Maybe Odyssey is using another way to connect on the ZS. EAP-TLS will use both server and clients keys to connect and is password-less if I remember well, so if you disable the certificates for that user he will not be allowed to connect, unless there is a backdoor.