Uncheck "Authenticate Client Certificates" from CLI on USG Flex 500 H

kaika313 Posts: 37  Freshman Member

Hi,

Stupidly, I’ve checked the "Authenticate Client Certificates" option and now I’m not able to access the Web UI. How can I disable it from the CLI (SSH is enabled and working)? Or is there something else I can do? I also have a configuration file from before this change was made.

Thank you

Kari

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Answer ✓

    Hi @kaika313,

    Here are the commands to disable "Authenticate Client Certificates".

    usgflex200h> edit running
    usgflex200h running config# vrf main http-server secure-server auth-client false
    usgflex200h running config# commit
    usgflex200h running config# copy running startup
    Overwrite startup configuration? [y/N] y

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • kaika313
    kaika313 Posts: 37  Freshman Member
    edited May 23

    Hi @Zyxel_Emily,

    thank you, this solved my problem.

    I have another issue regarding SSL VPN: there’s no way to make it work. I'm using a custom port because it doesn't allow me to use the same HTTPS port. The strange thing is that if I download the SSL VPN configuration and use it with OpenVPN, it works. If I try to use SecuExtender (4.0.4), it doesn't work, giving me these errors:

    [ 2024/05/23 16:49:15 ][SecuExtender Agent][DETAIL] SecuExtender Helper is connected
    [ 2024/05/23 16:49:15 ][SecuExtender Agent][INFO] [vpn] try to login serverpublicip:4491
    [ 2024/05/23 16:49:15 ][SecuExtender Agent][INFO] Connect to serverpublicip:4491
    [ 2024/05/23 16:49:15 ][SecuExtender Agent][INFO] Local address is localaddress
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][DEBUG] Connect success.
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][ERROR] Server unexpectedly disconnected (0x0)
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][ERROR] Error 0x80090301 querying connection info: SECPKG_ATTR_STREAM_SIZES (0x6)
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][ERROR] SSL Handshake failed. (0x6)
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][ERROR] Failed to connect to device(1) (0x6)
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][ERROR] user login device failed (0x6)
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][DEBUG] SSL Connection is going to be closed
    [ 2024/05/23 16:49:16 ][SecuExtender Agent][DETAIL] Connection ends.

    What am I doing wrong?

    I remember when using the previous USG40 firewall that the same problem occurred, but then I was able to use the same HTTPS port, even if different from the standard 443, and it worked. Now, using a different port for HTTPS and SSL VPN, it won't. Why?

    Thank you

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited May 23 Answer ✓

    You can't use SecuExtender SSL_VPN_Client_4.0.5.0 on H models; there is
    IPSec_SSL_VPN_7.7.40.019 (subscription_based) or

    https://openvpn.net/community-downloads/

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @kaika313,

    As PeterUK said, you need to use IPSec_SSL_VPN_7.7.40.019 (Windows) to establish SSL VPN to USG FLEX H.
