IKEv2 VPN with AD authentication problem

nielsscheldeman Posts: 49  Freshman Member
edited March 2023 in Security

Hello,

I've set up an IKEv2 VPN with a local user on the FLEX200, and this connects fine from SecuExtender. Now I want to integrate it with AD, so I created a user on the domain controller with read rights on the security group.

AAA Server Active Directory setup is done; configuration validation with the user says OK.

Created an Authentication Method (testauth) and added the AD profile.

Created an ext-group-user in Object (TEST_AD-Users), filled in the Group Identifier with the right security group from AD and entered a test username: OK so far.

Changed my IKEv2 Gateway EAP settings:

  • AAA Method: testauth
  • Allowed User: TEST_AD-Users

Now when I try to connect the tunnel from SecuExtender, I get an "EAP authentication failed" error.

I filled the username in as: username; I also tried username@domain.local and username@domain.

What could be wrong?
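The post above configures two separate lookups on the firewall side: mapping the identity typed into the VPN client to an AD account, and checking that account's group membership against the ext-group-user's Group Identifier. The script below is an added example, not Zyxel's or the poster's code, that reproduces those two checks offline against a constructed sample directory entry (the account `jdoe`, the UPN suffix `domain.local`, the NetBIOS name `DOMAIN` and the group `VPN-Users` are all assumptions). It shows why `username`, `username@domain.local` and `username@domain` are not interchangeable, and that a DN comparison of the group should be case-insensitive, so letter case in the Group Identifier alone should not cause a failure.

```python
"""Offline model of an ext-group-user match: EAP identity -> AD account,
then memberOf vs. the configured group DN. Sample data is constructed."""
import re

# Constructed sample of what an LDAP search for the user would return
# (assumption: attribute names as Active Directory exposes them).
SAMPLE_DIRECTORY = {
    "jdoe": {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@domain.local",
        "memberOf": [
            "CN=VPN-Users,OU=Groups,DC=domain,DC=local",
            "CN=Domain Users,CN=Users,DC=domain,DC=local",
        ],
    },
}
NETBIOS_DOMAIN = "domain"  # assumed NetBIOS name for the DOMAIN\user form


def split_identity(identity):
    """Return (account, realm, style) for the three forms a VPN client sends:
    'jdoe' (bare), 'jdoe@domain.local' (UPN) or 'DOMAIN\\jdoe' (NetBIOS)."""
    if "\\" in identity:
        realm, account = identity.split("\\", 1)
        return account.lower(), realm.lower(), "netbios"
    if "@" in identity:
        account, realm = identity.rsplit("@", 1)
        return account.lower(), realm.lower(), "upn"
    return identity.lower(), None, "bare"


def normalize_dn(dn):
    """Lower-case, whitespace-trimmed DN so 'CN=VPN-Users, OU=Groups' and
    'cn=vpn-users,ou=groups' compare equal (DN matching is case-insensitive).
    Commas escaped with a backslash are kept as part of the value."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(p.lower() for p in parts)


def lookup(identity, directory=SAMPLE_DIRECTORY):
    """Resolve the typed identity to a directory entry, or None.
    A UPN suffix must match the account's userPrincipalName exactly, so
    'jdoe@domain' does not resolve when the UPN is 'jdoe@domain.local'."""
    account, realm, style = split_identity(identity)
    entry = directory.get(account)
    if entry is None:
        return None
    if style == "upn" and entry["userPrincipalName"].lower() != f"{account}@{realm}":
        return None
    if style == "netbios" and realm != NETBIOS_DOMAIN:
        return None
    return entry


def in_group(entry, group_identifier):
    """True when the configured Group Identifier DN is in the user's memberOf."""
    want = normalize_dn(group_identifier)
    return any(normalize_dn(g) == want for g in entry.get("memberOf", []))


def authorize(identity, group_identifier, directory=SAMPLE_DIRECTORY):
    """Outcome of the ext-group-user check: 'ok', 'user not found' or
    'user not in group'. Password verification (MS-CHAPv2) is out of scope."""
    entry = lookup(identity, directory)
    if entry is None:
        return "user not found"
    if not in_group(entry, group_identifier):
        return "user not in group"
    return "ok"


if __name__ == "__main__":
    group = "CN=VPN-Users,OU=Groups,DC=domain,DC=local"
    for ident in ("jdoe", "jdoe@domain.local", "jdoe@domain", "DOMAIN\\jdoe"):
        print(f"{ident:20} -> {authorize(ident, group)}")
```

The model only covers the lookup and group-membership stage; an "EAP authentication failed" result can equally come from the password stage, which is why the accepted answer asks about MS-CHAPv2 on the AD server profile.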

Accepted Solution

  • Zyxel_Kevin Posts: 885  Zyxel Employee
    edited March 2023 Answer ✓

    Hi @nielsscheldeman ,

    Greeting Forum.

    Please kindly check whether you have enabled MSCHAPv2 in the AD settings.

    If the settings are fine, please share the configuration files and the packets between AD and the firewall by private message.

    Thank you

All Replies

  • smb_corp_user Posts: 168  Master Member

    I am not sure, but reading your log entry, it looks like the authentication process is expecting an Active Directory user name, not an Active Directory group name.

    I could easily be mistaken. Maybe it is something as simple as making sure that only a lowercase name is used, not mixed upper/lowercase.

  • nielsscheldeman Posts: 49  Freshman Member

    Yes, I use the exact same username as configured in AD, only lowercase.

