When you configure the firewall to use RADIUS server authentication for a particular service (such as Captive Portal), it first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn’t support CHAP or isn’t configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After falling back to PAP for a particular RADIUS server, the firewall uses only PAP in subsequent attempts to authenticate to that server. The firewall records a fall back to PAP as a medium severity event in the System logs. If you modify any fields in the RADIUS server profile and then commit the changes, the firewall reverts to first trying CHAP for that server.
If you want the firewall to always use a specific protocol for authenticating to the RADIUS server, enter the following operational CLI command (the auto option reverts to the default automatic selection):
set authentication radius-auth-type [ auto | chap | pap ]
When configuring a RADIUS server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.

Related Documentation