Where is NAS-ID hiding?

sknott
edited November 2023 in Nebula

Trying to configure the NAS-ID value for use with our RADIUS server - have Nebula and Pro Pack licence and even activated a trial of MSP - can't find it anywhere despite the Nebula Pro licensing table (RADIUS NAS ID customizable).

Anyone know where this feature is hiding please??

https://www.zyxel.com/library/assets/products/nebula_control_center/ProPlus_Features_Full_List.pdf

All Replies

  • sknott

    Ok so I've found something - if I turn off authenticating using WPA Enterprise with WPA2 and My RADIUS server and instead choose open with a Sign-in method and use My RADIUS server, I can then specify a NAS identifier.

    I can't believe we can't specify the NAS Identifier for use on 802.1X authenticated networks.

    Basically I need a way of authenticating users and authorizing them to certain SSIDs using our NPS Radius server.

    HP Aruba lets us do this, as does Ruckus. Ruckus also allows us to return a vendor code from NPS that is a role name that can then be used to determine which SSIDs the user is allowed on.

    Any ideas anyone if Nebula can do the same??

  • Zyxel_Judy
    Zyxel_Judy Posts: 877  Zyxel Employee

    Hi @sknott ,

    You can specify the NAS Identifier for use on 802.1X authenticated networks, as shown in the screen below.

    It is assumed that initially you were unable to see the RADIUS NAS ID option because WPA Enterprise with My RADIUS server and the Sign-in method Sign-on with My RADIUS server were enabled simultaneously, which is incompatible.

    Judy

  • sknott

    I've been able to work around this issue by using the Called-Station-ID value that Zyxel does supply to NPS. The value Zyxel supplies is the MAC Address with the SSID - in NPS RADIUS I can set a condition to look at the Called-Station-ID and using a regexp match the string based on the SSID.

    For instance, in NPS I can match the end of the Called-Station-ID with StaffWifi$ - the $ telling NPS that what precedes should be at the end of the supplied value.

    So RADIUS Authentication and Authorization with Microsoft NPS Server - fixed.

    New Problem is RADIUS Accounting. We need to send RADIUS accounting information through to our Smoothwall Web Filter to associate the RADIUS Authenticated user with the web filter - Ruckus and Aruba do this no problem however Zyxel only seems to send through the authenticated user and not their IP address as well.

    Any ideas on how to solve this?
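
The Called-Station-ID condition from the post above, checked against constructed values (an added example, not part of the original post and not NPS or Zyxel code). It assumes the RFC 3580 layout `<AP MAC>:<SSID>` and uses Python's regex syntax as a stand-in for NPS pattern matching; it shows that a pattern anchored only at the end also accepts any other SSID with the same suffix, while a pattern anchored on the MAC prefix does not.

```python
import re

# Assumed layout (RFC 3580 convention): "<AP MAC>:<SSID>".
MAC = r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}"
CALLED_STATION = re.compile(r"^(?P<mac>" + MAC + r"):(?P<ssid>.+)$")

# Constructed Called-Station-Id values, not taken from a real deployment.
SAMPLES = [
    "AA-BB-CC-00-11-22:StaffWifi",
    "AA-BB-CC-00-11-22:GuestStaffWifi",
    "AA-BB-CC-00-11-22:Lab:StaffWifi",
    "AA-BB-CC-00-11-22:StaffWifi-Guest",
    "AA-BB-CC-00-11-22",                 # no SSID appended
]

def ssid_of(value):
    """Return the SSID part of a Called-Station-Id, or None if absent."""
    m = CALLED_STATION.match(value)
    return m.group("ssid") if m else None

def suffix_rule(ssid):
    """Condition as described in the post: anchored at the end only."""
    return re.compile(re.escape(ssid) + r"$")

def full_rule(ssid):
    """Tighter condition: whole value is MAC, separator, then the SSID."""
    return re.compile(r"^" + MAC + r":" + re.escape(ssid) + r"$")

def overmatches(rule, intended_ssid, values):
    """Values the rule accepts although their SSID is not the intended one."""
    return [v for v in values
            if rule.search(v) and ssid_of(v) != intended_ssid]

if __name__ == "__main__":
    for name, rule in (("suffix", suffix_rule("StaffWifi")),
                       ("full", full_rule("StaffWifi"))):
        print(name, "rule over-matches:",
              overmatches(rule, "StaffWifi", SAMPLES))
```
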

  • sknott

    I'm almost convinced now that the Zyxel APs aren't waiting for the RADIUS Authentication to complete before sending their request for RADIUS accounting.

    Can you confirm if this is the case?

  • sknott

    So to further define the situation and problem.

    We are authenticating users via 802.1X Enterprise with the user supplying their username and password to join the network. We also want to use Radius Accounting so that their accounting information is passed to our web filter (smoothwall).

    In our web filter we can see that the username is logged however the IP address of the user is simply 0.0.0.0

    We use HP Aruba and Ruckus WiFi systems in this way and have no difficulties.

    Any ideas why Zyxel is struggling?

  • sknott

    I'm speculating that the Framed-IP-Address is missing from the request to the accounting server (Smoothwall).
    https://help.smoothwall.net/FilterFirewall/Content/4Services/1Authentication/8BYOD/BYOD.htm

    Can anyone confirm if this is the case?

  • Zyxel_Judy
    Zyxel_Judy Posts: 877  Zyxel Employee

    Hi @sknott ,

    There is a Framed-IP-Address field in the request to the accounting server; however, the Framed-IP-Address (Client IP) in the accounting start packet is 0.0.0.0 because of the workflow: after the 802.1X authentication, the next step is accounting start and DHCP discover. When accounting start is processed, the client has not gotten an IP address yet, so 0.0.0.0 as client AP is the normal result. At present, we do not support recording the real client's IP address in the Framed-IP-Address field in accounting start packets.

    However, we already support recording the real client IP address (Framed-IP-Address field) in the accounting stop packet.

    Regarding the requirement to support recording the real client's IP address in the Framed-IP-Address field in accounting start packets, we'll evaluate it carefully and update you.

    Judy
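
The packet sequence described in the reply above, worked through on constructed accounting records (an added example, not Zyxel or Smoothwall code). It correlates records by Acct-Session-Id and shows that a user-to-IP binding only becomes available from the Stop record, so sessions that are still open have no usable address; the record layout and all values are assumptions.

```python
UNSET_IP = "0.0.0.0"

# Constructed records; attribute names are standard RADIUS accounting attributes.
RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "s1",
     "User-Name": "alice", "Framed-IP-Address": "0.0.0.0"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "s2",
     "User-Name": "bob", "Framed-IP-Address": "0.0.0.0"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "s1",
     "User-Name": "alice", "Framed-IP-Address": "10.20.0.15"},
]

def correlate(records):
    """Build per-session state, ignoring the 0.0.0.0 placeholder address."""
    sessions = {}
    for rec in records:
        state = sessions.setdefault(
            rec["Acct-Session-Id"],
            {"user": rec.get("User-Name"), "ip": None,
             "ip_from": None, "open": False},
        )
        kind = rec["Acct-Status-Type"]
        if kind == "Start":
            state["open"] = True
        elif kind == "Stop":
            state["open"] = False
        ip = rec.get("Framed-IP-Address")
        if ip and ip != UNSET_IP:
            # Remember which record type supplied the real address.
            state["ip"], state["ip_from"] = ip, kind
    return sessions

def live_without_ip(sessions):
    """Open sessions for which no real client address has been reported."""
    return sorted(sid for sid, s in sessions.items()
                  if s["open"] and s["ip"] is None)

if __name__ == "__main__":
    result = correlate(RECORDS)
    for sid, state in result.items():
        print(sid, state)
    print("open sessions with no client IP:", live_without_ip(result))
```
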

  • Zyxel_Judy
    Zyxel_Judy Posts: 877  Zyxel Employee

    Hi @sknott ,

    The requirement for the client IP of Framed-IP-Address in the accounting start packet has been raised. Please stay informed about any new features and enhancements by following our official website.

    Judy
