manager not from the the Server app. From here the options button was enabled. However, when it opended up tghe dialog box 'be changed at next login' was already unchecked. I tried logging in as this user and got the same error.


Unsupported protocol 0x8057 received

MPPE required but peer negotiation failed

Jul 7, 2013 2:11 PM in response to enokoner

I got L2TP working! From my 3g iphone!


Steps

1. System Preferences ---> Network

2. Click ' +' to add a new service

3. Select Ethernet for Interface. Name it something like 'VPN Access'

4. Select a new ip in a range that will not be used by the VPN client. Server sets the range for clients above 31. I chose 25 randomly.

5. Go to the server applicatio.---> Edit under DNS Settings

6. Chane the name server to the address you chose.

7. Restart and it should work.

Oct 14, 2013 1:02 PM in response to YUZA-Tom

I tried this fix along with a few others that came up when I searched for "CHAP peer authentication failed." None worked for me, but simply deleting the user account and then re-creating it did.


The user account that wasn't working had been created prior to installing Server / configuring VPN; maybe it has something to do with that. Any new accounts I create work fine but none of the old ones do.

Oct 14, 2013 3:28 PM in response to YUZA-Tom

I have the same CHAP peer authentication failed. However I don't have the "options" button on the work group manager. This is only for Active Directory users. Locally created users have a different password type.


Local users have a "Shadow Password" that has "Options". The AD users all have a "Crypt Password" as shown below. How can I allow these AD users to have VPN access and authenticate correctly?


Can AD users be converted to another type of password? Can this password type work with VPN to get the CHAP authentication correct?


User uploaded file


User uploaded fileUser uploaded file

Oct 30, 2015 4:57 AM in response to moralec

moralec wrote:


Same issue here since upgrading to El Capitan. Is there a new Workgroup Manager I could use? any alternatives?


I have not tried it under El Capitan but contrary to what Apple were originally implying Workgroup Manager 10.9 did and does work fine under Yosemite. The installer would not do an install on Yosemite but if you copied the Workgroup Manager application from a Mavericks machine to a Yosemite machine it did work. I suspect the same will still apply for El Capitan. Likewise a Mavericks machine running Workgroup Manager should still be able to connect to an El Capitan Open Directory server.


If you do not have an Mavericks machine to install it on and copy it from, then try using Pacifist to force-install it on El Capitan.

CHAP peer authentication failed

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.