If a peer requests a Cisco to authenticate itself with MSCHAPv2 and the Cisco does not support MSCHAPv2 (e.g., in IOS older than ~12.2T) the Cisco will NAK to conventional CHAP even though if it supports MSCHAP. If the peer is not clever enough to suggest MSCHAP then authentication may succeed with conventional CHAP, but subsequent attempts to negotiate MPPE will fail for lack of keying material. (Alternately, the link may simply be terminated because the peer requires some MSCHAP variation but doesn't propose v1.)
Assuming one cannot change the peer's authentication choice ordering is there any way to force the Cisco box to NAK to MSCHAP? All the configuration options appear to deal with the type of authentication that the Cisco will request from the peer and not the reverse.
Dan Lanciani ddl@danlan.*com