Switch Authentication with both External Radius and Nebula Cloud?

SkyGoat

On the Site-wide > Configure > Switches > Authentication page, it is only possible to select "Nebula cloud authentication" or "External radius server".

I would like to use the External radius server to authenticate domain connected computers and then use the Nebula cloud authentication to add MAC addresses for any other devices like printers and CCTV.

I know if I select External radius server I can then create multiple authentication policies, but adding MAC addresses via Nebula Cloud Authentication is a lot easier and faster.

Is there any way to enable both External radius server and Nebula cloud authentication at the same time?

Zyxel_Melen

Hi @SkyGoat,

MAC-Authentication with Dynamic VLAN assignment feature needs the switch that supports the Compound Authentication feature. And since Nebula does not support the Compound Authentication feature currently. Therefore, no Zyxel Nebula switch can configure MAC-Authentication with Dynamic VLAN assignment feature on Nebula currently.

In addition, GS1920 does not support Compound Authentication, so you cannot configure MAC-Authentication with Dynamic VLAN assignment.

Zyxel_Melen

Hi @SkyGoat,

Could you share the reason you want to use both at the same time? From our experience, we prefer to maintain the authentication database on one platform.

SkyGoat

The Nebula Cloud Authentication works well, but it would be good to be able to use the external radius server / 802.1x to automatically authenticate domain connected computers, as it's more secure and avoids the need to manually add the MAC address of every new computer to the allowed list.

But I still need to use MAC authentication to allow non 802.1x devices to connect e.g. Printers. The Nebula Cloud Authentication makes adding a MAC address very easy. The alternative method, using an external Radius server to maintain an allowed MAC address list, takes more effort and time - I'm using Microsoft NPS, so creating a user in active directory with the MAC address as the username.

I have a 2nd related question. If I'm using the external radius server option, I can define multiple authentication policies. I have two - one for MAC-Base authentication and second for 802.1.x….

…then each switch port I can only choose one of the authentication types.

This means that I need to know what type of device is connected to each switch port and set the correct authentication policy i.e. Set it to 802.1x if I have a domain connected PC connected, or set it to MAC-Base for anything else.

Some other vendors support MAC Authentication Bypass (MAB), where when a device is connected, the switch will attempt to authenticate it with 802.1x first, if that fails it will then try to authenticate it using the MAC, and if that also fails the device is prevented from connecting.

It would be good if Nebula supported this, as it would mean each switch port could just be set to authenticate the connected device and remove the need to manually change the authentication policy on each port.

This would also apply to my original question about using the external radius server for 802.1x along with Nebula Cloud for MAC authentications. The switch would need to authenticate a device via Radius/802.1x first and if that failed, then attempt to authenticate the MAC against Nebula Cloud.

Zyxel_Melen

Hi @SkyGoat,

I have help you create an idea post for the first request.

https://community.zyxel.com/en/discussion/23555/nebula-switch-authentication-allow-to-use-both-external-radius-and-nebula-cloud

For the second request, may I know which switch model you are using?

The second request seems to require the switch to support the Compound Authentication feature, so we would like to clarify the switch model you are using.

SkyGoat

Hi Melen,

I am using the GS1920 switches.

SkyGoat

I found this document which explains the Compound Authentication, feature.

https://us.v-cdn.net/6029482/uploads/editor/lr/zjqhtlmnigbp.pdf

Yes, what I would like is the Compound Authentication in Loose mode (clients need to pass EITHER 802.1x or MAC authentication to access network).

But it seems the GS1920 range doesn't support it?

https://community.zyxel.com/en/discussion/21333/what-is-the-authentication-behavior-in-switches-without-compound-authentication

This pages suggests only the GS2220, XGS2210, and XGS2220 support it in standalone mode.

https://community.zyxel.com/en/discussion/12380/how-to-implement-compound-authentication-with-dynamic-vlan-assignment

Does any switch support Compound Authentication in Nebula mode?

Is the GS1920 range ever likely to support Compound Authentication when running in Nebula mode?

Zyxel_Melen

Hi @SkyGoat,

Thanks for your information.

You are correct. The GS1920 does not support the Compound Authentication feature. In addition, GS1920 won't support the Compound Authentication feature when it is in Nebula mode due to the product positioning.

Currently, because Nebula doesn't provide the Compound Authentication feature, those models that support the Compound Authentication feature cannot apply it on Nebula.

I have helped to create an idea post "Nebula Switch Authentication supports Compound Authentication configuration".

https://community.zyxel.com/en/discussion/24089/nebula-switch-authentication-supports-compound-authentication-configuration

We will monitor the comments and the votes on this idea and evaluate it. If anyone likes this idea, please feel free to leave your comment and give it a vote.

SkyGoat

Although I am disappointed by your confirmation 😪, thank you for the reply Melen.

I have another related question. I suspect I already know the answer to it 😆
Using Microsoft Network Policy Server (NPS) I can configure authenticated devices to be forced onto a specific VLAN.

This works great when the switch port is set to authenticate the device using 802.1x. Domain connected computers can be connected and forced to a specific VLAN no matter which port on a switch they connect to (as long as the switch ports are correctly configured).

For non 802.1x capable devices, I am using NPS to authenticate the device via it's MAC address by creating a user account in active directory, as outlined at this link

https://support.zyxel.eu/hc/en-us/articles/4413557873810-Zyxel-Network-Switch-XGS-GS2xxx-Configure-MAC-Authentification-with-Active-Directory-on-Zyxel-Switches#h_01FQK6B3EHTGE4KT9EJNP0M5W4

This part also works. I am able to authenticate devices by their MAC address.

The problem is the MAC authenticated device ignores the VLAN Radius attributes and always ends up on the VLAN set via the PVID setting on the switch port.

What I am looking for is MAC-Authentication (via either external radius server or Zyxel Cloud Authentication) with Dynamic VLAN assignment. I've found this thread from way back in 2018 were someone has already uncovered the same problem…

https://community.zyxel.com/en/discussion/1565/is-there-a-way-to-configure-802-1x-mac-based-on-a-gs1920

Zyxel小編 Lucious replied in that thread
"We've figured out your request as MAC-Authentication with Dynamic VLAN assignment.
That is, when host connects a certain port, switch will use host's MAC address as user credential to submit to RADIUS Server and get the VLAN ID attribute belongs specific user.

Unfortunately our switch does not support such feature for now.
We will surely add it to the roadmap and have an implementation plan on our GS2210 (and above) series switch."

Question - Is it still the case that MAC-Authentication with Dynamic VLAN assignment doesn't exist on any Zyxel Nebula switch?

Zyxel_Melen

Hi @SkyGoat,

MAC-Authentication with Dynamic VLAN assignment feature needs the switch that supports the Compound Authentication feature. And since Nebula does not support the Compound Authentication feature currently. Therefore, no Zyxel Nebula switch can configure MAC-Authentication with Dynamic VLAN assignment feature on Nebula currently.

In addition, GS1920 does not support Compound Authentication, so you cannot configure MAC-Authentication with Dynamic VLAN assignment.