Radius server on ZyXEL FLEX H with SSL VPN

nielsscheldeman

Recently upgraded to FLEX H series and at the same time to Windows Server 2025. We used to have AD Integration for VPN, so that users could be defined on AD. Classic implementation (TCP389) still works with new FLEX H series combined with SSL and OpenVPN Client.

But as we have to move on to Windows Server 2025, classic LDAP on TCP389 is phased out and now I'm testing Radius with NPS on Windows Server.

It seems my connection works (with certificate etc.). But I still receive:

Failed login attempt to Device from sslvpn (incorrect password or inexistent username)

In C:\Windows\System32\LogFiles\IN2510.log I get:

"WS2025","IAS",10/30/2025,11:58:14,1,"user","domain.local/Gebruikers/user",,,,,,"192.168.25.1",11396,0,"192.168.25.1","ZyXEL FLEX 50h",,,5,,,8,1,"Connections to other access servers",0,"311 1 192.168.25.2 10/30/2025 08:33:00 11",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"WS2025","IAS",10/30/2025,11:58:14,3,,"domain.local/Gebruikers/user",,,,,,,,0,"192.168.25.1","ZyXEL FLEX 50h",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.25.2 10/30/2025 08:33:00 11",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

I tried user@domain, user@domain.local, domain\user and user

But always wrong login/password

Created ext-group-user, tried with both DistinguishedName and sAMAccountName, no difference.

Creating a local user on firewall works fine, so SSL VPN connection should be ok.

Not sure if it's now a config issue on flex or server?
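
Added example, not part of the original post: a Python decoder for the two NPS log records quoted above. The field positions and the packet-type, authentication-type and reason-code tables are assumptions taken from Microsoft's documented IAS log format, not from the thread, and the function names are hypothetical.

```python
import csv
import io

# Assumed positions of the leading fields in an NPS "IAS format" log record.
IDX = {"time": 3, "packet_type": 4, "user_name": 5, "fqdn": 6,
       "client_name": 16, "auth_type": 23, "policy_name": 24,
       "reason_code": 25}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP",
              7: "None", 8: "Custom", 11: "PEAP"}
# Subset of the NPS reason codes; extend as needed.
REASONS = {0: "IAS_SUCCESS", 8: "IAS_NO_SUCH_USER", 16: "IAS_AUTH_FAILURE",
           48: "IAS_NO_POLICY_MATCH", 65: "IAS_DIALIN_DISABLED",
           66: "IAS_INVALID_AUTH_TYPE"}

# The two records quoted in the post, cut after the Class field.
SAMPLE = '''"WS2025","IAS",10/30/2025,11:58:14,1,"user","domain.local/Gebruikers/user",,,,,,"192.168.25.1",11396,0,"192.168.25.1","ZyXEL FLEX 50h",,,5,,,8,1,"Connections to other access servers",0,"311 1 192.168.25.2 10/30/2025 08:33:00 11"
"WS2025","IAS",10/30/2025,11:58:14,3,,"domain.local/Gebruikers/user",,,,,,,,0,"192.168.25.1","ZyXEL FLEX 50h",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.25.2 10/30/2025 08:33:00 11"
'''

def _name(value, table):
    """Map a numeric field to its name; keep empty or odd values visible."""
    if not value.isdigit():
        return value or None
    return table.get(int(value), f"unknown({value})")

def parse_nps_log(text):
    """Return one dict per record with packet, auth and reason decoded."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= IDX["reason_code"]:
            continue  # blank or truncated line, not a full record
        rec = {name: row[i] for name, i in IDX.items()}
        rec["packet_type"] = _name(rec["packet_type"], PACKET_TYPES)
        rec["auth_type"] = _name(rec["auth_type"], AUTH_TYPES)
        rec["reason_code"] = _name(rec["reason_code"], REASONS)
        records.append(rec)
    return records

def rejections(records):
    """Access-Reject records as (time, account, client, policy, reason)."""
    return [(r["time"], r["user_name"] or r["fqdn"], r["client_name"],
             r["policy_name"], r["reason_code"])
            for r in records if r["packet_type"] == "Access-Reject"]

if __name__ == "__main__":
    for item in rejections(parse_nps_log(SAMPLE)):
        print(item)
```

For the records quoted in the post this returns one Access-Reject with reason code 65 (IAS_DIALIN_DISABLED), which NPS documents as the account's dial-in Network Access Permission denying access. The request itself was logged with authentication type 1 (PAP).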

All Replies

  • Matt10669
    edited October 2025

    Hi, sorry, I can't help you, but if you have time, can you explain to me how I can have AD integration on an SSL VPN? In my case the VPN is working, but the client can't access a folder on a Windows 2012 server on the LAN (in a domain environment).

  • nielsscheldeman

    Tried to follow that guide too, but something is missing here for me:

    image.png

    I don't have the possibility to enter my username, so tried just the Bind DN, but that's not working.

  • nielsscheldeman
    edited November 2025

    That's weird… In the manual it clearly says, go to LDAP

    image.png

    But OK, I tried now through AD and tested my account, and I get Invalid DN Syntax.

    image.png

    I think it has something to do with my certificate. I've exported it in computer certificates with default settings and imported it in Trusted Certificates.

    For the bind user I created in AD, I delegated control on the OU where my VPN Users group is.

  • Zyxel_Tina (Zyxel Employee)

    Hi @nielsscheldeman,

    Thank you for the information. To assist you further, could you please send us a private message with your configuration parameters? This will help us investigate the issue more thoroughly and provide you with an appropriate solution. Also, we appreciate you pointing out the error in our FAQ; we will make the necessary corrections. Thank you!

    Zyxel Tina

  • nielsscheldeman

    So, as I have a solution for WS2025/FLEX H, I still want to be able to use Radius. Because ZyXEL doesn't have 2FA anymore, I'd like to use our Userlock console for it. This, however, depends on Radius.

    I've now been able to connect the Flex H to the Radius server, but only through unencrypted authentication (CHAP). Is there a way to enable MS-CHAP v2 for authentication? I don't see any option.

    Also, the other reason my connection didn't work was that I specified the Ext-Group-User. I've set it to any now, and now I can connect. It's workable because the Radius server now grants or doesn't grant access.

    But that means that I cannot set Security Policies on specific groups of users to access Network Resources.