Zyxel GS1920-24HP unsuccessful MAC authentication to RADIUS!
Hi,
I have Zyxel 1920-24hp switches and want to configure them to MAC authenticate with RADIUS. To do this I followed this post: https://community.zyxel.com/en/discussion/1565/is-there-a-way-to-configure-802-1x-mac-based-on-a-gs1920
TekRADIUS sends a success response but the switch doesn't allow the client.
These are the TekRADIUS log details:
Size : 79 / 79
Identifier : 42
Attributes :
NAS-IP-Address = 192.168.1.51
NAS-Identifier = GS1920
User-Name = form-ec-c8-9c-78-97-b8
20.12.2021 14:08:48.200 - Authentication query for user 'form-ec-c8-9c-78-97-b8'; SELECT Attribute, Val from Users where UserName = 'form-ec-c8-9c-78-97-b8' and AttrType = 0
20.12.2021 14:08:48.200 - No group check attribute is configured for user 'form-ec-c8-9c-78-97-b8' - (Group: Default).
20.12.2021 14:08:48.200 - PAP Authentication commencing for user 'form-ec-c8-9c-78-97-b8'
20.12.2021 14:08:48.200 - Check items control for user 'form-ec-c8-9c-78-97-b8' - Start (PAP) [Group: 'Default'].
20.12.2021 14:08:48.201 - Check items control for user 'form-ec-c8-9c-78-97-b8' - Stop [Group: 'Default'].
20.12.2021 14:08:48.201 - Authentication successful for user 'form-ec-c8-9c-78-97-b8'
20.12.2021 14:08:48.201 - Fetching Success-Reply items for user 'form-ec-c8-9c-78-97-b8' - Start.
20.12.2021 14:08:48.201 - Authorization query for user 'form-ec-c8-9c-78-97-b8'; SELECT Attribute, Val from Users where UserName = 'form-ec-c8-9c-78-97-b8' and Attribute <> 'ietf|2' and Attribute <> 'ietf|3' and AttrType = 1
20.12.2021 14:08:48.201 - Fetching Success-Reply items for user 'form-ec-c8-9c-78-97-b8' - Stop.
20.12.2021 14:08:48.201 - Generating Reply Packet for user 'form-ec-c8-9c-78-97-b8' - Start.
20.12.2021 14:08:48.203 - Generating Reply Packet for user 'form-ec-c8-9c-78-97-b8' - Stop.
20.12.2021 14:08:48.205 - RadAuth reply to : 192.168.1.51:1045 (Success)
Size : 32
Identifier : 42
Attributes :
Acct-Interim-Interval = 30
Service-Type = 6
What is wrong in my switch configuration?
Thanks
All Replies
-
Abasko,
Could you please provide your switch log here, and PM us your switch config so that we can check if there is any misconfiguration?
Adam
-
Hi Adam,
Thanks for your answer.
There are no event logs about that failed authentication client MAC in the switch's log page.
There is only this text: - Info -
But I installed a syslog server to collect system log files. Output is:
12-23-2021 12:06:02 Local0.Debug 192.168.60.51 2020-01-01T18:26:14Z GS1920 interface: Port 1 link up 100M/F
12-23-2021 12:05:53 Local0.Debug 192.168.60.51 2020-01-01T18:26:05Z GS1920 interface: Port 1 link down
12-23-2021 12:03:27 Local0.Info 192.168.60.51 2020-01-01T18:23:39Z GS1920 system: Save system configuration 1 successfully
12-23-2021 12:03:21 Local0.Info 192.168.60.51 2020-01-01T18:23:33Z GS1920 system: Save system configuration
12-23-2021 12:00:01 Local0.Debug 192.168.60.51 2020-01-01T18:20:13Z GS1920 interface: Port 1 link up 100M/F
12-23-2021 11:59:59 Local0.Debug 192.168.60.51 2020-01-01T18:20:11Z GS1920 interface: Port 1 link down
12-23-2021 11:59:48 Local0.Debug 192.168.60.51 2020-01-01T18:20:00Z GS1920 interface: Port 1 link up 100M/F
12-23-2021 11:59:37 Local0.Debug 192.168.60.51 2020-01-01T18:19:49Z GS1920 interface: Port 1 link down
12-23-2021 11:58:55 Local0.Info 192.168.60.51 2020-01-01T18:19:07Z GS1920 system: Save system configuration 1 successfully
12-23-2021 11:58:49 Local0.Info 192.168.60.51 2020-01-01T18:19:01Z GS1920 system: Save system configuration
12-23-2021 11:57:47 Local0.Debug 192.168.60.51 2020-01-01T18:17:59Z GS1920 interface: Port 1 link up 100M/F
12-23-2021 11:57:41 Local0.Debug 192.168.60.51 2020-01-01T18:17:52Z GS1920 interface: Port 1 link down
12-23-2021 11:57:07 Local0.Info 192.168.60.51 2020-01-01T18:17:18Z GS1920 system: Save system configuration 1 successfully
12-23-2021 11:57:00 Local0.Info 192.168.60.51 2020-01-01T18:17:12Z GS1920 system: Save system configuration
I sent the switch config files, TekRADIUS log files and Kiwi syslog files.
Best Regards
-
Hi @Abasko,
Thanks for providing log and configuration.
After I imported your switch configuration to my LAB switch and tested with TekRADIUS, it's working on my site.
As I check your TekRADIUS (V5.60 LT) log, I am not sure if your client passes the authentication or not.
If a client passes auth, you should see an authentication successful log.
24.12.2021 14:15:16.003 - RadAuth req. from : 192.168.60.51:1045 [UDP]
Size : 79 / 79
Identifier : 3
Attributes :
NAS-IP-Address = 192.168.60.51
NAS-Identifier = GS1920
User-Name = serefli-98-e7-f4-5c-13-fb
24.12.2021 14:15:16.050 - Authentication successful for user 'serefli-98-e7-f4-5c-13-fb'
Could you check if there is any discrepancy between your config and mine?
Here are the settings in my LAB environment:
For GS1920-24HP switch (I use my own password instead)
For TekRADIUS
Open Wireshark to check if TekRADIUS receives the client's RADIUS request from the switch and RADIUS forwards Access-Accept to the switch.
Hope it helps,
Adam
-
Hi Adam,
Thanks for your reply.
I will try and inform you.
-
Hi @Abasko,
As discussed in PM, it seems that you've set a wrong VLAN as Guest VLAN.
As a result, even if a client passes MAC authentication, the client cannot receive a correct IP address to reach your data LAN, because the client is allocated to the Guest VLAN.
Once you remove the Guest VLAN setting, it works as expected.
Please feel free to let us know if you have questions.
Adam
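
The log check suggested in this thread, as an added example (not code from the thread, Zyxel or TekRADIUS): it pairs each RadAuth reply with its request by NAS address and Identifier and reports whether the accepted reply carries a VLAN attribute. The sample log is constructed in the layout quoted above, and `Tunnel-Private-Group-Id` (the standard RADIUS VLAN attribute) is an assumption about what to look for.

```python
import re

# Constructed sample in the TekRADIUS log layout quoted in this thread.
SAMPLE_LOG = """\
20.12.2021 14:08:48.199 - RadAuth req. from : 192.168.1.51:1045 [UDP]
Size : 79 / 79
Identifier : 42
Attributes :
User-Name = form-ec-c8-9c-78-97-b8
20.12.2021 14:08:48.201 - Authentication successful for user 'form-ec-c8-9c-78-97-b8'
20.12.2021 14:08:48.205 - RadAuth reply to : 192.168.1.51:1045 (Success)
Identifier : 42
Attributes :
Acct-Interim-Interval = 30
Service-Type = 6
"""
HEADER = re.compile(r"\S+ \S+ - RadAuth (req|reply)\.? (?:from|to) : (\S+?):\d+(?: \((\w+)\))?")
FIELD = re.compile(r"([A-Za-z][\w-]*) (=|:) (.+)")

def parse_packets(log_text):
    """Return one dict per RadAuth request/reply block found in the log."""
    packets, current = [], None
    for line in map(str.strip, log_text.splitlines()):
        head, field = HEADER.match(line), FIELD.fullmatch(line)
        if head:
            current = {"kind": head.group(1), "nas": head.group(2),
                       "result": head.group(3), "id": None, "attrs": {}}
            packets.append(current)
        elif re.match(r"\d{2}\.\d{2}\.\d{4} ", line):
            current = None  # any other timestamped line ends the block
        elif current and field and field.group(2) == "=":
            current["attrs"][field.group(1)] = field.group(3)
        elif current and field and field.group(1) == "Identifier":
            current["id"] = int(field.group(3))
    return packets

def triage(log_text):
    """Pair each reply with its request by (NAS, Identifier)."""
    pending, findings = {}, []
    for pkt in parse_packets(log_text):
        key = (pkt["nas"], pkt["id"])
        if pkt["kind"] == "req":
            pending[key] = pkt
        elif key in pending:
            user = pending.pop(key)["attrs"].get("User-Name")
            # No Tunnel-Private-Group-Id in the reply: the switch config picks the VLAN.
            findings.append({"user": user, "result": pkt["result"], "reply": pkt["attrs"],
                             "server_assigns_vlan": "Tunnel-Private-Group-Id" in pkt["attrs"]})
    return findings
```

A `Success` result with `server_assigns_vlan` false means the RADIUS side is done and the client's VLAN comes from the switch's own port and Guest VLAN settings, which is where the fault in this thread was.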