Zyxel VMG4005 EAPOL

Options
Hi, I have a Zyxel VMG4005 and I was trying to get it to work with my DSL provider. I can get it to train and synchronize with the DSLAM but my DSL provider uses EAPOL for authentication. I can't get the Zyxel VMG4005 to pass EAPOL frames so it can't get online.

Additionally, it looks like I would be able to enable the bridge to pass EAPOL frames, but it requires root access to the shell and passing a parameter:

echo 8 > /sys/class/net/brXXX/bridge/group_fwd_mask

However, the username "admin" only puts me in a ZySH shell and I don't have permissions to do anything in the ZySH shell.

The root password isn't know and it isn't set to the same as the admin password.

Does anyone know how to access the root shell on the modem, or to configure it to pass EAPOL frames?

All Replies

  • tonygibbs16
    tonygibbs16 Posts: 863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hello @pengc99

    It is odd that your DSL provider is using EAPOL because that is IEEE 802.1X that is designed for LAN or Wireless LAN usage, see https://en.wikipedia.org/wiki/IEEE_802.1X and https://community.cisco.com/t5/switching/eap-over-lan-eapol/td-p/1195337

    You might want to check with your DSL provider that they don't mean they are using CHAP or PAP authentication within PPPoE or PPPoA which is more usual with DSL providers.

    Which model of VMG4005 do you have please, as I can see user guides for 3 different models B50A, B50B and B60B ?

    Merry Christmas and Happy New Year.

    Tony
  • tonygibbs16
    tonygibbs16 Posts: 863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2020
    Options
    Hello @pengc99

    If your DSL provider runs a RADIUS server in order to do authentication, then you might want to look at using something like Zyxel NXC, maybe connected on the LAN to your router, so that the NXC does the Authenticator role of IEEE 802.1x and then communicates with a RADIUS server, which could be at your ISP.
        - see https://support.zyxel.eu/hc/en-us/articles/360006418739-RADIUS-Authentication-with-802-1X

    I hope that this is helpful.

    Merry Christmas and Happy New Year.

    Tony
  • tonygibbs16
    tonygibbs16 Posts: 863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2021
    Options
    Hello @pengc99

    You could also try http://wire.cs.nctu.edu.tw/wire1x which is an open source implementation of IEEE 802.1x protocols.
         - the latest version of which is only on Microsoft Vista in 2012.
              - and it is only the Supplicant role of IEEE 802.1x, not the Authenticator role.

    Therefore you might what to stick with a Zyxel WLAN controller like I mentioned earlier, to get the Authenticator role that could connect to a Radius server of your ISP.

    I hope that this is helpful.

    Merry Christmas and Happy New Year.

    Tony
  • tonygibbs16
    tonygibbs16 Posts: 863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2021
    Options
    Hello @pengc99

    There is a useful paper at https://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf about how RADIUS works.

    Thinking about what section 2.2 of that paper (RADIUS components) says, if your router is already authentication against the DSLAM then the DSLAM should be communicating with your ISP's RADIUS servers.

    However, if your ISP wants to authenticate each of the devices on you LAN, then you have to run a Supplicant on each of your LAN devices.

    Are you sure that the VMG4005 will not already pass messages from a Supplicant through?
        - Maybe you need to use Wireshark to check...

    Merry Christmas and Happy New Year.

    Tony 

Consumer Product Help Center