
CHAP peer authentication failed

I'm posting this solution as this issue has been cropping up, seemingly at random, for years. I hope others find success with it.


Issue

Since migrating to OS X Server (I first started with Leopard) I've been bugged with an issue: some users have been unable to connect to the VPN.


The issue seemed random; I could connect, as could a couple of my colleagues, but some new users could not.


Trawling the logs, I'd see:


CHAP peer authentication failed for '[user]'.


... where [user] is the short name of a user, e.g. 'jonny.appleseed'.


The issue, in my case, was caused by the password policy which requires new users to change their password on first log-in. Blindingly simple (perhaps why it's not documented anywhere!), but looking through the Google results and discussion boards, it seems to have caused many people much pain.


Steps to Reproduce

1. Create a new user

2. Permit access to VPN

3. Configure VPN settings on client; PPTP or L2TP

4. Try to 'connect'

5. Message: "Authentication Failed" appears on Client; VPN Service log shows "CHAP peer authentication failed for '...' "



Steps to Correct

1. On the server, download 'Workgroup Manager'

You'll find the correct version of Workgroup Manager here: http://support.apple.com/kb/HT1822. For Mountain Lion, you'll need Workgroup Manager 10.8.


2. Open Workgroup Manager, connect to the directory and authenticate as the directory admin


3. From the list of users on the left, select a user who is having trouble connecting to the VPN


4. Select the 'Advanced' tab


5. Click 'Options'

(NB: This will be greyed out if you have not authenticated as the directory admin; click the padlock button in the top-right of Workgroup Manager to authenticate)


6. De-select 'be changed at next login'



Result

This user should now be able to connect to the VPN.



I hope this saves someone else months of frustration.

OS X Server, VPN

Posted on Jun 20, 2013 8:58 AM

19 replies

Oct 30, 2015 5:24 AM in response to John Lockwood

Thank you, John, for the response. I managed to install the Workgroup Manager using Pacifist, and tried the solution suggested above. Unfortunately: no luck. With old, new, network and local accounts, the server shows an authentication failure:


Fri Oct 30 12:21:21 2015 : rcvd [CHAP Response id=0xc6 <a06af14569916fe00d22363b215251140000000000000000c592ccb1ea30f759e6b7db4907e5a8 0a2bd1432024014faa00>, name = "vpnuser"]

Fri Oct 30 12:21:21 2015 : Warning - secret file /etc/ppp/chap-secrets has world and/or group access

Fri Oct 30 12:21:21 2015 : sent [CHAP Failure id=0xc6 "E=691 R=1 C=2b6a7b397a4d0670693a2c757208497a V=0 M=Access denied"]

Fri Oct 30 12:21:21 2015 : CHAP peer authentication failed for vpnuser

Fri Oct 30 12:21:21 2015 : sent [LCP TermReq id=0x2 "Authentication failed"]

Fri Oct 30 12:21:21 2015 : Connection terminated.

Fri Oct 30 12:21:21 2015 : L2TP disconnecting...

Fri Oct 30 12:21:21 2015 : L2TP sent CDN

Fri Oct 30 12:21:21 2015 : L2TP sent StopCCN

Fri Oct 30 12:21:21 2015 : L2TP disconnected

2015-10-30 12:21:21 GMT --> Client with address = 192.168.1.224 has hungup



Maybe something to do with permissions in /etc/ppp/chap-secrets?
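The pppd lines quoted in this reply carry two separate facts: an MS-CHAP failure code ("E=691", which RFC 2759 defines as ERROR_AUTHENTICATION_FAILURE) and a permissions warning about /etc/ppp/chap-secrets. The triage script below is an added example, not code from the thread: it parses such log lines, names the failure code, and turns the warning into a concrete check. The sample log is constructed from the three decisive lines above.

```python
import re

# MS-CHAP failure codes (RFC 2759 section 6); pppd reports them as "E=" in a CHAP Failure.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

FAILURE_RE = re.compile(r'CHAP Failure id=0x[0-9a-f]+ "E=(?P<err>\d+) R=(?P<retry>[01])'
                        r'(?: C=[0-9a-fA-F]+)?(?: V=\d+)?(?: M=(?P<msg>[^"]*))?"')
SECRETS_RE = re.compile(r"secret file (?P<path>\S+) has world and/or group access")
PEER_RE = re.compile(r"CHAP peer authentication failed for '?(?P<user>[^'\s]+)'?")

def triage_pppd_log(text: str) -> dict:
    """Walk pppd log lines and return the facts that explain a CHAP failure."""
    result = {"user": None, "error_code": None, "error_name": None,
              "retry_allowed": None, "server_message": None, "insecure_secret_files": []}
    for line in text.splitlines():
        if m := FAILURE_RE.search(line):
            result["error_code"] = int(m["err"])
            result["error_name"] = MSCHAP_ERRORS.get(result["error_code"], "UNKNOWN")
            result["retry_allowed"] = m["retry"] == "1"   # R=1: the client may retry
            result["server_message"] = m["msg"]
        elif m := SECRETS_RE.search(line):
            result["insecure_secret_files"].append(m["path"])
        elif m := PEER_RE.search(line):
            result["user"] = m["user"]
    return result

def remediation(result: dict) -> list:
    """Defender-side hints derived from the parsed facts."""
    hints = [f"chmod 600 {p}  # pppd warns because the secrets file is group/world readable"
             for p in result["insecure_secret_files"]]
    if result["error_code"] == 691:
        hints.append("E=691 is a generic credential rejection: besides a wrong password, check "
                     "account flags such as 'password must be changed at next login'")
    return hints

# Constructed sample: the three decisive lines from the pppd log quoted above.
SAMPLE_LOG = """\
Fri Oct 30 12:21:21 2015 : Warning - secret file /etc/ppp/chap-secrets has world and/or group access
Fri Oct 30 12:21:21 2015 : sent [CHAP Failure id=0xc6 "E=691 R=1 C=2b6a7b397a4d0670693a2c757208497a V=0 M=Access denied"]
Fri Oct 30 12:21:21 2015 : CHAP peer authentication failed for vpnuser
"""
```

Running `remediation(triage_pppd_log(SAMPLE_LOG))` yields the chmod check and the E=691 hint; the parser also accepts the quoted form `failed for 'jonny.appleseed'.` seen in the original post.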

Oct 30, 2015 5:55 AM in response to moralec

While it is complaining about permissions on the chap-secrets file, it seems to be saying they are too open rather than too restrictive, so while it might not be completely correct, I do not believe that is the real issue.


I have to say I long ago gave up on Apple's VPN server. These days it is far too dated and hence both weak from a security point of view and unable to do modern things like SSL certificates and VPN-on-Demand.


A last thing to try might be to use the server's own admin account to try connecting; this is obviously not going to be practical for ongoing use, but it might help narrow things down.

Oct 30, 2015 9:24 AM in response to moralec

I mainly use StrongSwan5 running in a Linux virtual machine. I have it configured to operate as a Cisco IPSec compatible VPN server along with using SSL certificates, and I also have it able to authenticate users to Open Directory via LDAP, although currently I have that aspect turned off and just use SSL certificates. This works using both Mac and iOS built-in VPN clients.


I also have an L2TP VPN server running in our SonicWALL Firewall, and this is set up much more like Apple's VPN server, i.e. using L2TP, CHAP, and no SSL certificates; it also authenticates to Open Directory via LDAP.


Note: SonicWALL Firewalls use IPSec to do site-to-site links, but do it in such a way that it is not compatible with Apple's built-in Cisco IPSec client. I am aware that there are third-party VPN clients for the Mac which would be compatible with the SonicWALL, such as IPSecuritas, VPN Tracker, and of course SonicWALL's own one, but I specifically want to use Apple's own built-in VPN client because I am fed up with third-party ones breaking each time Apple updates their operating system. There is also a complex issue regarding usernames and passwords and MDM systems which I was able to get round in a way I was happy with by using StrongSwan5, which I probably would not have been able to with the SonicWALL.
