Switch Authentication with both External Radius and Nebula Cloud?

SkyGoat Posts: 15  Freshman Member
edited June 13 in Nebula

On the Site-wide > Configure > Switches > Authentication page, it is only possible to select "Nebula cloud authentication" or "External radius server".

I would like to use the External radius server to authenticate domain connected computers and then use the Nebula cloud authentication to add MAC addresses for any other devices like printers and CCTV.

I know if I select External radius server I can then create multiple authentication policies, but adding MAC addresses via Nebula Cloud Authentication is a lot easier and faster.

Is there any way to enable both External radius server and Nebula cloud authentication at the same time?

Accepted Solution

  • Zyxel_Melen Posts: 1,909  Zyxel Employee
    Answer ✓

    Hi @SkyGoat,

    The MAC-Authentication with Dynamic VLAN assignment feature needs a switch that supports the Compound Authentication feature, and Nebula does not support the Compound Authentication feature currently. Therefore, no Zyxel Nebula switch can configure the MAC-Authentication with Dynamic VLAN assignment feature on Nebula currently.

    In addition, GS1920 does not support Compound Authentication, so you cannot configure MAC-Authentication with Dynamic VLAN assignment.

All Replies

  • Zyxel_Melen Posts: 1,909  Zyxel Employee

    Hi @SkyGoat,

    Could you share the reason you want to use both at the same time? From our experience, we prefer to maintain the authentication database on one platform.

  • SkyGoat Posts: 15  Freshman Member
    edited June 14

    The Nebula Cloud Authentication works well, but it would be good to be able to use the external radius server / 802.1x to automatically authenticate domain connected computers, as it's more secure and avoids the need to manually add the MAC address of every new computer to the allowed list.

    But I still need to use MAC authentication to allow non-802.1x devices to connect, e.g. printers. The Nebula Cloud Authentication makes adding a MAC address very easy. The alternative method, using an external Radius server to maintain an allowed MAC address list, takes more effort and time - I'm using Microsoft NPS, so creating a user in Active Directory with the MAC address as the username.

    I have a second related question. If I'm using the external radius server option, I can define multiple authentication policies. I have two - one for MAC-Base authentication and a second for 802.1x…

    …then each switch port I can only choose one of the authentication types.

    This means that I need to know what type of device is connected to each switch port and set the correct authentication policy, i.e. set it to 802.1x if I have a domain connected PC connected, or set it to MAC-Base for anything else.

    Some other vendors support MAC Authentication Bypass (MAB), where, when a device is connected, the switch first attempts to authenticate it with 802.1x; if that fails it then tries to authenticate it using the MAC address, and if that also fails the device is prevented from connecting.

    It would be good if Nebula supported this, as it would mean each switch port could just be set to authenticate the connected device and remove the need to manually change the authentication policy on each port.

    This would also apply to my original question about using the external radius server for 802.1x along with Nebula Cloud for MAC authentications. The switch would need to authenticate a device via Radius/802.1x first and if that failed, then attempt to authenticate the MAC against Nebula Cloud.

  • Zyxel_Melen Posts: 1,909  Zyxel Employee

    Hi @SkyGoat,

    I have helped you create an idea post for the first request.

    For the second request, may I know which switch model you are using?

    The second request seems to require the switch to support the Compound Authentication feature, so we would like to clarify the switch model you are using.

  • SkyGoat Posts: 15  Freshman Member

    Hi Melen,

    I am using the GS1920 switches.

  • SkyGoat Posts: 15  Freshman Member
    edited July 3

    I found this document which explains the Compound Authentication feature.

    https://us.v-cdn.net/6029482/uploads/editor/lr/zjqhtlmnigbp.pdf

    Yes, what I would like is the Compound Authentication in Loose mode (clients need to pass EITHER 802.1x or MAC authentication to access network).

    But it seems the GS1920 range doesn't support it?

    This page suggests only the GS2220, XGS2210, and XGS2220 support it in standalone mode.

    Does any switch support Compound Authentication in Nebula mode?

    Is the GS1920 range ever likely to support Compound Authentication when running in Nebula mode?

  • Zyxel_Melen Posts: 1,909  Zyxel Employee

    Hi @SkyGoat,

    Thanks for your information.

    You are correct. The GS1920 does not support the Compound Authentication feature. In addition, GS1920 won't support the Compound Authentication feature when it is in Nebula mode due to the product positioning.

    Currently, because Nebula doesn't provide the Compound Authentication feature, those models that support the Compound Authentication feature cannot apply it on Nebula.

    I have helped to create an idea post "Nebula Switch Authentication supports Compound Authentication configuration".

    We will monitor the comments and the votes on this idea and evaluate it. If anyone likes this idea, please feel free to leave your comment and give it a vote.

  • SkyGoat Posts: 15  Freshman Member

    Although I am disappointed by your confirmation 😪, thank you for the reply Melen.

    I have another related question. I suspect I already know the answer to it 😆
    Using Microsoft Network Policy Server (NPS) I can configure authenticated devices to be forced onto a specific VLAN.

    This works great when the switch port is set to authenticate the device using 802.1x. Domain connected computers can be connected and forced to a specific VLAN no matter which port on a switch they connect to (as long as the switch ports are correctly configured).

    For non-802.1x capable devices, I am using NPS to authenticate the device via its MAC address by creating a user account in Active Directory, as outlined at this link

    https://support.zyxel.eu/hc/en-us/articles/4413557873810-Zyxel-Network-Switch-XGS-GS2xxx-Configure-MAC-Authentification-with-Active-Directory-on-Zyxel-Switches#h_01FQK6B3EHTGE4KT9EJNP0M5W4

    This part also works. I am able to authenticate devices by their MAC address.

    The problem is the MAC authenticated device ignores the VLAN Radius attributes and always ends up on the VLAN set via the PVID setting on the switch port.

    What I am looking for is MAC-Authentication (via either external radius server or Zyxel Cloud Authentication) with Dynamic VLAN assignment. I've found this thread from way back in 2018 where someone has already uncovered the same problem…

    Zyxel小編 Lucious replied in that thread:
    "We've figured out your request as MAC-Authentication with Dynamic VLAN assignment.
    That is, when a host connects to a certain port, the switch will use the host's MAC address as the user credential to submit to the RADIUS server and get the VLAN ID attribute that belongs to the specific user.

    Unfortunately our switch does not support such a feature for now.
    We will surely add it to the roadmap and have an implementation plan on our GS2210 (and above) series switch."

    Question - Is it still the case that MAC-Authentication with Dynamic VLAN assignment doesn't exist on any Zyxel Nebula switch?
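The fallback order SkyGoat describes for MAB / Compound Authentication in loose mode (802.1x first, then MAC authentication, then deny) and the dynamic VLAN problem from the last post, modelled in a small Python example. This is an added illustration, not code from Zyxel, Nebula or NPS: the RADIUS user table, the MAC and identity values and the `Port` flag that switches dynamic VLAN on or off for MAC-authenticated clients are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the RADIUS server's user database (e.g. NPS backed by AD).
# For MAC authentication the username is the MAC address itself, as in the thread.
# A dynamic VLAN comes back as the standard RADIUS tunnel attribute triple:
# Tunnel-Type=13 (VLAN), Tunnel-Medium-Type=6 (IEEE 802), Tunnel-Private-Group-ID=<vlan>.
RADIUS_USERS = {
    "host/pc01.example.local": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                                "Tunnel-Private-Group-ID": "20"},
    "00-11-22-33-44-55": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                          "Tunnel-Private-Group-ID": "30"},
}

def radius_lookup(username):
    """Return the Access-Accept attributes for a username, or None for Access-Reject."""
    return RADIUS_USERS.get(username)

def vlan_from_attributes(attrs):
    """Extract the VLAN ID only when the full tunnel triple is present and well formed."""
    if attrs.get("Tunnel-Type") == 13 and attrs.get("Tunnel-Medium-Type") == 6:
        try:
            return int(attrs["Tunnel-Private-Group-ID"])
        except (KeyError, ValueError):
            return None
    return None

@dataclass
class Port:
    pvid: int
    # False models the behaviour reported in the thread: MAC-authenticated clients
    # ignore the VLAN attributes and land on the port's PVID.
    mac_auth_dynamic_vlan: bool = False

def authenticate(port, mac, dot1x_identity=None):
    """Loose-mode compound authentication: 802.1x first, then MAC auth, else deny.
    Returns (method, vlan) for an accepted client or ("deny", None)."""
    if dot1x_identity is not None:          # supplicant present: try 802.1x
        attrs = radius_lookup(dot1x_identity)
        if attrs is not None:
            return "802.1x", vlan_from_attributes(attrs) or port.pvid
    attrs = radius_lookup(mac)              # no supplicant or 802.1x rejected: MAC auth
    if attrs is not None:
        vlan = vlan_from_attributes(attrs) if port.mac_auth_dynamic_vlan else None
        return "mac", vlan or port.pvid
    return "deny", None                     # both methods failed: port stays closed
```

Running `authenticate(Port(10), "00-11-22-33-44-55")` shows the reported failure mode (accepted, but on VLAN 10 rather than the RADIUS-assigned 30); flipping `mac_auth_dynamic_vlan` to True shows the behaviour SkyGoat is asking for.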
