USG FLEX 500 VPN Server EAP-MSChapv2 vs EAP-TLS/PEAP on Radius
Hello,
I've got some trouble setting up remote user connection with a certificate instead of user/password, and I don't find much documentation about this on Zyxel networks.
I've set up the VPN gateway & tunnel for remote user connection with RADIUS authentication EAP-MSChapv2 successfully, but when I try to change the Windows built-in VPN configuration to use EAP-TLS / PEAP instead of EAP-MSChapv2, the connection is never established and times out.
Is it a Zyxel product limitation? I see on the firewall GUI that only MSChapv2 is supported, but I'm wondering if that also applies to AAA Radius auth or only to USG built-in auth. I saw a few docs on AP and 802.11x using EAP-TLS with NXC, but not for USG FLEX itself (non-H version).
The thing is, when I switch to EAP-TLS / PEAP the auth is forwarded to my Radius server, and Access-Accept is answered, like MSChap, but the connection is never established.
In the client log I've got a 1931 error, and the USG log doesn't display an Auth Fail message.
Pictures when I'm using EAP-MSChapv2 vs PEAP/EAP-TLS VPN profiles:
On the first & second pictures, the Radius server sent an Access-Accept packet, but the USG doesn't display [AUTH] Recv:[AUTH] when EAP-TLS / PEAP are used.
Thanks for your replies, and any information that could be useful.
Best Regards.
Hi @custom01
Could you please help check your client's log? Based on the EAP-TLS process, this seems to indicate that the negotiation between the client and the Radius server is stuck.
Zyxel Melen
Hello,
RasClient log events when I'm using the MSChapv2 vs EAP-TLS configuration on the Windows client:

EAP-MSChapv2:
20221
20222
20223
20224
20291
20225 -> conn Established

EAP-TLS:
20221
20222
20223
20224
20291
20227 -> error 1931

In my original post, the firewall seems not to be forwarding EAP Success to the client, which is waiting to start the handshake; the Radius server is sending Access-Accept in both cases.
Could you please confirm that [AUTH] Recv: AUTH is related to the firewall receiving the Access-Accept packet from Radius, else it will be Auth Fail?
Hi @custom01,
This is more likely an issue on the client and Radius server. I have searched for some posts related to "IPSec VPN error 1931" on Microsoft and I think you can take a look at this post:
Windows VPN doesn't connect, error 1931. Wireshark shows no connection - Microsoft Community
Zyxel Melen
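
For comparing client-side attempts like the two RasClient sequences quoted in this thread, the following PowerShell groups RasClient events per connection attempt and shows where each one stopped. It is an added example, not code from any poster or from Zyxel; the function name `Get-RasAttempt` is hypothetical, and it assumes an English-language Windows client whose RasClient messages begin with `CoId={GUID}:` and report failures as "error code returned on failure is N".

```powershell
# Added example (not from the thread): summarise RasClient events per VPN attempt.
# Assumptions: English message text; each message starts with "CoId={GUID}:".
function Get-RasAttempt {
    param(
        # How far back to read the Application log
        [datetime]$Since = (Get-Date).AddHours(-1)
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = $Since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    if (-not $events) { return }   # nothing logged in the window

    # One group per connection attempt, keyed on the correlation id
    $events | Group-Object {
        if ($_.Message -match 'CoId=\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { 'no-CoId' }
    } | ForEach-Object {
        $last = $_.Group[-1]
        $code = $null
        if ($last.Message -match 'error code returned on failure is (\d+)') {
            $code = [int]$Matches[1]
        }
        # 20225 and 20227 are the terminal events quoted in the thread
        $result = switch ($last.Id) {
            20225   { 'established' }
            20227   { 'failed' }
            default { 'incomplete' }
        }
        [pscustomobject]@{
            Start     = $_.Group[0].TimeCreated
            CoId      = $_.Name
            Sequence  = ($_.Group.Id -join ' > ')
            Result    = $result
            ErrorCode = $code
        }
    }
}

# Attempts from the last two hours, oldest first
Get-RasAttempt -Since (Get-Date).AddHours(-2) |
    Sort-Object Start |
    Format-Table -AutoSize
```

Running it once after an EAP-MSChapv2 attempt and once after an EAP-TLS attempt gives two rows whose `Sequence` columns can be compared directly, with the time of the last event available for correlation against the USG and Radius logs.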