When you configure the firewall to use
server authentication for a particular service (such as Captive Portal), it first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn’t support CHAP or isn’t configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After falling back to PAP for a particular RADIUS server, the firewall uses only PAP in subsequent attempts to authenticate to that server. The firewall records a fall back to PAP as a medium severity event in the System logs. If you modify any fields in the RADIUS server profile and then commit the changes, the firewall reverts to first trying CHAP for that server.