uOS 1.35 – External Group Users Now Supported in Remote Access VPN

Zyxel_Lynn Posts: 71  Zyxel Employee
edited August 26 in Other Topics

Previously, external group user objects in Zyxel firewalls were limited in scope. They could be referenced in security policies, policy routes, session control, and VMW settings, but not in VPN authentication.

With uOS 1.35, external group users can now also be used in Remote Access VPN profiles. This provides more flexibility for administrators who manage user authentication centrally through AD or RADIUS.

Supported Authentication Servers

  • Active Directory (AD)
  • RADIUS
  • LDAP (only for SSL VPN and IPsec VPN — not available for Remote Access VPN)

Active Directory Example

  1. Create an AD server profile on the firewall (System > User Authentication).
  2. Verify user accounts can be queried from AD.
  3. Place the AD user into an AD group (e.g., GroupX) via Windows Server Active Directory Users and Computers.
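  4. On the firewall, create an External Group User object with the group's distinguished name as its identifier: CN=GroupX, CN=Users, DC=zyxel, DC=com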
  5. Reference this group object in your Remote Access VPN profile.

Result: Only AD users that are members of GroupX will be able to authenticate to the VPN.
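Before attaching GroupX to the VPN profile, it is worth confirming which accounts that group actually admits. The script below is an added example, not part of the original post or Zyxel's tooling: it reads an LDIF export of user entries (assumed to carry `sAMAccountName` and `memberOf`) and lists the direct members of the group DN from step 4. Nested group membership is not resolved, and the sample data is constructed.

```python
import base64

# Group identifier as written in step 4 of the post.
VPN_GROUP_DN = "CN=GroupX, CN=Users, DC=zyxel, DC=com"

# Constructed sample export, not output from a real directory.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=zyxel,DC=com
sAMAccountName: alice
memberOf: CN=GroupX,CN=Users,DC=zyxel,DC=com
memberOf: CN=Staff,CN=Users,DC=zyxel,DC=com

dn: CN=Bob,CN=Users,DC=zyxel,DC=com
sAMAccountName: bob
memberOf: CN=Staff,CN=Users,DC=zyxel,DC=com

dn: CN=Carol,CN=Users,DC=zyxel,DC=com
sAMAccountName: carol
memberOf: cn=groupx,cn=users,dc=zyxel,dc=com
"""

def normalize_dn(dn):
    # Lower-case and drop whitespace around RDN separators so that
    # "CN=GroupX, CN=Users" and "cn=groupx,cn=users" compare equal.
    # Simplification: escaped commas inside values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    # Yield one {attribute: [values]} dict per LDIF entry.
    text = text.replace("\n ", "")  # unfold wrapped lines
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            if key.endswith(":"):  # "attr:: <base64>" form
                key, value = key[:-1], base64.b64decode(value).decode("utf-8")
            entry.setdefault(key, []).append(value.strip())
        if entry:
            yield entry

def vpn_members(ldif_text, group_dn):
    # Return sorted account names that list group_dn in memberOf.
    target = normalize_dn(group_dn)
    members = []
    for entry in parse_ldif(ldif_text):
        if target in {normalize_dn(g) for g in entry.get("memberOf", [])}:
            members.extend(entry.get("sAMAccountName", []))
    return sorted(members)
```

On the sample data, `vpn_members(SAMPLE_LDIF, VPN_GROUP_DN)` returns `['alice', 'carol']`; any name in that list that should not have remote access needs to leave the group before the profile goes live.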

RADIUS Example

Since RADIUS does not use group membership in the same way as AD, group association is instead determined through attributes.

  1. In the firewall RADIUS profile, select the attribute used for group membership:
    • Filter-ID
    • Class
    • Vendor-Specific
    • User-Defined
  2. On the RADIUS server, configure the user account to include the matching attribute (e.g., Filter-ID = Group-Thailand).
  3. On the firewall, create an External Group User object with the identifier value (Group-Thailand).
  4. Attach this external group to the Remote Access VPN profile.

Result: Only RADIUS users with the correct attribute value are permitted VPN access.

Benefits

  • Granular VPN access control: Restrict VPN login to specific AD or RADIUS groups.
  • Centralized user management: Simplifies admin work by leveraging existing directory structures.
  • Consistency: Extends external group support beyond policies into VPN authentication.

With uOS 1.35, you can now enforce group-based VPN access using external group objects from Active Directory or RADIUS.