GS1900-8 802.1x authorization
We've recently purchased ~100 of this switches. We were looking for a small desktop switch with 802.1x support as we've recently implemented NACVIEW for 802.1x computer authorization. In the specification there is and info that this switch supports 802.1x authorization, however we've tried all possible configuration options and we can't make it work. No authorization packets are sent from switch to Radius server, despite that all is set up according to manual. We've checked that with tcpdump on a router that is routing traffic between switch managment network and our radius server
Does this model really support IEEE 802.1X port based authentication?
I'am attaching config file from one of the devices. Did we made something wrong with configuration?
While looking in the config file we've noticed that commands are very simmilar to the ones we use in HP switches. Most of them are practicly identical, so we don't understand why this authentication won't work on this GS1900 switch.
Accepted Solution
-
Update
The root cause is the length of the username is longer than 32 characters. We have help @smalinowski to solve this issue via ticket by providing a date code firmware.
This fix will be included in the next firmware release. Please stay tuned for further announcements on the switch new release category.
Zyxel Melen0
Zyxel Employee
All Replies
-
0
-
Hi @smalinowski,
GS1900 does support 802.1X port authentication. And your configuration of 802.1X part is correct.
I found your switch and Radius server are in different VLANs. Since you mentioned "No authorization packets are sent from switch to Radius server", could you help to check if the switch can ping to your Radius Server?
Zyxel Melen0 -
Yes they are in different VLANs, however the default gateway of the switch 192.168.49.129 route traffic between switch management network and radius server network. Pings are working fine. Additionally if we setup user authentication via the same radius server we see packets going out of the switch to radius server on radius port. It just won't work for port authorization.
0 -
We've also checked one thing. We've changed IP address of the switch so that he is now in the same VLAN and network as Radius server. No change. No authorization requests are comming from the switch to radius.
0 -
Hi @smalinowski,
My configuration is below, which is similar with yours, and my GS1900 will send Radius request to the Radius server.
The packets when I connect a laptop to port 2 of my GS1900:
Would you like to share your topology when you were testing the port authentication?
Zyxel Melen0 -
This is very interesting. Parallel to our conversation here, my friend opened a ticket on your support (ticket nr 427605) and there one of Zyxel employees mr. Jan Zelman said that GS1900 series does not support authentication of connected clients via Radius. He also said that Radius authentication on these GS1900 series is for administrator login only. This is hardware limitation of the chipset. He also said that we need at least GS1920 series to configure port-based authentication.
So which one of you is correct? Which exacly switch model did you used for the screenes above? GS1900-8 or GS1920-8 ? If you have GS1900-8 like we do why this doesn't work for us and it works for you?About the topology, we've tried it even when SWITCH and Radius serwer were in the same VLAN and the same subnet so communication between them was made without any routers in the middle. Result was the same. No packets were sent from switch to radius serwer.
0 -
Hi @smalinowski,
The model I used is GS1900-8. So, I think I'm the correct one.
We're using a similar configuration, but the results are different. This means the authentication process wasn't triggered on your test. This could be because:
- The PC didn't enable authentication.
- The PC connected to an 802.1X disable port.
- The switch can't find the Radius server. (This should not be possible since you can ping the Radius server from the switch.)
Could you share which port you connected the Radius server and the test PC?
Zyxel Melen0 -
Switch is connected to our network on port1 and the PC is connected to port 2 (you can see dot1x auto on that port).
Authentication on PC is ON because if we connect it to our network to diffrent switch (not Zyxel) 802.1x authorization is working.
0 -
Hi @smalinowski,
Thanks for your feedback. To investigate if the switch sent the RADIUS packets, please help to collect the packets by port mirror function. The screenshot below shows the steps to set the port mirror:
Please connect a PC to the monitor port and open the Wireshark to collect the packets. You may set the filter "radius || arp || EAP". And collect the running-configure again when you test in the same VLAN. Thanks in advance.
Zyxel Melen0 -
Update
The root cause is the length of the username is longer than 32 characters. We have help @smalinowski to solve this issue via ticket by providing a date code firmware.
This fix will be included in the next firmware release. Please stay tuned for further announcements on the switch new release category.
Zyxel Melen0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 151 Nebula Ideas
- 98 Nebula Status and Incidents
- 5.7K Security
- 277 USG FLEX H Series
- 277 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.4K Consumer Product
- 250 Service & License
- 395 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 75 Security Highlight
