AD Auth with built-in Windows L2TP client

TAPTech
TAPTech Posts: 165  Master Member
edited April 2021 in Security

When configuring a USG60 with Active Directory authentication, I can auth using "username" successfully. When configuring the built-in Windows 10 L2TP/IPsec client to connect using Windows credentials, it is sending "DOMAIN\User" and fails to authenticate. In addition, in the AAA tab in Zyxel, if I test "DOMAIN\User" it fails.

I spoke with tech support and they say that DOMAIN\User is not supported, which is unfortunate as this would be a great solution for us.

I have good trust in ZYXEL tech, but does anyone know a workaround for this?

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @TAPTech

    Here is an example setting to log in with domain\name.

    After building the L2TP tunnel and setting up the AD server, go to Configuration > Object > AAA Server > Active Directory > click Add

    Add Domain Authentication for MSChap

    Add Domain Zone

    Go to Configuration > System > DNS > DNS > Domain Zone Forwarder add AD server into it

    Add Domain name

    Go to Configuration > System > Host Name > Host Name

    Then check the status on the AD server to see if the USG has joined the domain.


    Here are the related settings on the Windows adapter.

    The tunnel is using a pre-shared key; for authentication select MS-CHAP v2.

    Go to Configuration > VPN > L2TP VPN > L2TP VPN > Allowed User set to any

    Test result :
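As an added example (not part of Zyxel_Jerry's post and not a Zyxel-provided script), the same Windows 10 client profile built with PowerShell instead of the adapter GUI, followed by a check that the profile really uses L2TP with a pre-shared key and MS-CHAP v2 before dialing with the DOMAIN\user form. The profile name, gateway address and account are placeholders.

```powershell
# Added example, not from the original post. Builds the Windows 10 built-in
# L2TP/IPsec client profile described above (pre-shared key, MS-CHAP v2).
# Placeholders: profile name, USG60 address and the DOMAIN\user account.
$Name    = 'USG60-L2TP'          # placeholder profile name
$Gateway = 'vpn.example.com'     # placeholder: USG60 WAN address or FQDN
$Psk     = Read-Host -Prompt 'L2TP pre-shared key'   # prompt rather than hard-code the PSK

# Same choices as the adapter GUI: L2TP/IPsec with PSK, MS-CHAP v2 only,
# encryption required, credentials not cached on the client.
Add-VpnConnection -Name $Name -ServerAddress $Gateway `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential:$false -Force

# Check that the stored profile matches what the USG60 AD setup expects
# (string comparisons in PowerShell are case-insensitive by default).
$vpn = Get-VpnConnection -Name $Name
if ($vpn.TunnelType -ne 'L2tp' -or $vpn.AuthenticationMethod -notcontains 'MSChapv2') {
    throw "Profile '$Name' is not L2TP + MS-CHAP v2: $($vpn.TunnelType) / $($vpn.AuthenticationMethod)"
}

# Dial with the domain form of the account; '*' makes rasdial prompt for the password.
rasdial $Name 'DOMAIN\user' '*'
```

Run it in an elevated PowerShell session on the client; the USG side still needs the AD server object, domain zone forwarder, host name and Allowed User settings from the steps above.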



  • TAPTech
    TAPTech Posts: 165  Master Member

    That works! Thank you. I did put a call into tech support and they did not know about this; perhaps you can update the internal documentation? I am US-based.

  • PoulK
    PoulK Posts: 1
    I've followed the description above and it works perfectly for my phone, but when I try to connect from Windows 10 I get

    while my phone does as below:

    I came by a post in the knowledgebase suggesting setting radius server to 127.0.0.1 port 1812 and key 1. Unfortunately this does not help.

    Any suggestions much appreciated.

  • CHS
    CHS Posts: 177  Master Member
    edited July 2021
    @PoulK

    If you can log in to the device via the web portal, it means your configuration on the ZyWALL is correct.
    You can check your configuration on your Win10. You can try leaving only PAP enabled in the L2TP setting. Of course, PAP is required in your RADIUS server too.

