Radius group Filter Id

dejmal69
dejmal69 Posts: 16  Freshman Member
First Anniversary First Comment
edited April 2021 in Security
Hello,
I have a problem authenticating users using radius.
I pass the attributes user group and the user is correctly assigned to the group according to the attribute, but at the same time it is also included in the default group radius-users. Therefore, the Policy control rules do not work.
How to set the user to be only in the group by attribute?
USG40 latest FW V4.38
Thank you.

Best Answers

  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    Answer ✓
    Hello,
    Thank You. I also contacted Zyxel official support. We had a TV session and the problem could not be solved. It seems like a bug.

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @dejmal69  

    You have to make sure RADIUS authentication has added into Auth. Method rule.

    Otherwise device will not send authentication request to external RADIUS server.

    (Configuration > Object > Auth. Method)

     

    And also you can setup user Group Identifier setting for your RADIUS group user.

     

    Then user object can be referenced by other functions. (i.g. L2TP/SSL VPN…etc)


  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    Thank You for answer. I have the same setting. Authentication is ok, but group is ignored in firewall rules.
  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    I have two groups. eg. host and home. I will set a lan to wan policy where the homegroup is set. I authenticate two devices. One home, one guest. But both have connections.
    The rule allows users from another group.
    When I'm there, I'll prepare screenshots.
  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    Here are screenshots.

    Two users on two devices. Each in a different group

    Policy control. Only group radadmini is alowed.

    log. both devices are allowed by the same rule.



    That's a problem. It is necessary to restrict according to the rules of the user group. Otherwise, authentication does not make sense.
    Am I making a mistake somewhere? I suspect that the problem is because all users are authenticated to the default group at the same time




  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    @dejmal69

    It looks issue happen in Wireless client which authenticate by 802.1X.

    Currently we still analysis the symptom, and will let you know conclusion of this.

  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    Answer ✓
    Hello,
    Thank You. I also contacted Zyxel official support. We had a TV session and the problem could not be solved. It seems like a bug.
  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    Hello,

    Thank You very much.
  • dejmal69
    dejmal69 Posts: 16  Freshman Member
    First Anniversary First Comment
    Hello,
    Thanks for Your support. In WK24 fw is fixed this issue.

Security Highlight