It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure MS-CHAP Authentication

  • Last updated on

Use the Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP V2) to authenticate VPN clients over L2TP/PPTP (mutual authentication between peers) or to authenticate HTTP Proxy users. The firewall must join the domain before using MS-CHAP authentication.

Connecting to Read-only Domain Controllers

In addition to the adding the hostname for the Barracuda CloudGen Firewall, you must verify that the password for the user account used in the Helper Scheme is cached on the read-only domain controller.

Before You Begin

  • Enable SMBv2 on the Windows Domain Controller.

Step 1. Configure MS-CHAP Authentication

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
  2. In the left menu, select MS-CHAP Authentication.
  3. From the Configuration Mode menu on the left, select Switch to Advanced View.
  4. Click Lock.
  5. Enable MS CHAP as external directory service.
  6. Choose the NTLM protocol version supported by your authentication service.

    When changing the protocol version, a restart of the authentication daemon (phibs) is necessary. Restart the service in CONTROL > Server > Service Status > box.

  7. In the Domain Realm field, enter the name of the Windows domain that is queried by the authenticator.

  8. If the NetBIOS domain name differs from the MS Active Directory domain name, specify the NetBIOS Domain Name.

  9. Enter the MS Active Directory Workgroup Name if the workgroup name is different from the MS Active Directory domain name (Domain Realm).
  10. In the Domain Controller field, enter the IP address of the domain controller.

    If you also configured the MSAD authentication scheme with the Use MSAD-groups with NTLM setting enabled, the Barracuda CloudGen Firewall must be able to resolve the DNS name of the domain controller. (This also applies for the WINS Server IP address.)

  11. In the WINS Server field, enter the IP address of the domain’s Windows Internet Name Service (WINS) server.

  12. If group information is queried from a different authentication scheme, select the scheme from the User Info Helper Scheme list. For example, select MSAD if MS-CHAP is used for identity verification but group information must be queried from MSAD.
  13. Click Send Changes and Activate.

Step 2. Add the Barracuda CloudGen Firewall to a Windows Domain

  1. Go to CONTROL > Box.
  2. In the left menu, expand Domain Control and click Register at Domain.


Verify that the Barracuda CloudGen Firewall is joined to the domain by clicking Show Registration Status in CONTROL > Box > Domain Control.