Is there a way to configure 802.1x mac based on a GS1920?

Micky

Hello everybody!

I need to enable port authentication on our GS1920 switch, we're needing to use mac based authentication on a radius server like  what is explained on this KB aricle for GS1910: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=002789&lang=EN is there a way to do it on GS1920? Can someone explain me how to do?

TIA, Micky

Zyxel小編 Lucious

Hi @Micky

Welcome to Zyxel Community!

It is surely feasible to implement MAC-Authentication on GS1920 as well.
Here are the steps for a configuration sample (we use TekRADIUS software for RADIUS Server),

1.
Go to Advance Application > AAA > RADIUS Server Setup.
Type in the IP address of your RADIUS server and your Shared Secret.


2.
Go to Advance Application > Port Authentication > MAC Authentication.
Activate MAC Authentication and the port you would like to use, and type in the name prefix and password you want.
Switch will use the password and 「Name Prefix + user’s MAC address」as the username, together to submit authentication to the RADIUS Server.


3.
On RADIUS Server, set the RADIUS Client profile for the Switch.


Set the user profile for MAC-Authentication.

Shared Secret, username, and password are all case-sensitive. Make sure you input the correct lower-case or upper-case characters for them, and remember to use upper-case for the MAC-Address characters.

4.
For verification, connect host to port 1 of the Switch.
Check the MAC table on the Switch, host's MAC address should be learned by the Switch on port 1 with MAC-Authentication verified and host can access the Switch accordingly.


Hope it helps.

Micky

Hi Zyxel_Lucious, 
thanks for the answer.

Sorry, i forgot to say that i tryid as explained by you, but i also need to assigned a vlan from radius, not only authorized a mac.

On https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=002789&lang=EN in a figure a see "RADIUS-Assigned VLAN enabel", so i think it's possible flagging this to push to the switch a VLAN id from a radius server, but i'm not able to do this on GS1920

I hope you'll be so kind to help me again.

Thanks, Micky

Zyxel小編 Lucious

Hi @Micky

Welcome to Zyxel Community!

It is surely feasible to implement MAC-Authentication on GS1920 as well.
Here are the steps for a configuration sample (we use TekRADIUS software for RADIUS Server),

1.
Go to Advance Application > AAA > RADIUS Server Setup.
Type in the IP address of your RADIUS server and your Shared Secret.


2.
Go to Advance Application > Port Authentication > MAC Authentication.
Activate MAC Authentication and the port you would like to use, and type in the name prefix and password you want.
Switch will use the password and 「Name Prefix + user’s MAC address」as the username, together to submit authentication to the RADIUS Server.


3.
On RADIUS Server, set the RADIUS Client profile for the Switch.


Set the user profile for MAC-Authentication.

Shared Secret, username, and password are all case-sensitive. Make sure you input the correct lower-case or upper-case characters for them, and remember to use upper-case for the MAC-Address characters.

4.
For verification, connect host to port 1 of the Switch.
Check the MAC table on the Switch, host's MAC address should be learned by the Switch on port 1 with MAC-Authentication verified and host can access the Switch accordingly.


Hope it helps.

Micky

Hi Zyxel_Lucious, 
thanks for the answer.

Sorry, i forgot to say that i tryid as explained by you, but i also need to assigned a vlan from radius, not only authorized a mac.

On https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=002789&lang=EN in a figure a see "RADIUS-Assigned VLAN enabel", so i think it's possible flagging this to push to the switch a VLAN id from a radius server, but i'm not able to do this on GS1920

I hope you'll be so kind to help me again.

Thanks, Micky

Zyxel小編 Lucious

Hi @Micky

Thank you for your reply.

You can even implement MAC Authentication + 802.1x Port Authentication with Dynamic VLAN Assignment (also with Guest VLAN) together on the same switch.

The Behavior will be like this, when a host connects to a port with MAC Authentication and 802.1x together, MAC Authentication will come first and then 802.1x.
1.
If MAC Authentication failed, there will be no 802.1x then. The host's MAC will not be learned on the switch. End up with no access to the switch.
2.
If MAC Authentication passed, after that comes 802.1x. Input correct user credential and then successfully access to the switch, otherwise it will be isolated to Guest VLAN.



After you finishing configuration for MAC Authentication as aforementioned section (see my first reply of this discussion), you can go on for below section for 802.1x Port Authentication with Dynamic VLAN Assignment.

Zyxel switch models support 802.1x Port Authentication that forces hosts to submit valid user credentials to be authenticated by an authentication server (In this case would be RADIUS Server) before their traffic can be forwarded across the switch.

Dynamic VLAN Assignment, a variation of Port Authentication, allows host traffic to be processed in specific VLAN based on the submitted user credentials regardless of the PVID. This can be done by adding certain attributes in the user profile

Below example will instruct the administrator on how to configure the Switch and RADIUS Server to allow host traffic to be processed in a specific VLAN based on the submitted user credentials.

