How to allow a RADIUS admin to log in to the switch?

Zyxel_Melen
Zyxel Employee





Scenario
Some users prefer to manage access control for their network devices through a RADIUS server. Zyxel switches can use a RADIUS server to authenticate switch logins. This FAQ uses the GS2220 and TekRADIUS as an example.
Topology
Configuration
V4.70 version firmware:
- Navigate to Advanced Application > AAA > RADIUS Server Setup to configure the authentication server.
- Navigate to Advanced Application > AAA > AAA Setup to configure “Authentication” and “Authorization.”
Authentication > Login: set method 1 to radius; method 2 can be “-” or “local.”
Authorization > Exec: set it to active and set the method to radius.
V4.80 version firmware:
- Navigate to Security > AAA > RADIUS Server Setup to configure the authentication server.
- Navigate to Advanced Application > AAA > AAA Setup to configure “Authentication” and “Authorization.”
Authentication > Login: set method 1 to radius; method 2 can be “-” or “local.”
Authorization > Exec: set it to active and set the method to radius.
V4.80 firmware supports server key encryption: the shared secret is stored on the Switch in an encrypted format and displayed as ‘*’ in the SECURITY > AAA > RADIUS Server Setup and SECURITY > AAA > TACACS+ Server Setup screens. Consider enabling it to prevent shared secrets from being exposed.
TekRADIUS part:
Set up TekRADIUS:
- Set RADIUS client: 192.168.1.1 with shared key 12345678.
- Create a new account “zyuser” and its password “1234”.
- Add attribute “service-type” with type “Success-Reply” and value “login” to zyuser.
- Create a new attribute string: “Zyxel-Privilege-AVPair”. The vendor ID is “890”, and the attribute ID vendor type is “3”.
- Add the attribute string “Zyxel-Privilege-AVPair” with type “Success-Reply” and value “shell:priv-lvl=14” to zyuser.
Verify
- Client can access the telnet session on the Switch:
- Client accesses the Switch via console.
- Capture RADIUS packets on RADIUS Server side.
- RADIUS request from Client
- RADIUS accepts from Server
- RADIUS request from Client
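When checking the capture from the Verify step, the reply from the server should carry Service-Type = Login and the Zyxel-Privilege-AVPair configured above. The following Python example is added here and is not part of the original FAQ or Zyxel's code; it decodes an Access-Accept attribute block and extracts both values. It assumes the Vendor-Specific layout recommended by RFC 2865; the function names and sample bytes are constructed for illustration.

```python
import struct

ZYXEL_VENDOR_ID = 890      # vendor ID from the FAQ
ZYXEL_PRIV_AVPAIR = 3      # vendor type of Zyxel-Privilege-AVPair from the FAQ
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26   # RFC 2865 attribute types
SERVICE_TYPE_LOGIN = 1     # RFC 2865 Service-Type value "Login"


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def iter_tlv(buf):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def check_reply(attrs):
    """Return (service_type_is_login, priv_lvl or None) for an Access-Accept."""
    is_login, priv = False, None
    for atype, value in iter_tlv(attrs):
        if atype == SERVICE_TYPE and len(value) == 4:
            is_login = struct.unpack("!I", value)[0] == SERVICE_TYPE_LOGIN
        elif atype == VENDOR_SPECIFIC and len(value) > 6:
            if struct.unpack("!I", value[:4])[0] != ZYXEL_VENDOR_ID:
                continue  # another vendor's VSA grants nothing here
            for vtype, vval in iter_tlv(value[4:]):
                text = vval.decode("ascii", "replace")
                if vtype == ZYXEL_PRIV_AVPAIR and text.startswith("shell:priv-lvl="):
                    priv = int(text.split("=", 1)[1])
    return is_login, priv


# Constructed sample: the attributes the TekRADIUS setup above should return.
SAMPLE = (bytes([SERVICE_TYPE, 6]) + struct.pack("!I", SERVICE_TYPE_LOGIN)
          + build_vsa(ZYXEL_VENDOR_ID, ZYXEL_PRIV_AVPAIR, b"shell:priv-lvl=14"))

if __name__ == "__main__":
    print(check_reply(SAMPLE))
```

To use it on a real capture, pass the bytes that follow the 20-byte RADIUS header of the reply packet to `check_reply`.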