Zyxel VMG4005 EAPOL
pengc99
Posts: 1
Hi, I have a Zyxel VMG4005 and I was trying to get it to work with my DSL provider. I can get it to train and synchronize with the DSLAM but my DSL provider uses EAPOL for authentication. I can't get the Zyxel VMG4005 to pass EAPOL frames so it can't get online.
Additionally, it looks like I would be able to enable the bridge to pass EAPOL frames, but it requires root access to the shell and passing a parameter:
echo 8 > /sys/class/net/brXXX/bridge/group_fwd_mask
However, the username "admin" only puts me in a ZySH shell and I don't have permissions to do anything in the ZySH shell.
The root password isn't known and it isn't set to the same as the admin password.
Does anyone know how to access the root shell on the modem, or to configure it to pass EAPOL frames?
All Replies
-
Hello @pengc99
It is odd that your DSL provider is using EAPOL because that is IEEE 802.1X that is designed for LAN or Wireless LAN usage, see https://en.wikipedia.org/wiki/IEEE_802.1X and https://community.cisco.com/t5/switching/eap-over-lan-eapol/td-p/1195337
You might want to check with your DSL provider that they don't mean they are using CHAP or PAP authentication within PPPoE or PPPoA which is more usual with DSL providers.
Which model of VMG4005 do you have please, as I can see user guides for 3 different models: B50A, B50B and B60B?
Merry Christmas and Happy New Year.
Tony0 -
Hello @pengc99
If your DSL provider runs a RADIUS server in order to do authentication, then you might want to look at using something like Zyxel NXC, maybe connected on the LAN to your router, so that the NXC does the Authenticator role of IEEE 802.1x and then communicates with a RADIUS server, which could be at your ISP.
- see https://support.zyxel.eu/hc/en-us/articles/360006418739-RADIUS-Authentication-with-802-1X
I hope that this is helpful.
Merry Christmas and Happy New Year.
Tony0 -
Hello @pengc99
You could also try http://wire.cs.nctu.edu.tw/wire1x which is an open source implementation of IEEE 802.1x protocols.
- the latest version of which is only on Microsoft Vista in 2012.
- and it is only the Supplicant role of IEEE 802.1x, not the Authenticator role.
Therefore you might want to stick with a Zyxel WLAN controller like I mentioned earlier, to get the Authenticator role that could connect to a Radius server of your ISP.
I hope that this is helpful.
Merry Christmas and Happy New Year.
Tony0 -
Hello @pengc99
There is a useful paper at https://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf about how RADIUS works.
Thinking about what section 2.2 of that paper (RADIUS components) says, if your router is already authenticating against the DSLAM then the DSLAM should be communicating with your ISP's RADIUS servers.
However, if your ISP wants to authenticate each of the devices on your LAN, then you have to run a Supplicant on each of your LAN devices.
Are you sure that the VMG4005 will not already pass messages from a Supplicant through?
- Maybe you need to use Wireshark to check...
Merry Christmas and Happy New Year.
Tony0
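Added example, not part of the original posts and not Zyxel code: a small Python check that ties the `group_fwd_mask` value 8 from the question to the Wireshark suggestion in the last reply. It parses a captured Ethernet frame, recognises EAPOL (EtherType 0x888E), and reports whether a Linux bridge with a given mask would forward it. The function names are hypothetical, the sample frame is constructed, and the bit-to-address mapping assumes the modem uses the standard Linux bridge code.

```python
import struct
from typing import Optional

EAPOL_ETHERTYPE = 0x888E                         # IEEE 802.1X (EAP over LAN)
VLAN_ETHERTYPE = 0x8100                          # 802.1Q tag
LINK_LOCAL_PREFIX = bytes.fromhex("0180c20000")  # 01:80:C2:00:00:0X group addresses
RESTRICTED_BITS = 0x0007   # Linux bridge never forwards bits 0-2 (STP, pause, LACP)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def mask_bit_for(dst: bytes) -> Optional[int]:
    """Return the group_fwd_mask bit for a link-local group MAC, else None."""
    if dst[:5] == LINK_LOCAL_PREFIX and dst[5] <= 0x0F:
        return 1 << dst[5]
    return None

def inspect_frame(frame: bytes, group_fwd_mask: int) -> dict:
    """Parse one Ethernet frame and say whether a bridge with this mask forwards it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == VLAN_ETHERTYPE:              # skip a single 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    info = {"eapol": ethertype == EAPOL_ETHERTYPE, "type": None}
    if info["eapol"] and len(frame) >= offset + 4:
        _ver, ptype, _length = struct.unpack_from("!BBH", frame, offset)
        info["type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    bit = mask_bit_for(dst)
    info["mask_bit"] = bit
    # Simplification: any other destination is treated as normally bridged traffic.
    info["forwarded"] = True if bit is None else bool(group_fwd_mask & bit & ~RESTRICTED_BITS)
    return info

# Constructed sample: EAPOL-Start sent to the PAE group address 01:80:C2:00:00:03
SAMPLE = bytes.fromhex("0180c2000003" "020000000001" "888e" "01010000")

if __name__ == "__main__":
    for mask in (0, 8):
        print(mask, inspect_frame(SAMPLE, mask))
```

With the default mask of 0 the sample frame is dropped at the bridge; with 8 (bit 3, matching the last octet 03 of the destination address) it is forwarded.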