-
How to Separate Traffic through L2 Port Isolation (4.80 or newer)
A common requirement is to separate or isolate traffic between the various clients/devices on switches in a network environment. The most intuitive implementation is to create different VLANs that logically segment a LAN into different broadcast domains. However, there are certain…
-
What is the user name attribute format for MAC Authentication on a Zyxel switch?
Answer: To set up MAC Authentication Bypass (MAB) for your VOIP phones on a Zyxel switch, follow these steps: * Ensure the switch port is configured as an Access Type with a RADIUS Auth profile associated with it. * Enable MAB on the switch port. * Verify that the switch forwards the MAC address of the device to the RADIUS…
-
How to activate 802.1x authentication on a switch?
This article explains how to activate 802.1x authentication on a standalone switch running firmware v4.80 or above. Follow these steps: 1. Log in to the switch web GUI and select Security 2. Choose 802.1x 3. Toggle the Active button 4. Select which switch ports should activate 802.1x authentication 5. Click Apply Please remember to…
-
How to set remote access control on GS1900?
Remote access control is a common feature that restricts the end device from accessing a network device. This FAQ will guide you on how to set remote access control on GS1900. If your allowed IP range does not fit the prefix size, you can split the IP range into separate allow rules. The screenshot below is an example.
-
How to change the default "admin" account on switch?
Starting from firmware version 4.90, switches can modify the default admin account to any username you would like it to be, via System > Logins page. Login with the new username and check the system log.
-
What is the authentication behavior in switches without compound authentication?
Switches, such as GS1920, do not support compound authentication, meaning MAC authentication and 802.1X authentication are independent. The switch will authenticate using whichever method it receives first. In practice, MAC authentication often precedes 802.1X authentication due to its operational mechanism.
-
What is authentication priority when both MAC and 802.1X authentication are enabled?
In switches with compound authentication capabilities, such as the GS2220, XGS2210, and XGS2220 models, 802.1X authentication is prioritized over MAC authentication when both methods are enabled in strict mode.
-
The choice between LoopGuard and Spanning-tree
To prevent loop events, especially in ring topologies, configuring Rapid Spanning Tree Protocol (RSTP) between switches is recommended. RSTP effectively identifies and eliminates network loops by creating a loop-free tree structure of connections. In addition, Loop guard is a feature that provides an additional layer of…
-
How to allow a RADIUS admin to log in to the switch? (by Windows Server)
In the following example, we will only provide the necessary settings on the NPS of Windows Server 2019. If you haven't finished the switch settings, please check this article to complete. Topology Configuration of NPS 1. Set RADIUS Clients to 10.214.36.29 with shared secret 12345678. 2. Create your user account in "Active…
-
Can I add multiple vendor attributes in the same RADIUS account?
Yes, the Zyxel switch accepts RADIUS Access-Accept packets with multiple vendor attributes. You just need to make sure the attributes for the Zyxel switch are correct.
-
Can I give a RADIUS user a privilege attribute that is not full admin?
Zyxel switch has four privilege levels that the customer can set. Please reference the screenshot below.
-
The switch shows "wrong account or password" after I set up AAA.
This problem could be caused by any of the following: the switch cannot connect to the RADIUS server; the shared password is wrong; a RADIUS attribute is wrong or missing; the account or password is wrong. Please check this FAQ on how to set up AAA:
-
Why can't I access my switch after setting up AAA? How to fix it?
This is because you only set RADIUS or TACACS+ as the authentication method and the settings might be wrong. Please reset your switch to factory defaults to fix this issue.
-
Can the DHCP snooping learn new entries while the static binding entry reaches the limit?
DHCP snooping and static binding use the same entry table. When one of them reaches the limits, the other one cannot learn/set new entries. This means when static binding entries reach the limit, DHCP snooping cannot learn new entries. For example: If the maximum limit of entries is 512 for the IP Source Guard feature.…
-
Displaying user accounts and AAA server settings in switch configuration file
For security reasons, the factory default settings of switches exclude configurations for local user accounts, including SNMP and settings for AAA servers, RADIUS and TACACS+. However, to include user information in the configuration file, a specific command needs to be used. Here's how it works: Displaying User account in…
-
How to allow a RADIUS admin to log in to the switch? (by TekRADIUS)
Scenario Some users might prefer to use a RADIUS server to manage access control for network devices. Zyxel switches allow users to authenticate switch logins through a RADIUS server. This FAQ will use GS2220 and TekRADIUS as an example. Topology Configuration V4.70 version firmware: Navigate to Advanced Application >…
-
How to Use Switch ACL on Nebula
Switch Access Control Lists (ACLs) can be used to filter network traffic based on criteria such as source and destination IP addresses, protocols, and port numbers. Configuring Switch ACLs on a Nebula switch can provide additional security to the network by blocking unauthorized traffic. In this post, we will guide you…
-
How to configure CNP and claim one-month free license in NCC?
What is Connect & Protect (CNP) service? Connect & Protect service helps to provide a secure and reliable wireless experience to prevent malicious websites access and optimize wireless performance. How to claim CNP 1-month free license? To claim 1-month free license for your Zyxel AP, please go to the device tab in the…
-
How to implement Compound Authentication with Dynamic VLAN Assignment?
Dynamic VLAN Assignment separates and isolates devices into different network segments based on the device or user authorization and their characteristics. Scenario and Topology Configuration The following steps are applicable for switches supporting compound authentication. MAC authentication + Dynamic VLAN assignment is…
-
How to configure port security to disable dynamic MAC learning and allow access to a particular device
The port security feature allows users to limit the number of connected devices by limiting the number of dynamic MAC addresses that can be learned on the port. However, there are scenarios where we would like only certain trusted/known devices to have access, while blocking any unknown “rogue” devices. Let’s say in a small…