USG FLEX H Series: RADIUS Attribute Refinement
Zyxel Employee
In the latest firmware enhancement, USG FLEX H Series Firewalls now offer refined RADIUS attribute support, improving compatibility and flexibility for authentication workflows - particularly when using web authentication (captive portal) with RADIUS servers.
This refinement ensures more standardized and vendor - specific attributes are supported for tighter integration and better session control.
What’s the Use Case?
Many customers use RADIUS-based authentication for user access control. USG FLEX H Series Firewalls act as intermediaries between the client and the RADIUS server in this process.
Supported RADIUS Attributes
Standard Attributes
Firewalls currently support the following standard RADIUS attributes:
Upcoming Support: Attributes such as Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID are used for 802.1X Dynamic VLAN and will be implemented in future firmware releases.
Vendor-Specific Attributes
Zyxel-specific attributes provide additional control. You can use them to define:
- Custom session timeouts
- Access policies
- Filter-ID assignments
These Vender Specific Attributes take priority over standard attributes. For example, if both a standard Session-Timeout (e.g., 3000 seconds) and a Zyxel-specific Idle-Timeout (e.g., 1440 seconds) are set, the vendor-specific value will be enforced.
RADIUS Authentication Workflow
- Client connects to firewall (e.g., via captive portal)
- Firewall sends Access-Request to RADIUS server, including standard and vendor-specific attributes.
- RADIUS server replies with Access-Accept, including session and access control parameters.
- Firewall grants or denies access based on the RADIUS reply.
You can capture this exchange via packet capture tools. The request will include identifiers like:
- User-Name
- User-Password
- NAS-IP-Address
- NAS-Port
- Service-Type
- Called-Station-ID
- Calling-Station-ID
And the reply may include:
- Filter-ID
- Session-Timeout
- Zyxel-Lease-Time
- Zyxel-Reauth-Time
How to Add Vendor Attributes (Example: TekRADIUS)
If you're using a third-party RADIUS server like TekRADIUS:
- Open the RADIUS dictionary file
- Add Zyxel's Vendor ID and attribute definitions:
- VENDOR Zyxel 890
- ATTRIBUTE Zyxel-Session-Timeout 1 string Zyxel
- Save and reload the RADIUS service
This allows your RADIUS server to send Zyxel-specific directives during authentication.
Categories
- All Categories
- 439 Beta Program
- 2.8K Nebula
- 202 Nebula Ideas
- 126 Nebula Status and Incidents
- 6.3K Security
- 513 USG FLEX H Series
- 328 Security Ideas
- 1.7K Switch
- 84 Switch Ideas
- 1.3K Wireless
- 49 Wireless Ideas
- 6.8K Consumer Product
- 288 Service & License
- 458 News and Release
- 90 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.3K FAQ
- 34 Documents
- 85 About Community
- 97 Security Highlight