VyOS + Radius + DUO + Active Directory Issue with MS-CHAPv2

I want to setup VyOS to act as our Remote VPN access appliance.

I currently have ipsec + l2tp configured to allow remote client VPN connections. Local authentication on the VyOS works great.

However, I want to enable radius authentication and point it to a DUO Radius Server that authenticates with Active Directory + DUO 2FA on the back end.

I have it all setup but running into an issue. The log as shown on the DUO radius server is this:

Primary credentials rejected - No password

I reach out to DUO support and this is what the said:

The error “Primary credentials rejected - No password” error appears and Primary authentication will fail if the appliance has the Password Management feature enabled, as this causes the credentials to be sent in MS-CHAPv2. Our [Duo for Cisco Firepower] involves configuration of a Duo Authentication Proxy, which expects this data to be sent in PAP.

How can I configure VyOS to authenticate via Radius and:

  • Not send credentials in MS-CHAPv2
  • Send credentials in PAP


Maybe this can help you

vyos@vyos# set vpn l2tp remote-access authentication require
Possible completions:
   pap                  Require the peer to authenticate itself using PAP [Password Authentication Protocol].
   chap                 Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].
   mschap               Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].
   mschap-v2            Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].

Very helpful, thanks! I will test and report back with the results.

I was able to get it to work by running this VPN client EXE on the Windows client:


And setting Security → Allow these protocols → Unencrypted password (PAP) - CHECK THIS OPTION

However, from the description it seems that passwords will be sent clear text. No bueno. I am working with DUO to see if there is another work around other than adding an NPS server in addition to the DUO Radius Proxy. I am trying to not get into an NPS install unless that is my only option.

As for VyOS, it seems to just be the middle man here and where I need to focus is on the VPN client settings and the DUO Radius Proxy and/or NPS if that ends up being the final solution.

Thanks again for your help!