Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco does not support MS-CHAP for vpn authentication

HI all,

I have a cisco 2951 ISR G2 router on which I set up a l2tp/IPSEC vpn server. I was having trouble setting up the vpn and had to call support for helping me out. The problem that the support guy found is that the router or the l2tp vpn server does not support MS-CHAP or MS-CHAPv2 authentication protocol. So, with the router configured to use MS-CHAP or MS-CHAPv2 as the authentication protocol for authenticating vpn users, when an external user tries to connect to the vpn server using Microsoft's inbuilt vpn client, which uses ms-chap and ms-chap v2 for authentication by default, he would not be able to connect and the error message (Error 691) was "vpn server could not authenticate username and password with the authentication method". However, when the  router is configured to use PAP as the authentication method, then vpn connections were successful. The support guy told me MS-CHAP is not supported by Cisco. Has anyone ever come across this issue?

The problem is PAP is an unencrypted protocol and I don't think anybody uses it nowadays..I still can't believe that Cisco does not support MS-CHAP authentication protocols..I would like somebody to tell me that it's not true..

If anyone has ever tried to set up an L2TP/IPSEC vpn server on a Cisco router and use Microsoft's inbuilt vpn client to connect to the server, please help me get a working configuration for the vpn server.

Any help would be greatly appreciated.


Kind regards,


CreatePlease login to create content