Radius server on ZyXEL FLEX H with SSL VPN

Recently upgraded to FLEX H series and in same time to WIndows Server 2025. We used to have AD Integration for VPN, so that users could be defined on AD. Classic implementation (TCP389) still works with new FLEX H series combined with SSL and OpenVPN Client.

But as we have to move on to Windows Server 2025, classic LDAP on TCP389 is phased out and now I'm testing Radius with NPS on Windows Server.

It seems my connection works(with certificate etc). But I still receive

Failed login attempt to Device from sslvpn (incorrect password or inexistent username)

In C:\Windows\System32\LogFiles\IN2510.log I get "WS2025","IAS",10/30/2025,11:58:14,1,"user","domain.local/Gebruikers/user",,,,,,"192.168.25.1",11396,0,"192.168.25.1","ZyXEL FLEX 50h",,,5,,,8,1,"Connections to other access servers",0,"311 1 192.168.25.2 10/30/2025 08:33:00 11",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"WS2025","IAS",10/30/2025,11:58:14,3,,"domain.local/Gebruikers/user",,,,,,,,0,"192.168.25.1","ZyXEL FLEX 50h",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.25.2 10/30/2025 08:33:00 11",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

I tried user@domain , user@domain.local , domain\user and user

But always wrong login/password

created ext-group-user, tried with both DistinguishedName and sAMAccountName, no difference.

Creating a local user on firewall works fine, so SSL VPN connection should be ok.

Not sure if it's now a config issue on flex or server?