APC Enhancements - Proxy by Controller Directly
Zyxel Employee
Proxy by Controller Directly (EAP Proxy)
Zyxel Networks has introduced the Proxy by Controller Directly feature, also known as EAP Proxy or EAP Passthrough. This feature instructs managed APs to encapsulate EAP messages within RADIUS messages. RADIUS requests consist of two layers: an outer layer (such as PEAP or EAP-TLS) and an inner EAP message containing credentials and attributes. This setting is configured under the SSID profile when using WPA Enterprise.
Internal vs. External Authentication
In Internal Authentication, the AP controller acts as a RADIUS relay, meaning the external RADIUS server only needs to allowlist the controller's IP address. If EAP Proxy is disabled, the controller terminates the TLS tunnel, and the client sees the firewall's certificate. If EAP Proxy is enabled, the controller passes the full original message, allowing the RADIUS server to terminate the tunnel; consequently, the client sees the RADIUS server's certificate.
EAP Method Support
As of firmware version 1.37, the AP controller only supports PEAP for tunnel termination. For other methods like EAP-TLS, users must enable EAP Proxy to allow the RADIUS server to handle the authentication process directly.
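To confirm on the RADIUS server side which EAP method actually arrives once EAP Proxy is enabled, the EAP-Message attributes of a captured Access-Request can be reassembled and inspected. The following is an added example, not Zyxel code; it assumes the standard RADIUS layout (RFC 2865), the EAP-Message attribute (RFC 3579) and IANA EAP type numbers, and its function names and sample packet are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1   # RADIUS packet code (RFC 2865)
EAP_MESSAGE = 79     # RADIUS attribute carrying EAP (RFC 3579)
EAP_RESPONSE = 2     # EAP code sent by the client side
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def extract_eap(radius: bytes) -> bytes:
    """Reassemble the EAP packet from all EAP-Message attributes."""
    if len(radius) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", radius[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if not 20 <= length <= len(radius):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20   # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = radius[pos], radius[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:   # long EAP packets span several attributes
            eap += radius[pos + 2:pos + alen]
        pos += alen
    return eap

def eap_method(radius: bytes) -> str:
    """Name the EAP method the RADIUS server is being asked to handle."""
    eap = extract_eap(radius)
    if len(eap) < 5:
        return "no-eap"
    code, _ident, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or elen != len(eap):
        return "malformed"
    return EAP_TYPES.get(etype, f"type-{etype}")

def build_request(eap: bytes) -> bytes:
    """Constructed sample Access-Request (zeroed authenticator, no Message-Authenticator)."""
    attrs = bytes([1, 7]) + b"alice"   # User-Name, constructed value
    for i in range(0, len(eap), 253):   # 253 = max attribute value size
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    tls = struct.pack("!BBHB", EAP_RESPONSE, 1, 300, 13) + bytes(295)
    print(eap_method(build_request(tls)))
```

A result of EAP-TLS or PEAP for requests coming from the controller's IP address indicates that the outer method is reaching the RADIUS server, which is the precondition for the server, rather than the controller, to terminate the tunnel.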