Using a ZyXEL USG as a RADIUS server to authenticate users on a GS-Series Switch with 802.1X

Dudley_Winchester Posts: 22
edited August 2022 in Switch

Hi all,

There is a FAQ entry on using an external RADIUS server to allow users to be authenticated on a ZyXEL GS Series switch where 802.1X authentication has been enabled:

However, what if I were to want to use a ZyXEL USG to be the server for this purpose? 802.1X for wireless devices works just fine, but when I put the IP address of the USG into the Switch for RADIUS authentication, it doesn't work!

Can this be done? And if so, maybe there are some additional steps needed in the USG to authenticate the switch?

All Replies

  • Sakura_T
    Sakura_T Posts: 101

    So do you want to use the USG as a RADIUS server to authenticate hosts on the switch via 802.1x (port-auth), but it didn't work?

    Have you checked the associated service setting (such as the Windows service "WiredAutoConfig") on your host? I mean the one that the FAQ article mentions.

  • Dudley_Winchester
    Dudley_Winchester Posts: 22

    Hi Sakura_T

    Thanks for the reply.

    You are right; the client PC (Windows 10) has the 802.1X (Wired) authentication enabled and I get the popup on my laptop screen.

    The USG has users populated and the Wireless authentication works as expected. When I check the USG logs I don't see any entries regarding authentication failures.

    I have put into the switch that all ports need to use 802.1X (apart from the port to the USG and a test port so I can get in!) and the key is set up to authenticate between the two.

    So... the Switch and the laptop know to use 802.1X, the USG has the users, the issue seems to be that the switch and USG are not presenting user credentials / authentication.

    Is there something in the USG settings that needs to say that the switch itself is authorised to make such requests? I ask because I assume the USG needs to be satisfied that the switch is a trusted device, otherwise a hacker could just fire usernames and passwords at ports 1812 and 1813 until they get lucky.

  • Zyxel小編 Lucious
    Zyxel小編 Lucious Posts: 279
     Zyxel Employee

    Hi @Dudley_Winchester

    For RADIUS server configuration on the USG, go to Configuration > System > Auth.Server and add a profile (including IP and shared secret) for the switch.

    And create a user profile in Configuration > Object > User/Group.

    On the Zyxel switch, Advanced Application > Port Authentication > 802.1x, activate and check the desired ports.

    AAA > RADIUS Server Setup, set RADIUS server's IP and shared secret.

    AAA > AAA Setup > Authorization, activate Dot1x.

    On Windows 10, the detailed settings in Ethernet Properties > Authentication should also be taken into account.
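
The thread turns on whether the USG treats the switch as a trusted RADIUS client, which is what the per-switch profile (IP plus shared secret) in the last reply provides. The sketch below is an added example, not code from any poster or from Zyxel: it shows the RFC 2865 / RFC 3579 trust layer, where a request from a source with no profile or with a different secret gets no reply. The address, secret and function names are constructed, and the EAP credential exchange is omitted.

```python
import hashlib, hmac, ipaddress, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

def attr(type_, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_request(secret, ident, user, nas_ip):
    """Switch side: Access-Request signed with Message-Authenticator (RFC 3579)."""
    req_auth = os.urandom(16)                        # random Request Authenticator
    attrs = attr(USER_NAME, user)
    attrs += attr(NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = head + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                           # placeholder is the last 16 bytes

def server_handle(clients, src_ip, pkt):
    """Server side: signed reply for a known client, None (silent drop) otherwise."""
    secret = clients.get(src_ip)
    if secret is None:
        return None                                  # no client profile for this source IP
    # Assumption: Message-Authenticator is the final attribute, as build_request emits it.
    zeroed = pkt[:-16] + bytes(16)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[-16:]):
        return None                                  # shared secret does not match
    # The user credential (EAP) check would happen here; omitted in this sketch.
    head = struct.pack("!BBH", ACCESS_ACCEPT, pkt[1], 20)
    resp_auth = hashlib.md5(head + pkt[4:20] + secret).digest()
    return head + resp_auth

def switch_verify(secret, request, reply):
    """Switch side: check the Response Authenticator (RFC 2865, section 3)."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # constructed sample values
    clients = {"192.0.2.10": secret}                 # stands in for the USG client profile
    req = build_request(secret, 7, b"alice", "192.0.2.10")
    print("known switch:", server_handle(clients, "192.0.2.10", req) is not None)
    print("unknown source:", server_handle(clients, "192.0.2.99", req) is not None)
```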