How to allow RADIUS admin to login the switch? (by TekRADIUS)

Zyxel_Melen
Zyxel_Melen Posts: 3,244  Zyxel Employee
Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
edited January 2024 in Network Security

Scenario

Some users might prefer to use RADIUS server to manage the access control for the network devices, Zyxel switch provides users to use RADIUS server to authenticate the switch login. This FAQ will use GS2220 and TekRADIUS for example.

Topology

1.png

Configuration

V4.70 version firmware:

  1. Navigate to Advanced Application > AAA > RADIUS Server Setup to configure the authentication Server.
    2.png
  2. Navigate to Advanced Application > AAA > AAA Setup to configure “Authentication” and “Authorization.”
    Authentication > Login should set radius in method 1, and method 2 can be “-” or “local.”
    Authorization > Exec should be active and set method as radius.
    3.png

V4.80 version firmware:

  1. Navigate to Security > AAA > RADIUS Server Setup to configure the authentication Server.
    4.png
  2. Navigate to Advanced Application > AAA > AAA Setup to configure “Authentication” and “Authorization.”
    Authentication > Login should set radius in method 1, and method 2 can be “-” or “local.”
    Authorization > Exec should be active and set method as radius. V4.80 firmware supports server key encryption; the shared secret will be stored on the Switch in an encrypted format and displayed as ‘*’ in the SECURITY > AAA > RADIUS Server Setup and SECURITY > AAA > TACACS+ Server Setup screens. Users can consider enabling it to prevent shared secrets from being exposed.
    5.png

TekRADIUS part:

Setup TekRADIUS:

  1. Set RADIUS client: 192.168.1.1 with shared key 12345678.
    6.png
  2. Create a new account “zyuser” and its password “1234”.
    7.png
  3. Add attribute “service-type” with type “Success-Reply“ and value “login” to zyuser.
    7.7.png
  4. Create a new attribute string: “Zyxel-Privilege-AVPair” whose attribute ID is “3”. The vendor ID of Zyxel is “890”.
    8.png
  5. Add the attribute string “Zyxel-Privilege-AVPair” with type “Success-Reply” and value “shell:priv-lvl=14” to zyuser.
  6. 9.png

Verify

  1. Client can access the telnet session on the Switch:
    10.png
  2. Client accesses the Switch via console.
    11.png 12.png
  3. Capture RADIUS packets on RADIUS Server side.
    13.png
    • RADIUS request from Client
      14.png
    • RADIUS accepts from Server
      15.png
Zyxel Melen


Categories

Switch FAQ Tag

EnglishTiếng ViệtРусскийไทย中文(台灣)