OS X Server VPN against RADIUS for auth, issues

OS X Server VPN Server against RSA SecurIDs Appliance using RADIUS

I needed two-factor authentication working for our VPN service. So I pointed our OS X Server at our RSA SecurID Appliances. I kept seeing MSCHAP info in the logs on the appliance and found out from their support that it was rejecting the request because of it.

The Server Admin tool used to manage OS X Server offers no way to choose a different authentication protocol. I finally found that I could change it from MSCHAPv2 to PAP by editing the following file:

/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

Find the string 'MSCHAP2' and replace it with 'PAP'. Keep in mind that this change does not persist: if you edit the VPN settings in Server Admin, it will overwrite the file. After you make this change, restart the VPN service.

So this:

<key>AuthenticatorProtocol</key>
<array>
	<string>MSCHAP2</string>
</array>

Becomes this:

<key>AuthenticatorProtocol</key>
<array>
	<string>PAP</string>
</array>

Restart the VPN service in Server Admin.

OS X Server Disable the VPN SACL

The next issue I ran into was that my users did not exist in any Directory Service that the OS X Server was tied to. I had the VPN Service ACL (SACL) set to allow all users, but that was not enough. I couldn't find anything about disabling it, even after calling Apple Support. Later an idea struck me: I looked in the VPN config file again (com.apple.RemoteAccessServers.plist). There I found a configuration option for the SACL, or DSACL as it is called in that file, and disabled it by simply removing the value from the string, like so:

<key>AuthenticatorACLPlugins</key>
<array>
	<string>DSACL</string>
</array>

Becomes this:

<key>AuthenticatorACLPlugins</key>
<array>
	<string></string>
</array>

Restart the VPN service in Server Admin.
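Both plist edits above (MSCHAP2 to PAP, and blanking the DSACL entry), as an added Python example that is not from the post: it applies them with the standard plistlib module and audits the file afterwards, since Server Admin silently reverts the change and the audit makes that drift visible. The sample plist and its nesting under "Servers" are constructed assumptions; the helpers walk the whole plist so they do not depend on that layout.

```python
import plistlib

# Constructed sample mirroring the fragments in the post. The nesting under
# "Servers" is an assumption; the helpers below walk every dict instead of
# relying on a fixed key path.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>Server</key>
      <dict>
        <key>AuthenticatorProtocol</key>
        <array><string>MSCHAP2</string></array>
        <key>AuthenticatorACLPlugins</key>
        <array><string>DSACL</string></array>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def _walk(node):
    """Yield every dict inside a parsed plist, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def audit(plist_bytes):
    """Collect the AuthenticatorProtocol and AuthenticatorACLPlugins values found
    anywhere in the plist, so a revert to MSCHAP2 after a Server Admin save shows up."""
    found = {"AuthenticatorProtocol": [], "AuthenticatorACLPlugins": []}
    for d in _walk(plistlib.loads(plist_bytes)):
        for key in found:
            found[key].extend(d.get(key, []))
    return found

def use_pap_without_dsacl(plist_bytes):
    """Return the plist with MSCHAP2 replaced by PAP and the DSACL entry blanked.
    PAP hands the RADIUS server the password itself (the shared secret only
    obfuscates it on the wire), so audit() exists to track where it is enabled."""
    root = plistlib.loads(plist_bytes)
    for d in _walk(root):
        if "AuthenticatorProtocol" in d:
            d["AuthenticatorProtocol"] = ["PAP" if p == "MSCHAP2" else p for p in d["AuthenticatorProtocol"]]
        if "AuthenticatorACLPlugins" in d:
            d["AuthenticatorACLPlugins"] = ["" if p == "DSACL" else p for p in d["AuthenticatorACLPlugins"]]
    return plistlib.dumps(root)
```

Nothing is written to disk; to apply it for real, feed the bytes of com.apple.RemoteAccessServers.plist in, write the result back, and restart the VPN service as the post describes.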
