IKEv2 VPN with AD authentication problem

nielsscheldeman
nielsscheldeman Posts: 44  Freshman Member
edited March 2023 in Security

Hello,

I've set up an IKEv2 VPN with a local user on the FLEX200, and this connects fine from SecuExtender. Now I want to integrate with AD, so I created a user on the domain controller with read rights on the security group.

AAA Server Active Directory setup done; configuration validation with the user says OK.

Created an Authentication method (testauth) and added the AD profile.

Created an ext-group-user in Object (TEST_AD-Users), filled in the Group Identifier with the right security group from AD and entered a test username: OK so far.

Changed the EAP settings of my IKEv2 Gateway:

  • AAA Method: testauth
  • Allowed User: TEST_AD-USers

Now I try to connect the tunnel from SecuExtender, but I get an "EAP authentication failed" error.

I filled in the username as: username. I also tried username@domain.local and username@domain.

What could be wrong?

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 814  Zyxel Employee
    edited March 2023 Answer ✓

    Hi @nielsscheldeman ,

    Greetings, Forum.

    Please kindly check if you have enabled MSCHAPv2 in the AD settings.

    If the settings are fine, please share the configuration files and the packets between AD and the firewall by private message.

    Thank you


    Kevin

All Replies

  • smb_corp_user
    smb_corp_user Posts: 163  Master Member

    I am not sure, but reading your log entry, it looks like the authentication process is expecting an Active Directory user name, not an Active Directory group name.

    I could easily be mistaken. Maybe it is something as simple as making sure that only a lowercase name is used, not mixed uppercase/lowercase.

  • nielsscheldeman
    nielsscheldeman Posts: 44  Freshman Member

    Yes, I use the exact same username as configured in AD, only lowercase.
