Using a ZyXEL USG as a RADIUS server to authenticate users on a GS-Series Switch with 802.1X

Dudley_Winchester · August 2019

Hi all,

There is a FAQ entry on using an external Radius server to allow users to be authenticated on a ZyXEL GS Series switch where 802.1X authentication has been enabled:

However, what if I were to want to use a ZyXEL USG to be the server for this purpose? 802.1X for wireless devices works just fine, but when I put the IP address of the USG into the Switch for RADIUS authentication, is doesn't work!

Can this be done? and if so, maybe there are some additional steps needed in the USG to authenticate the switch?

Sakura_T · August 2019

So do you want to use USG as RADIUS server to authenticate hosts on the switch via 802.1x (port-auth) but it didn't work?

Have you checked the associated service setting (such as windows service "WiredAutoConfig") on your host? I mean the one that FAQ article has mentioned.

Dudley_Winchester · August 2019

Hi Sakura_T

Thanks for the reply.

You are right; the client PC (Windows 10) has the 802.1X (Wired) authentication enabled and I get the popup on my laptop screen.

The USG has users populated and the Wireless authentication works as expected. When I check the USG logs I don't see any entries regarding authentication failures.

I have put into the switch that all ports need to use 802.1X (apart from the port to the USG and a test port so I can get in!) and the key is set up to authenticate between the two.

So... the Switch and the laptop know to use 802.1X, the USG has the users, the issue seems to be that the switch and USG are not presenting user credentials / authentication.

Is there something in the USG settings that needs to say that the switch itself is authorised to make such requests? I ask because I assume the USG needs to be satisfied that the switch is a trusted device, otherwise a hacker could just fire usernames and passwords at ports 1812 and 1813 until they get lucky.