Authentication fails using a Temp Password through RADIUS using MSCHAP2


When using AuthAnvil RADIUS Server for authentication to VPNs, Firewalls, Routers, or other devices using MSCHAPv2, the temporary password is unable to log the user in. The error log in the AuthAnvil Manager shows "Failed to authenticate user via MSCHAP2". Authentication using your AuthAnvil Passcode (PIN + OTP) works properly.


MSCHAPv2 encryption secures the authentication in a way that we cannot decrypt and test the contents on the fly. Because of this, there is no capability for us to test: "Is this a temporary password or an AuthAnvil Passcode?" By default, we must assume it is a two-factor authentication code so it is not enabled for checking temporary passwords.



Using PAP as the authentication protocol instead of MSCHAPv2 will allow for temporary passwords. 2FA codes will still successfully authenticate via RADIUS but the temporary passwords can be tested as PAP does not apply any additional security on the message.



All AuthAnvil RADIUS Servers authenticating with MSCHAPv2.


If you have any questions or need some help, we would be happy to assist. Open a case at or send an email to

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section