AD Auth with built-in Windows L2TP client

TAPTech Posts: 167  Master Member
edited April 2021 in Security

When configuring a USG60 with Active Directory authentication, I can auth using "username" successfully. When configuring the built-in Windows 10 L2TP/IPSec client to connect using Windows credentials, it is sending "DOMAIN\User" and fails to authenticate. In addition, in the AAA tab in Zyxel, if I test "DOMAIN\User" it fails.

I spoke with tech support and they say that the DOMAIN\User is not supported, which is unfortunate as this would be a great solution for us.

I have good trust in ZYXEL tech, but does anyone know a workaround for this?

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,271  Zyxel Employee

    Hi @TAPTech

    Here is an example setting for logging in with domain\name.

    After building the L2TP tunnel and setting up the AD server, go to Configuration > Object > AAA Server > Active Directory and click Add.

    Add Domain Authentication for MSChap

    Add Domain Zone

    Go to Configuration > System > DNS > DNS > Domain Zone Forwarder and add the AD server to it.

    Add Domain name

    Go to Configuration > System > Host Name > Host Name

    Then check the status on the AD server to see if the USG has joined the domain.


    Here are the related settings on the Windows adapter:

    The tunnel is using a pre-shared key; for authentication, select MS-CHAP v2.

    Go to Configuration > VPN > L2TP VPN > L2TP VPN and set Allowed User to any.

    Test result:




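As an added example (not from any of the posts above), this PowerShell builds the Windows 10 built-in client side that the screenshots describe: L2TP over IPsec with a pre-shared key, MS-CHAP v2 as the only authentication method, and the "use Windows logon credentials" option so the client sends DOMAIN\User to the USG. The profile name and server address are placeholders; the PSK is prompted for.

```powershell
# Added example, not from the thread: build the Windows 10 built-in L2TP/IPsec
# client profile matching the USG-side setup described above (pre-shared key,
# MS-CHAP v2, Windows logon credentials). Run in an elevated PowerShell session.
$Name   = 'Office-L2TP'         # assumed profile name
$Server = 'vpn.example.com'     # placeholder for the USG WAN address or FQDN

# Prompt for the PSK instead of hard-coding it in the script.
$pskSecure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$pskPlain  = [System.Net.NetworkCredential]::new('', $pskSecure).Password

# Drop a stale profile of the same name so old settings are not carried over.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

$params = @{
    Name                  = $Name
    ServerAddress         = $Server
    TunnelType            = 'L2tp'
    L2tpPsk               = $pskPlain
    AuthenticationMethod  = 'MSChapv2'   # MS-CHAP v2 only; no PAP/CHAP fallback
    EncryptionLevel       = 'Required'
    UseWinlogonCredential = $true        # client sends DOMAIN\User of the logged-on user
    Force                 = $true
}
Add-VpnConnection @params

# Confirm the stored profile matches the USG expectations before the first dial.
function Test-L2tpProfile {
    param([string]$ProfileName)
    $vpn  = Get-VpnConnection -Name $ProfileName -ErrorAction Stop
    $auth = @($vpn.AuthenticationMethod)
    return ($vpn.TunnelType -eq 'L2tp') -and
           ($vpn.L2tpIPsecAuth -eq 'Psk') -and
           ($auth.Count -eq 1 -and $auth[0] -eq 'MsChapv2') -and
           ($vpn.EncryptionLevel -eq 'Required') -and
           ($vpn.UseWinlogonCredential -eq $true)
}

if (Test-L2tpProfile -ProfileName $Name) {
    "Profile '$Name' is L2TP/PSK with MS-CHAP v2 and Windows logon credentials."
} else {
    Write-Warning "Profile '$Name' does not match the expected L2TP settings."
    Get-VpnConnection -Name $Name | Format-List TunnelType, L2tpIPsecAuth,
        AuthenticationMethod, EncryptionLevel, UseWinlogonCredential
}
```
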
  • TAPTech
    TAPTech Posts: 167  Master Member

    That works! Thank you. I did put a call into tech support and they did not know about this. Perhaps you can update the internal documentation? I am US based.

  • PoulK
    PoulK Posts: 1
    I've followed the description above and it works perfectly for my phone, but when I try to connect from Windows 10 I get

    while my phone does as below:

    I came by a post in the knowledgebase suggesting setting the RADIUS server to 127.0.0.1, port 1812 and key 1. Unfortunately this does not help.

    Any suggestions much appreciated.

  • CHS
    CHS Posts: 181  Master Member
    edited July 2021
    @PoulK

    If you can log in to the device via the web portal, then your configuration on the ZyWALL is correct.
    You can check your configuration on your Win10. You can try leaving only PAP enabled in the L2TP settings. Of course, PAP is required on your RADIUS server too.

