Previous 1 2 Next 19 Replies Latest reply: Oct 30, 2015 9:24 AM by John Lockwood
YUZA-Tom Level 1 (0 points)

I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.



Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.


The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.


Trawling the logs, I'd see:


CHAP peer authentication failed for '[user]'.


... where [user] is the short name of a user, e.g. 'jonny.appleseed'.


The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.


Steps to Reproduce

1. Create a new user

2. Permit access to VPN

3. Configure VPN settings on client; PPTP or L2TP

4. Try to 'connect'

5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "



Steps to Correct

1. On the server, download 'Workgroup Manager'

You'll find the correct version of Workgroup Manager here: For Mountain Lion, you'll need Workgroup Manager 10.8.


2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin


3. From the list of users on the left, select a user who is having trouble connecting to the VPN


4. Select the 'Advanced' tab


5. Click 'Options'

(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)


6. De-select 'be changed at next login'

Screen Shot 2013-06-20 at 16.49.35.png



This user should now be able to connect to the VPN.



I hope this saves someone else months of frustration.

OS X Server, VPN
  • cspearsall Level 1 (0 points)

    First of all, thank you for posting this.  I hope when I get to this point it actually works.  However I am stuck at not being able to open the Options window even after I authenticate.  Not sure what the problem is!!Screen Shot 2013-07-03 at 2.13.44 PM.png

  • enokoner Level 1 (0 points)

    I'm running into the same problem. Will post, if I figure it out.

  • enokoner Level 1 (0 points)

    I figured it  out. You have to create user from Profile Manager not from the the Server app.  From here the options button was enabled. However, when it opended up tghe dialog box 'be changed at next login' was already unchecked. I tried logging in as this user and got the same error. 


    Unsupported protocol 0x8057 received

    MPPE required but peer negotiation failed

  • enokoner Level 1 (0 points)

    I got L2TP  working! From my 3g iphone!



    1. System Preferences ---> Network

    2. Click ' +'  to add a new service

    3. Select Ethernet for Interface. Name it something like 'VPN Access'

    4. Select a new ip in a range that will not be used by the VPN client. Server sets the range for clients above 31. I chose 25 randomly.

    5.  Go to the server applicatio.---> Edit under DNS Settings

    6. Chane the name server to the address you chose. 

    7. Restart and it should work. 

  • AdamShaw Level 1 (5 points)

    Thank you, this solved my problem and saved me a lot of time!


    But I also found, as enkoner said, that the user needed to be created in the Workgroup Manager and not in the Server App.

  • d.hamann Level 1 (0 points)

    Thanks for this description, YUZA-Tom. I had the exact same problem and have it fixed now.


    @AdamShaw: I could create the user in the Server App – worked just fine.

  • lh99 Level 1 (0 points)

    I tried this fix along with a few others that came up when I searched for "CHAP peer authentication failed." None worked for me, but simply deleting the user account and then re-creating it did.


    The user account that wasn't working had been created prior to installing Server / configuring VPN; maybe it has something to do with that. Any new accounts I create work fine but none of the old ones do.

  • Scott Hannahs Level 1 (0 points)

    I have the same CHAP peer authentication failed.  However I don't have the "options" button on the work group manager.  This is only for Active Directory users.  Locally created users have a different password type.


    Local users have a "Shadow Password" that has "Options".  The AD users all have a "Crypt Password" as shown below.  How can I allow these AD users to have VPN access and authenticate correctly?


    Can AD users be converted to another type of password?  Can this password type work with VPN to get the CHAP authentication correct?



    Untitled 2.png

  • the_powerbart Level 1 (0 points)

    I had the same problem... Banging my head into the wall ...


    I tried everything... In the end, I deleted the OpenDirectory store in "Server App" and created a new one...
    And then is was working like chame :-)


    Note: The users you are adding, should MAYBE only be "Network users - service only" ...

  • richosad Level 1 (10 points)

    Thanks for the hint: "Note: The users you are adding, should MAYBE only be "Network users - service only" ...


    that solved my problem. See also here at the end of video:

  • sirgorash Level 1 (0 points)

    Sadly I have to bring this subject up again. I'm experiencing the same problem on the new Yosemite Server the only problem is the work group manager doesnt work in Yosemite:)

  • zantafio Level 1 (0 points)

    I have the same problem. I cannot log in using my admin account: I"m getting the CHAP peer authentication failed error, but if I use a new account to login, the connection works immediately.

  • John Lockwood Level 5 (7,661 points)

    sirgorash wrote:


    Sadly I have to bring this subject up again. I'm experiencing the same problem on the new Yosemite Server the only problem is the work group manager doesnt work in Yosemite:)


    You can run Workgroup Manager on a Mavericks client and connect to the Yosemite server.

  • moralec Level 1 (0 points)

    Same issue here since upgrading to El Capitan. Is there a new Workgroup Manager I could use? any alternatives?

Previous 1 2 Next