How to allow RADIUS admin to login the switch? (by Windows Server)

Zyxel_Adam Posts: 430  Zyxel Employee
edited July 2024 in Network Security

The following example covers only the settings needed on the NPS of Windows Server 2019. If you have not finished the switch settings yet, please see this article to complete them first.

Topology

(network topology diagram)

Configuration of NPS

1. Add the switch as a RADIUS client with address 10.214.36.29 and shared secret 12345678.

2. Create your user account in "Active Directory Users and Computers". We will use zyuser as an example.

3. Add the Service-Type attribute with value Login to the NPS network policy.

(screenshot: Service-Type = Login)

(Make sure the login account (zyuser) is a member of the Windows group you specified in the Conditions tab of the NPS policy.)

4. On the same network policy, create a new Vendor-Specific string attribute “Zyxel-Privilege-AVPair” with attribute number “3”. The vendor ID of Zyxel is “890”.

Zyxel-Privilege-AVPair (3): shell:priv-lvl=14
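As an added example (not from the original post), the following Python encodes the Vendor-Specific attribute from step 4 exactly as it appears on the wire and parses it back out of an Access-Accept attribute list, which is what you compare against when checking the reply packet from the Windows Server. The sample attribute bytes are constructed, and the Service-Type = Login attribute is assumed to be the one added in step 3.

```python
import struct

VENDOR_SPECIFIC = 26            # RADIUS attribute type Vendor-Specific (RFC 2865)
ZYXEL_VENDOR_ID = 890           # vendor ID from step 4
ZYXEL_PRIVILEGE_AVPAIR = 3      # vendor attribute number from step 4


def encode_zyxel_priv_vsa(priv_lvl: int) -> bytes:
    """Type(26) | Length | Vendor-Id(890) | Vendor-Type(3) | Vendor-Length | String."""
    value = f"shell:priv-lvl={priv_lvl}".encode("ascii")
    vendor_part = struct.pack("!BB", ZYXEL_PRIVILEGE_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", ZYXEL_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(attrs: bytes):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header)."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def zyxel_priv_lvl(attrs: bytes):
    """Privilege level carried in Zyxel-Privilege-AVPair, or None if absent or malformed."""
    for atype, data in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != ZYXEL_VENDOR_ID:
            continue
        sub = data[4:]                      # one VSA may hold several vendor sub-attributes
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break
            if vtype == ZYXEL_PRIVILEGE_AVPAIR:
                text = sub[2:vlen].decode("ascii", errors="replace")
                if text.startswith("shell:priv-lvl="):
                    try:
                        return int(text.split("=", 1)[1])
                    except ValueError:
                        return None
            sub = sub[vlen:]
    return None


# Constructed sample: Access-Accept attributes as NPS sends them after steps 3 and 4.
SAMPLE_ACCEPT_ATTRS = bytes([6, 6, 0, 0, 0, 1]) + encode_zyxel_priv_vsa(14)  # Service-Type=Login + VSA
```

If `zyxel_priv_lvl()` returns None on a captured Access-Accept, the policy matched but the Vendor-Specific attribute was not sent (or the vendor ID or attribute number is wrong).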

Verifications:

  • Telnet or SSH from the client to the switch and log in as zyuser.
  • Check the reply packet from the Windows Server.

What could go wrong

1. If authentication always fails, check the Event Viewer on the Windows Server to find the reason. For instance:

2. Unencrypted authentication (PAP, SPAP) must be enabled under the Constraints tab of the network policy.

(screenshot: Network Policies > Constraints)

Adam