With the upcoming changes introduced in Microsoft Windows Server 2025, NTLM authentication support has been deprecated in favor of more modern and secure authentication protocols. As a result, authentication methods relying on MSCHAPv2—such as those used in Active Directory (AD) and RADIUS environments—may experience compatibility issues when interfacing with Zyxel firewall appliances running current firmware versions.
Note: As of April 2025, Windows Server 2025 continues to support MS-CHAPv2 for authentication.
However, it's important to note that Windows Defender Credential Guard, enabled by default in Windows Server 2025, can interfere with MS-CHAPv2-based authentication methods, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2.
This interference may lead to authentication failures in scenarios like Active Directory (AD) authentication on your Zyxel firewall and RADIUS server authentication.
If you are looking to integrate your Zyxel Firewall with Windows Server 2025 Active Directory using LDAPS (TCP port 636) on ZLD 5.40 or uOS 1.32, please refer to this dedicated article:
👉 Zyxel Firewall – Windows Server 2025 Active Directory and Zyxel Firewall ZLD 5.40/uOS 1.32
Note: This article focuses on authentication compatibility issues (e.g., MS-CHAPv2, NTLM deprecation) with Windows Server 2025. If you're looking for AD integration steps using LDAPS, please refer to the linked article at the bottom.
Observed Behavior
When attempting to authenticate users via AD or NPS (Network Policy Server) using MSCHAPv2, Zyxel firewalls may not receive a valid response, resulting in failed authentication attempts. This behavior is due to the removal of NTLM support in Windows Server 2025, which is a required component for MSCHAPv2 to function.
Zyxel’s Recommended Solution
To ensure continued and uninterrupted user authentication, Zyxel recommends the following workaround until full compatibility is introduced:
- Create local user accounts on the Zyxel firewall for authentication purposes.
- This bypasses the dependency on NTLM, ensuring a smooth login experience for users while maintaining network security.
Workaround Solution (with caution)
Workaround 1: Enabling SSL (LDAPS) on Zyxel Firewall
The essence of this workaround is to use LDAP over SSL, which aligns with Microsoft's new security policies and replaces the legacy NTLM protocol.
Configuration Steps:
- Log in to the Zyxel Firewall interface and navigate to: Authentication > Server Settings > Advanced Settings.
- Enable the SSL option.
Make sure that:
- The domain controller has a valid SSL certificate.
- This certificate is installed in the Trusted Root Certification Authorities store on the Firewall.
Risks and Limitations:
- Without a properly installed and trusted certificate, the Firewall will not be able to connect to the AD server via LDAPS.
- Manual certificate handling is required: export, import, and trust chain verification.
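Before enabling SSL on the firewall, it helps to confirm what certificate the domain controller actually presents on TCP 636 and which root CA the firewall must trust. The following PowerShell is an added example, not part of the Zyxel article or firmware; the domain controller name and export path are placeholders.

```powershell
# Added example: inspect the DC's LDAPS certificate and export the root CA that the
# Zyxel firewall needs in its Trusted Root Certification Authorities store.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # placeholder, e.g. dc01.corp.example
        [int] $Port = 636,
        [string] $ExportRootTo = "$env:TEMP\ldaps-root-ca.cer"
    )
    $script:policyErrors = $null
    # Record .NET's verdict (chain/name problems) without aborting the handshake,
    # so the presented certificate can still be inspected and reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Rebuild the chain locally to find the root CA; the last element is the root.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # enable revocation checks for a full audit
        [void]$chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [System.IO.File]::WriteAllBytes($ExportRootTo, $root.Export('Cert'))   # DER .cer for import

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Expired        = $cert.NotAfter -lt (Get-Date)
            PolicyErrors   = $script:policyErrors   # 'None' means chain and hostname both validate
            RootCA         = $root.Subject
            RootExportedTo = $ExportRootTo
        }
    } finally {
        $tcp.Dispose()
    }
}

Test-LdapsCertificate -DomainController 'dc01.corp.example'
```

If PolicyErrors reports RemoteCertificateNameMismatch, the firewall's configured server name must match a DNS name in the certificate; if it reports RemoteCertificateChainErrors, the exported root (or an intermediate) is not trusted where the check ran.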
Workaround 2: Relaxing Security Policy on Windows Server 2025
The second approach is to modify Group Policy on the domain controller to allow insecure behavior by default. This enables the Zyxel Firewall to connect using standard (non-secure) LDAP.
Steps:
- Run gpedit.msc on the Windows Server 2025 domain controller.
- Navigate to: Local Group Policy Editor → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Domain controller: LDAP server signing requirements.
- Change the "Enforcement" setting to "Disabled".
What this does:
- Allows the domain controller to respond to plain (non-encrypted) LDAP requests from clients such as Zyxel Firewall.
- Bypasses the requirement to use LDAPS.
Risks:
- Passwords and other sensitive data are transmitted unencrypted, which is especially dangerous in unsecured or public networks.
- Opens potential vulnerability to man-in-the-middle attacks.
- Violates Microsoft’s recommended security policies and may trigger alerts in monitoring systems.
Conclusion:
This is a quick workaround, but it significantly reduces security. Use it only in restricted, isolated environments, and revert it as soon as an official solution is available.
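If this workaround is applied, the domain controller should be audited so the exception stays scoped and gets reverted. The PowerShell below is an added example, not from the Zyxel article: it reads the registry value behind the "LDAP server signing requirements" policy and lists clients that Windows logged as binding without signing (Directory Service event 2889), which is how the firewall's plain LDAP binds would show up. The registry paths, value names and event ID are Microsoft's; the lookback window is an assumption.

```powershell
# Added example: run on the Windows Server 2025 domain controller to audit workaround 2.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapSigningState {
    # LDAPServerIntegrity is what the Group Policy setting writes: 1 = None, 2 = Require signing.
    $value = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    [pscustomobject]@{
        LDAPServerIntegrity = $value
        State = switch ($value) {
            2       { 'Require signing' }
            1       { 'None (plain LDAP binds accepted; workaround 2 is active)' }
            default { 'Not set (policy default applies)' }
        }
    }
}

function Get-UnsignedLdapBindClients {
    param([int] $Hours = 24)   # assumed lookback window
    # Event 2889 is written per unsigned/cleartext bind only when the
    # '16 LDAP Interface Events' diagnostic level is 2 or higher.
    $level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
    if (-not $level -or $level -lt 2) {
        Write-Warning "LDAP diagnostics level is '$level'; set '16 LDAP Interface Events' to 2 under $diag to log event 2889."
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time     = $_.TimeCreated
                ClientIP = if ($m -match 'Client IP address:\s*(\S+)') { $matches[1] } else { $null }
                Identity = if ($m -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $matches[1].Trim() } else { $null }
            }
        } |
        Group-Object ClientIP, Identity |
        Select-Object Count, @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } }, @{ n = 'Identity'; e = { $_.Group[0].Identity } }
}

Get-LdapSigningState
Get-UnsignedLdapBindClients -Hours 24 | Sort-Object Count -Descending
```

Any client IP other than the firewall in the 2889 list is an unintended consequence of the relaxed policy; when reverting, change the policy back in the Local Group Policy Editor rather than only editing the registry value, since policy refresh rewrites it.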
Looking Ahead
At Zyxel, we actively work to ensure our solutions evolve alongside industry changes. Our teams are closely monitoring Microsoft's developments with Windows Server 2025, and we are already exploring integration options to support the enhanced security protocols it introduces.
While current firmware versions do not yet support the updated authentication methods, rest assured that this is a high priority on our development roadmap. Our engineers are committed to delivering a seamless experience for our customers, and support for Windows Server 2025 authentication is under active review.
Thank you for your continued trust in Zyxel. Together, we’re building a more secure and resilient future.
We appreciate your understanding and recommend staying connected with our Zyxel Community and Support Portal for the latest news and guidance.