USG authentication against Cisco ISE
Hi community,
can anyone advise how to set up the RADIUS attribute on Cisco ISE so that when I log in with my RADIUS credentials my privilege is correctly assigned to user type admin?
I have tried to follow
AD/LDAP/Radius Admin Authentication — Zyxel Community
ATTRIBUTE Zyxel-User-Type 64 string with direction BOTH and I can authenticate but user type remains User.
I have also tried to follow
How to get different privileges by RADIUS authentication — Zyxel Community
and assigned various attribute names with ID 1 for user type but same result.
All Replies
Hi @MartinSkv,
To correctly assign admin privileges when logging into the Zyxel firewall using RADIUS authentication via Cisco ISE, please confirm that the following VSA is configured correctly:
- Vendor ID: 890
- Attribute Number (ID): 1
- Attribute Format: String
- Attribute Value: admin
If you’ve already applied the correct settings but the issue still persists, we’d appreciate it if you could help share the following information for further analysis:
- Screenshots of your attribute configuration and the resulting login (as you mentioned “user type remains User”)
- The current configuration file of the Zyxel device
- Capture RADIUS packets so we can verify some information, such as the login status and the returned attributes
Also, please make sure:
- The Authorization Policy in ISE is correctly matching the user/group
- The expected profile containing the VSA is being applied
- The Zyxel device is properly configured to accept RADIUS-based admin logins
These details will help us better understand your current setup and assist you more effectively.
Zyxel Tina
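
One way to check a captured Access-Accept for the VSA listed in the reply above (an added example, not part of the original thread and not Zyxel or Cisco code). It assumes the raw RADIUS UDP payload has been exported from the packet capture and that the value must match `admin` exactly; `parse_vsas`, `grants_admin` and `build_accept` are hypothetical helper names, and the sample packet is constructed.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS code for Access-Accept (RFC 2865)
VENDOR_SPECIFIC = 26     # attribute type that carries VSAs (RFC 2865)
ZYXEL_VENDOR_ID = 890    # Vendor ID given in the reply above
USER_TYPE_ATTR = 1       # Attribute Number (ID) given in the reply above


def parse_vsas(packet: bytes):
    """Return (code, [(vendor_id, vendor_type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    vsas, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub = 4  # sub-attributes follow the 4-byte vendor id
            while sub + 2 <= len(value):
                vtype, vlen = value[sub], value[sub + 1]
                if vlen < 2 or sub + vlen > len(value):
                    break  # malformed sub-attribute; stop parsing this VSA
                vsas.append((vendor_id, vtype, value[sub + 2:sub + vlen]))
                sub += vlen
        pos += alen
    return code, vsas


def grants_admin(packet: bytes) -> bool:
    """True only for an Access-Accept carrying vendor 890, ID 1, 'admin'."""
    code, vsas = parse_vsas(packet)
    return code == ACCESS_ACCEPT and (ZYXEL_VENDOR_ID, USER_TYPE_ATTR, b"admin") in vsas


def build_accept(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Constructed sample Access-Accept with a zeroed authenticator."""
    vsa = struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value
    attr = bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16) + attr
```

Listing the tuples returned by `parse_vsas` for the real Access-Accept shows which vendor ID, attribute number and value ISE actually sent, which is what the capture request above is meant to confirm.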
Hi @Zyxel_Tina
I already have a case created for that, 519260, so perhaps you could take it over, and we could share that evidence there, as I wouldn't like to share it here on the public Community. Let me know please.
Otherwise yes, ISE is set with a RADIUS Vendor Specific dictionary which has the parameters as you specified them above. Capturing RADIUS packets will take some time as it is in a remote location and I will need to dispatch someone on site to capture that.
What do you mean by "Authorization Policy in ISE is correctly matching the user/group"? On ISE we have Policy Sets, where we have one for Zyxel devices, in which there is an Authorization policy with a set of conditions, in our case AD groups where my username is part of one, and if matched then an Authorization profile is applied, inside which are specified the RADIUS attribute values which should be applied and sent back to the Zyxel device… so I am not sure where the correlation between Zyxel user/groups and ISE authorization policy should be.