uOS 1.32: External Group Users for Policy Control and Authentication






Zyxel’s latest firmware update introduces enhanced External Group User support across its uOS-based firewalls. This feature allows organizations to integrate external authentication systems such as Active Directory (AD), LDAP, or RADIUS to manage and apply user-based policies more effectively across multiple security features.
What Are External Group Users?
External Group Users are user identities derived from third-party authentication servers like AD, LDAP, or RADIUS. Once these users are recognized as part of specific groups on those servers, Zyxel firewalls can apply policies to them dynamically, based on group membership rather than on individually managed local accounts.
Where Can You Apply External Group Users?
The external group user feature can now be used in four major areas:
- Security Policies – Define access rules by group membership.
- Policy Route – Direct specific user traffic through a preferred WAN or VPN tunnel.
- Session Control – Enforce session limits and behavior per user group.
- Bandwidth Management (BWM) – Apply bandwidth limitations or priorities to groups.
How to Configure External Group Users
Step 1: Add an External Authentication Server
Before you can create an external user group, add your authentication server:
- Go to User & Authentication > User Authentication > AAA Server.
- Add and configure your AD, LDAP, or RADIUS server.
- Ensure the firewall has network access to the server.
Step 2: Create an External Group User
- Navigate to User & Authentication > User/Group > User.
- Add a new user and select User Type as External Group User.
- Choose the corresponding authentication server.
AD-specific Tip: Group identifiers will auto-populate from your AD server—just search by keyword (e.g., "Sales") and select from the list.
Test User Membership (Optional): You can test if a user belongs to a specific AD group using the Test button. Enter a username, and the system will verify group membership via the authentication server.
RADIUS-specific Tip: You must manually enter the group identifier as defined on the RADIUS server.
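The group membership test described above can be cross-checked outside the firewall. The following Python sketch is an added example, not Zyxel code and not part of the original article: it builds the LDAP filter an administrator could run against AD and evaluates direct versus nested membership over a constructed sample directory. The sample DNs, the user names and the `nested` option are assumptions; this page does not state whether the firewall resolves nested groups.

```python
# Added example with constructed data; not Zyxel code.
MARKETING = "CN=Marketing,OU=Groups,DC=example,DC=com"
CAMPAIGNS = "CN=Campaigns,OU=Groups,DC=example,DC=com"
# Hypothetical directory (constructed): DN -> attributes.
DIRECTORY = {
    MARKETING: {"memberOf": []},
    CAMPAIGNS: {"memberOf": [MARKETING]},  # group nested inside Marketing
    "CN=Alice,OU=Users,DC=example,DC=com": {"sAMAccountName": "alice", "memberOf": [MARKETING]},
    "CN=Bob,OU=Users,DC=example,DC=com": {"sAMAccountName": "bob", "memberOf": [CAMPAIGNS]},
}
# AD extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN (walks nested groups).
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value):
    """Escape filter metacharacters per RFC 4515 so a username cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(username, group_dn, nested=False):
    """Build the LDAP filter an administrator could run against AD for this check."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(username), attr, escape_filter_value(group_dn))

def is_member(directory, username, group_dn, nested=False):
    """Evaluate the same question over the in-memory sample directory."""
    by_dn = {dn.lower(): e for dn, e in directory.items()}
    user = next((e for e in by_dn.values()
                 if e.get("sAMAccountName", "").lower() == username.lower()), None)
    if user is None:
        return False  # unknown user: never a member
    seen, todo = set(), list(user["memberOf"])
    while todo:
        dn = todo.pop().lower()
        if dn == group_dn.lower():
            return True
        if nested and dn not in seen:  # follow group-in-group links, guard cycles
            seen.add(dn)
            todo.extend(by_dn.get(dn, {}).get("memberOf", []))
    return False

if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, is_member(DIRECTORY, name, MARKETING),
              is_member(DIRECTORY, name, MARKETING, nested=True))
    print(membership_filter("bob", MARKETING, nested=True))
```

If the Test button and a directory query disagree for a user like the constructed `bob`, nested group membership is the first thing to check.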
Example: Captive Portal with AD Users
Suppose you want users from the “Marketing” AD group to authenticate via Captive Portal:
- Create an external group for the “Marketing” group using your AD server.
- Enable Captive Portal and select the AD server as its authentication server.
- Users from the group can now log in using their domain credentials, and the system logs will reflect their group membership.
Applying to Security Policies
After defining an external group:
- Go to Security Policy > Policy Control.
- When adding or editing a rule, click the User field and select the external group.
- The policy will now apply to all users authenticated through that group.