Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


PPTP VPN on 877 - Cannot authenticate using MS-CHAP/MS-CHAP-V2

Hi everyone,

I would be very grateful if you could help me to solve this little problem:

I need to establish PPTP VPN to 877 modem/router from Internet.

The VPN client is a Windows XP standard VPN client.

I configured the router basing on the document:

"Configuring the Cisco Router and VPN Clients Using PPTP and MPPE"

And... It works quite nice BUT only when I use PAP protocol to authenticate the user.

When I try to use 'MS-CHAP' or 'MS-CHAP v2' I get error 691 on the client side

("Access was denied because the username an/or password was invalid on the doman.")

and on the router in the debuging log I can see the following:

105556: Oct 23 09:31:46.425 PCTime: ppp615 PPP: Phase is AUTHENTICATING, Unauthenticated User

105557: Oct 23 09:31:46.425 PCTime: AAA/AUTHEN/PPP (0000013F): Pick method list 'default'

105558: Oct 23 09:31:46.425 PCTime: ppp615 PPP: Sent MSCHAP_V2 LOGIN Request

105559: Oct 23 09:31:46.433 PCTime: ppp615 PPP: Received LOGIN Response FAIL

105560: Oct 23 09:31:46.433 PCTime: ppp615 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"

105561: Oct 23 09:31:46.433 PCTime: ppp615 PPP: Sending Acct Event[Down] id[13F]

105562: Oct 23 09:31:46.437 PCTime: ppp615 PPP: Phase is TERMINATING

Could enyone help me find where I have made a mistake in the configuration?

The running config of the router is attached.




if you set the PC authentication protocols for Shiva PAP (SPAP) and Microsoft Challenge Authentication Protocol (MS-CHAP) version 2 (when the router is unable to do version 2), and you set the router for CHAP, then the debug ppp negotiation command on the router displays this output.

04:30:55: Vi1 LCP: Failed to negotiate with peer


but it looks like the answer is not completely related to my problem.

The 877 is unable to do version 2 (from what I know) and I have tried to connect having both the router and the PC set to use only MS-CHAP or MS-CHAP-V2 and still couldn't connect.


Problem resolved:

After spending some time on the phone with Cisco TAC it appeared that passwords for users that authenticate for PPTP VPN access could not be secret ones.

Funny is , that I couldn't find such trivial information anywhere...


Wow! THANKS! I've finally found this as a solution to a long time problem and this is NOWHERE in the docs or anyplace. So, to help with future searches... PPTP on an IOS router using LOCAL AUTHENTICATION will fail when using encrypted secrets rather than regular passwords. Thanks soooo much for this.


Even after 7 years this is a relevant and needed info, that saved me from a countless hours of debugging. Starred 5!

This helpped me as well. Thanks! This (among other things) should get documented better by Cisco.


Byte solutions, Inc.

Byte Solutions, Managed Computer Services 561.338.9696
Content for Community-Ad