VPN login with Zyxel VPN IPSec Client (EAP Popup activated) does not work with AD User

grokit Posts: 18  Freshman Member
edited April 2021 in Security
Does anyone have a hint for me?

I have configured AD with a ZyWALL110 and the same also with a USG310. All AD User Tests work fine. Login on USG/ZW for Domain Users works great. Also Configuration Provisioning with domain user is working fine.

The Problem starts when I use EAP (EAP Popup activated) on the Zyxel Client. The Problem is the same on both, the ZyWALL110 and the USG310.

Problem 1: If I use a local fw user, VPN connection works exactly 1 time. Second and further connection attempts fail. No error in Firewall Log, but a strange error in Client log: "No user certificate available for the connexion2"
Yet, if I do an IKE Reset on the client, VPN connection works again (once).
If I enter the EAP in the client (hence, EAP Popup deactivated), login to VPN works every time!

Problem 2: If I use a domain user, the VPN will not connect at all (never).
Error on firewall: "AUTH fail!".
Error on Client: "Remote endpoint sent EAP FAILURE code"

Remark: if I enable and configure "Domain Authentication for MSChap", the first attempt with local user fails too.


Does anyone have an idea?

Dan


USG310: V4.25(AAPJ.1) / 2017-07-13 11:08:08 (please do not tell me to upgrade FW. I know, but I cannot upgrade due to another unsolved issue)
ZyWALL 110: V4.25(AAPJ.1) / 2017-07-13 11:08:08

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee

    Hi @grokit,

     

    EAP Popup activated => Does it mean X-Auth on ZyWALL IPSec VPN client?

    We need more information to check this issue including the configuration file of USG and the tgb file for ZyWALL IPSec VPN client.

    The required information will be sent in the private message.

