Generally, if the key configured on the BAS and the key configured on the RADIUS server are not identical, the RADIUS packet authenticators will not be identical either, and the RADIUS server should not respond to such a packet. However, some RADIUS servers do not check the packet authenticator, so they may respond to RADIUS packets even though the keys are not identical. So although the display command shows that the radius-server is up, this does not ensure that each RADIUS parameter configured on the MA5200 agrees with the one on the RADIUS server. At this point, we should verify that these parameters are configured correctly.

PAP authentication is very sensitive to this problem, because it uses the RADIUS key configured on both the BAS and the RADIUS server for the encryption between them. If the configurations on the two sides are not identical, RADIUS will respond with invalid user password, even though the real cause is the difference in keys between the two sides.

The problem is very simple to address. We can switch to CHAP mode, since the challenge used in the CHAP encryption is generated by the BAS and advertised to both the client and RADIUS, which prevents the calculated ciphertexts from differing because of the configuration problem. If the same account password passes CHAP authentication while PAP reports an invalid password, the cause is mainly a difference in the RADIUS configuration between the two sides.
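The PAP and CHAP behaviour described above, as an added example that is not part of the original page: it implements the RFC 2865 User-Password hiding and the CHAP response calculation to show why a key mismatch breaks PAP but not the CHAP comparison. The keys, password and function names are constructed for illustration.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, key: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: how the BAS hides User-Password with its RADIUS key."""
    blocks = max(1, -(-len(password) // 16))        # pad to a multiple of 16
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(key + prev).digest())
        out += prev
    return out

def pap_recover(hidden: bytes, key: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server does with its own copy of the key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(key + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(id || password || challenge); the RADIUS key is not an input."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def compare(password: bytes, bas_key: bytes, radius_key: bytes):
    """Return (pap_password_matches, chap_response_matches) for one login."""
    req_auth = os.urandom(16)      # Request Authenticator chosen by the BAS
    challenge = os.urandom(16)     # CHAP challenge generated by the BAS
    hidden = pap_hide(password, bas_key, req_auth)
    pap_ok = pap_recover(hidden, radius_key, req_auth) == password
    from_client = chap_response(1, password, challenge)
    # The server recomputes from its stored password and the forwarded challenge.
    on_server = chap_response(1, password, challenge)
    return pap_ok, from_client == on_server

if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    print("keys equal :", compare(b"user-pass", b"keyA", b"keyA"))
    print("keys differ:", compare(b"user-pass", b"keyA", b"keyB"))
```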