Issue
When AuthAnvil RADIUS Server is used to authenticate to VPNs, firewalls, routers, or other devices over MSCHAPv2, a temporary password fails to log the user in. The error log in the AuthAnvil Manager shows "Failed to authenticate user via MSCHAP2". Authentication with your AuthAnvil Passcode (PIN + OTP) works properly.
Cause
MSCHAPv2 secures the authentication exchange in a way that prevents us from decrypting and testing its contents on the fly. As a result, we have no way to test whether the submitted value is a temporary password or an AuthAnvil Passcode. By default we must assume it is a two-factor authentication code, so checking for temporary passwords is not enabled.
Resolution
Using PAP as the authentication protocol instead of MSCHAPv2 allows temporary passwords to work. 2FA codes will still authenticate successfully via RADIUS, and temporary passwords can be tested because PAP does not apply any additional security to the message.
Affects
All AuthAnvil RADIUS Servers authenticating with MSCHAPv2.
Questions?
If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.