How to allow RADIUS admin to login the switch?

Zyxel_Melen

Scenario

Some users prefer to use a RADIUS server to manage access control for their network devices, and Zyxel switches can authenticate switch logins against a RADIUS server. This FAQ uses a GS2220 and TekRADIUS as the example.

Topology

Configuration

V4.70 version firmware:

  1. Navigate to Advanced Application > AAA > RADIUS Server Setup to configure the authentication server.
  2. Navigate to Advanced Application > AAA > AAA Setup to configure “Authentication” and “Authorization.”
    Under Authentication > Login, set method 1 to radius; method 2 can be “-” or “local.”
    Under Authorization > Exec, set it to active and set the method to radius.

V4.80 version firmware:

  1. Navigate to Security > AAA > RADIUS Server Setup to configure the authentication server.
  2. Navigate to Advanced Application > AAA > AAA Setup to configure “Authentication” and “Authorization.”
    Under Authentication > Login, set method 1 to radius; method 2 can be “-” or “local.”
    Under Authorization > Exec, set it to active and set the method to radius.
    V4.80 firmware also supports server key encryption: the shared secret is stored on the Switch in encrypted form and displayed as ‘*’ in the SECURITY > AAA > RADIUS Server Setup and SECURITY > AAA > TACACS+ Server Setup screens. Consider enabling it so the shared secret is not exposed in the configuration.

TekRADIUS part:

Setup TekRADIUS:

  1. Set the RADIUS client to 192.168.1.1 with shared secret 12345678.
  2. Create a new account “zyuser” with password “1234”.
  3. Add the attribute “Service-Type” with type “Success-Reply” and value “Login” to zyuser.
  4. Create a new string attribute “Zyxel-Privilege-AVPair”. The vendor ID is “890”, and the vendor type (attribute ID) is “3”.
  5. Add the attribute “Zyxel-Privilege-AVPair” with type “Success-Reply” and value “shell:priv-lvl=14” to zyuser.

Verify

  1. The client can log in to the Switch over Telnet.
  2. The client can log in to the Switch via the console.
  3. Capture RADIUS packets on the RADIUS server side and confirm both directions:
    • RADIUS Access-Request from the client
    • RADIUS Access-Accept from the server
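To know what to look for in that capture, here is an added example (not from this post and not Zyxel's or TekRADIUS's code) that encodes the two attributes the zyuser account returns, Service-Type = Login and the Zyxel-Privilege-AVPair vendor-specific attribute (vendor ID 890, vendor type 3, value shell:priv-lvl=14), in RFC 2865 wire format and parses them back out of an Access-Accept attribute list. The function names and the sample bytes are my own construction.

```python
import struct

ZYXEL_VENDOR_ID = 890        # Zyxel vendor ID, as given in the TekRADIUS steps
ZYXEL_PRIV_AVPAIR_TYPE = 3   # vendor type of Zyxel-Privilege-AVPair, as given above
ATTR_SERVICE_TYPE = 6        # RFC 2865 Service-Type
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
SERVICE_TYPE_LOGIN = 1       # RFC 2865 Service-Type value "Login"
PRIV_PREFIX = b"shell:priv-lvl="


def encode_service_type(value: int) -> bytes:
    """Service-Type attribute: type, length (always 6), 32-bit value."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_zyxel_priv_avpair(avpair: str) -> bytes:
    """Vendor-Specific attribute carrying one Zyxel sub-attribute (RFC 2865 section 5.26)."""
    data = avpair.encode("ascii")
    # vendor-type, vendor-length (includes these two bytes), string
    sub = struct.pack("!BB", ZYXEL_PRIV_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", ZYXEL_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list (type, length, value)."""
    i = 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        yield t, blob[i + 2:i + length]
        i += length


def login_grant_from_accept(attrs: bytes):
    """Return (service_type_is_login, priv_lvl or None) from Access-Accept attributes."""
    service_login, level = False, None
    for t, v in parse_attributes(attrs):
        if t == ATTR_SERVICE_TYPE and struct.unpack("!I", v)[0] == SERVICE_TYPE_LOGIN:
            service_login = True
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == ZYXEL_VENDOR_ID:
            for vt, vv in parse_attributes(v[4:]):  # sub-attributes after the vendor ID
                if vt == ZYXEL_PRIV_AVPAIR_TYPE and vv.startswith(PRIV_PREFIX):
                    level = int(vv[len(PRIV_PREFIX):])
    return service_login, level


if __name__ == "__main__":
    # Constructed Access-Accept attribute list matching the zyuser account above.
    accept = encode_service_type(SERVICE_TYPE_LOGIN) + encode_zyxel_priv_avpair("shell:priv-lvl=14")
    print(accept.hex(), login_grant_from_accept(accept))
```

Compare the hex with the Vendor-Specific attribute in the captured Access-Accept: the bytes 00 00 03 7a (vendor 890) followed by 03 13 and the ASCII of shell:priv-lvl=14 should be present.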



Zyxel Melen