diff --git a/Makefile b/Makefile
index af5bc7dcc..90ee7f765 100644
--- a/Makefile
+++ b/Makefile
@@ -166,6 +166,7 @@ CORE_DEPENDS?= ca_root_nss \
 php${CORE_PHP}-ldap \
 php${CORE_PHP}-pdo \
 php${CORE_PHP}-pecl-radius \
+ php${CORE_PHP}-pear-Crypt_CHAP \
 php${CORE_PHP}-phalcon \
 php${CORE_PHP}-phpseclib \
 php${CORE_PHP}-session \
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
index c3f3bda34..dd62a2284 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
@@ -147,6 +147,31 @@ class Radius extends Base implements IAuthConnector
 }
 }
+ /**
+ * retrieve configuration options
+ * @return array
+ */
+ public function getConfigurationOptions()
+ {
+ $options = [];
+ $options['radius_protocol'] = [];
+ $options['radius_protocol']['name'] = gettext('Protocol');
+ $options['radius_protocol']['type'] = 'dropdown';
+ $options['radius_protocol']['default'] = 'PAP';
+ $options['radius_protocol']['options'] = [
+ 'PAP' => 'PAP',
+ 'MSCHAPv2' => 'MSCHAPv2'
+ ];
+ $options['radius_protocol']['validate'] = function ($value) {
+ if (!in_array($value, ['PAP', 'MSCHAPv2'])) {
+ return [gettext('Invalid protocol specified')];
+ } else {
+ return [];
+ }
+ };
+ return $options;
+ }
+
 /**
 * return session info
 * @return array mixed named list of authentication properties
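Review bot: The validate closure in getConfigurationOptions() uses a loose `in_array($value, ['PAP', 'MSCHAPv2'])`, so a non-string such as boolean `true` compares equal to `'PAP'` and passes validation even though it is not one of the dropdown keys. Pass `strict: true`, and derive the accepted set from the option list so the two cannot drift apart: `if (!in_array($value, array_keys($options['radius_protocol']['options']), true)) {`. The `else` after the early `return` can also be dropped to keep the closure flat. The closure is only definition here; where the validated value is later consumed as `$this->protocol` is outside this hunk.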
@@ -423,6 +448,31 @@ class Radius extends Base implements IAuthConnector
 $error = radius_strerror($radius);
 }
 break;
+ case 'MSCHAPv2':
+ require_once 'Crypt/CHAP.php';
+ $crpt = new \Crypt_CHAP_MSv2;
+ $crpt->username = $username;
+ $crpt->password = $password;
+
+ $resp = pack(
+ 'CCa16a8a24',
+ $crpt->chapid,
+ 1,
+ $crpt->peerChallenge,
+ str_repeat("\0", 8),
+ $crpt->challengeResponse()
+ );
+
+ if (!radius_put_vendor_attr(
+ $radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $crpt->authChallenge
+ )) {
+ $error = radius_strerror($radius);
+ } elseif (!radius_put_vendor_attr(
+ $radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp
+ )) {
+ $error = radius_strerror($radius);
+ }
+ break;
 default:
 syslog(LOG_ERR, 'Unsupported protocol ' . $this->protocol);
 return false;
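Review bot: The second value packed into `$resp` is the Flags octet of the MS-CHAP2-Response attribute, which as I read RFC 2548 is reserved and MUST be zero; the hunk passes `1`, which is the NT-Response flag from the older MS-CHAP (v1) Response layout. Common servers ignore the octet, so authentication will likely still succeed, but a strict implementation may reject the request; I would use `0,` with a comment `// Flags octet: reserved, MUST be zero for MS-CHAP2-Response (RFC 2548)` and name the layout, e.g. `// Ident, Flags, Peer-Challenge(16), Reserved(8), NT-Response(24)`. Separately, MSCHAPv2 is mutual: the Access-Accept carries an MS-CHAP2-Success authenticator response the client is expected to verify, and that handling lies outside this hunk, so I cannot tell whether it is done; if it is not, a comment at this case stating that the server's authenticator response is not checked would save the next reader from assuming mutual authentication. The enclosing switch on `$this->protocol` starts and ends outside the hunk.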