uOS 1.32: External Group Users for Policy Control and Authentication

Zyxel_Claudia
Zyxel_Claudia Posts: 164  Zyxel Employee

Zyxel’s latest firmware update introduces enhanced External Group User support across its uOS-based firewalls. This feature allows organizations to integrate external authentication systems such as Active Directory (AD), LDAP, or RADIUS to manage and apply user-based policies more effectively across multiple security features.

What Are External Group Users?

External Group Users are user identities derived from third-party authentication servers like AD, LDAP, or RADIUS. Once these users are recognized as part of specific groups on those servers, Zyxel firewalls can apply policies to them dynamically, based on group membership, rather than requiring individual local accounts to be managed.

Where Can You Apply External Group Users?

The external group user feature can now be used in four major areas:

  1. Security Policies – Define access rules by group membership.
  2. Policy Route – Direct specific user traffic through a preferred WAN or VPN tunnel.
  3. Session Control – Enforce session limits and behavior per user group.
  4. Bandwidth Management (BWM) – Apply bandwidth limitations or priorities to groups.

How to Configure External Group Users

Step 1: Add an External Authentication Server

Before you can create an external user group, add your authentication server:

  • Go to User & Authentication > User Authentication > AAA Server.
  • Add and configure your AD, LDAP, or RADIUS server.
  • Ensure the firewall has network access to the server.

Step 2: Create an External Group User

  • Navigate to User & Authentication > User/Group > User.
  • Add a new user and select User Type as External Group User.
  • Choose the corresponding authentication server.

AD-specific Tip: Group identifiers will auto-populate from your AD server—just search by keyword (e.g., "Sales") and select from the list.

Test User Membership (Optional): You can test if a user belongs to a specific AD group using the Test button. Enter a username, and the system will verify group membership via the authentication server.

RADIUS-specific Tip: You must manually enter the group identifier as defined on the RADIUS server.
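
To cross-check an AD group membership result from an admin workstation, the following added example (not Zyxel's code, and not a description of how the firewall performs its test) parses `ldapsearch` LDIF output for one user and checks whether a group appears among the `memberOf` entries. The sample LDIF, the `example.test` names, and matching on the group's CN are assumptions.

```python
import base64
import re

# Constructed sample: LDIF as printed by ldapsearch for one AD user (not real data).
# It contains a folded line (continuation starts with one space) and a base64 value ("::").
_B64_DN = base64.b64encode(
    "CN=Vertrieb S\u00fcd,OU=Groups,DC=example,DC=test".encode("utf-8")).decode()
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=test\n"
    "sAMAccountName: alice\n"
    "memberOf: CN=Marketing,OU=Groups,DC=example,DC=test\n"
    "memberOf: CN=VPN Users,OU=Remote Access Groups,OU=Groups,DC=exam\n"
    " ple,DC=test\n"
    "memberOf:: " + _B64_DN + "\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (RFC 2849) and drop comments and blanks."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def member_of(ldif):
    """Return the group DNs listed in memberOf, decoding base64 values."""
    groups = []
    for line in unfold(ldif):
        attr, _, value = line.partition(":")
        if attr.lower() != "memberof":
            continue
        if value.startswith(":"):  # "memberOf:: <base64>" marks a non-ASCII DN
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        groups.append(value.strip())
    return groups

def first_rdn_value(dn):
    """Leftmost RDN value, e.g. 'Marketing'; handles backslash-escaped commas."""
    m = re.match(r"[^=]+=((?:\\.|[^,\\])*)", dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else ""

def in_group(ldif, group_name):
    """Case-insensitive CN match. memberOf holds direct memberships only:
    AD omits nested groups and the user's primary group from it."""
    want = group_name.lower()
    return any(first_rdn_value(dn).lower() == want for dn in member_of(ldif))
```

If this check and the firewall's Test button disagree for a user, nested or primary-group membership is the first thing to rule out.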

Example: Captive Portal with AD Users

Suppose you want users from the “Marketing” AD group to authenticate via Captive Portal:

  1. Create an external group for the “Marketing” group using your AD server.
  2. Enable Captive Portal and set its authentication server to the AD server.
  3. Users from the group can now log in using their domain credentials, and the system logs will reflect their group membership.

Applying to Security Policies

After defining an external group:

  • Go to Security Policy > Policy Control.
  • When adding or editing a rule, click the User field and select the external group.
  • The policy will now apply to all users authenticated through that group.