The USG provides dynamic IP address configurations for Hosts in VLAN 10, 20, and 99:

• If Host enters the “VLAN10” user credentials, Host is going to receive a dynamic IP address for network 192.168.10.0.
• If Host enters the “VLAN20” user credentials, Host is going to receive a dynamic IP address for network 192.168.20.0.
• If Host enters an invalid credential, Host will be isolated to Guest VLAN (VLAN 99) and receive a dynamic IP address for network 192.168.99.0.

In the example, Host A and B will get different network IP via Dynamic VLAN Assignment based on the submitted user credentials. Flexible network segmentation and management can be implemented accordingly.

Configuration Steps

1. On the Switch:

• Go to Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup.
  Create VLAN 10, 20 for Hosts, VLAN 99 for Guest VLAN, and VLAN 100 for RADIUS server.
• Go to Advance Application > VLAN > VLAN Configuration > VLAN Port Setup.
  Configure PVID 100 for the port connected to RADIUS server.
• Go to Basic Setting > IP Setup.
  Configure the IPs for VLAN 10, 20, 99, and 100.
• Go to Advance Application > AAA > RADIUS Server Setup.
  Type in the IP address of your RADIUS server and your Shared Secret.
• Go to Advance Application > AAA > AAA Setup.
  Check Dot1x under the Authorization section.
• Go to Advance Application > Port Authentication > 802.1x.
  Activate 802.1x Authentication and the ports you would like to use.
• Go to Advanced Application > Port Authentication > 802.1x > Guest VLAN.
  Activate the ports you would like to use and assign the Guest VLAN ID in order to isolate the unauthorized users.

2. On the RADIUS Server:

• Set the RADIUS Client profile for the Switch.
• Edit the User profile for Host credentials and attributes (VLAN ID).

3. On Host PC:

• For Windows OS, click the Start button and type "services.msc" into the search box.
  In the "Services" window, locate the service named "Wired AutoConfig". Make sure the service status is “Started”.
• Right-click on your network adapter and select Properties.
  Click on the Authentication tab and check “Enable IEEE 802.1X authentication”.
  Make sure that the network authentication method is Microsoft: Protected EAP (PEAP).
• Click on Additional Settings, select "Specify authentication mode" and specify User authentication.
  

4. Verification:

• Connect Host PC to port 1 (or 2) of the Switch, it should show “Additional information is needed to connect to this network” on Host PC.
• Enter the username (vlan10) and password (vlan10user) which must be consistent with the RADIUS server’s user profile settings.
• Access the Switch and go to Maintenance > MAC Table. Check the MAC table on the switch, Host's MAC should be learned and assigned with VLAN ID 10.
• Host gets the dynamic IP 192.168.10.X in VLAN 10 from DHCP Server on USG.
• The shared secret, usernames, and passwords are all case-sensitive. Make sure that users input the correct lower-case or upper-case for each character. Invalid credentials will be isolated to Guest VLAN with limited network resources.

5. Note:

• Make sure you create the specific VLAN on the Switch in advance regarding the VLAN ID you want to dynamically assign by 802.1x Port Authentication.

• The priority of Dynamic VLAN Assignment is higher than the PVID on the Switch. This means if your goal is to use the PVID on certain port, you should submit with user credentials including no VLAN ID attribute assignments.

Micky

Thanks again Zyxel_Lucious!

So I understand that it's not possible to do something like that https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=002768&lang=EN on a GS1920, is it?

Thanks Micky

Micky

To explain: i need to do something like what's describe here https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=002768&lang=EN on a GS1920 via mac authentication on a radius server.

Zyxel小編 Lucious

Hi @Micky,

As per our discussion in PM.
We've figured out your request as MAC-Authentication with Dynamic VLAN assignment.
That is, when host connects a certain port, switch will use host's MAC address as user credential to submit to RADIUS Server and get the VLAN ID attribute belongs specific user.

Unfortunately our switch does not support such feature for now.
We will surely add it to the roadmap and have an implementation plan on our GS2210 (and above) series switch.
In the meantime, we will put this feature to "Idea" discussion.

Kindly let us know if you have any suggestion, your participation will surely make our forum and product better and better.

Sincerely,
Zyxel_Lucious

Username_is_reserved

How about now?

I want buy some GS2210 Series for Home.

Zyxel_Derrick

Hi @Username_is_reserved

Welcome to Zyxel community

About this feature, we have planned to enhance on the newer model which will replace GS2210 series in the near future

Thanks

Best regards,

Zyxel_Derrick

Username_is_reserved

When does the new Switch come?

Will the Support Stacking and a "local" (non Cloud) centralized Management?

So its better to wait.

Zyxel_Derrick

Hi @Username_is_reserved

Based on your description, you need stacking and dynamic VLAN assignment

May I know the "stacking" you have mentioned refers to iStacking or physical stacking?

If you refer to physical stacking, we think XGS2210 series may meet your requirement

This model can supports both iStacking and physical stacking

However, XGS2210 series so far doesn't support dynamic VLAN assignment

We have already put this feature in our feature queue

Since it is a long term enhancement, we will enhance this feature model by model

Thanks

Best regards,

Zyxel_Derrick