I seem to be running into this more & more often;
I have 2 MTs out there running hotspots. One is at our local library & the other runs my entire WISP infrastructure. Both are ver. 2.9.51. (I tried to upgrade the main one many months back to ver 3.x but PPPoE died a horrible death in the process & I've been scared to upgrade ever since - if it ain't broke...)
Anyways, I get calls on a regular basis from our library, & now I'm seeing it on the other MT as well. The problem is that users just can't seem to log in. They enter their username & password & it fails. The log on the MT says "Invalid username or password", but the logs in my Radius server say "Bad Chap Password". I've confirmed on numerous occasions that the username/pass are keyed in correctly, but it just fails. It seems like the CHAP encryption of the password somehow gets scrambled & causes the authentication process to fail. Anyone else seen this or have any solutions?

Monitor /radius monitor <number_of_RADIUS_server>
Check that all packets to the RADIUS server are sent properly.
Perhaps radius timeout is too big or too small.

One MT box has a timeout of 1500ms, the other had a timeout of 800ms. I changed it to 1500ms so they are both consistent. Here are the stats from the primary Radius off one of the boxes:
pending: 0
requests: 213712
accepts: 207408
rejects: 6091
resends: 699
timeouts: 213
bad-replies: 35
last-request-rtt: 50ms

I'm wondering if the users that are failing are the "bad-replies". Statistically, the numbers look pretty good. It's definitely not a timeout issue, the requests are getting logged on the radius server as "bad CHAP password" so something else there is failing. I suspect that it's the user's browser not handling the Javascript MD5 hash routine properly, but I haven't figured out how to test/troubleshoot that.