RADIUS Attributes Port Authentication MAC Auth

DS_net
DS_net Posts: 10
First Anniversary First Comment
edited August 2022 in Switch

Hi

we recently noticed some strange/wrong radius attributes when doing MAC-Auth instead of 802.1X.

The RADIUS attributes are different while most are missing when MAC-Auth is enabled.

An example is NAS-IP-Adress and Client-IP-Adress are misused.

The actual NAS is used as Client-IP if MAC-Auth is enabled.

Also Port-Type "Ethernet" is missing.

On windows NPS we had to create additional Connection Request and Network Policies.


We would also like to use 802.1X supplicant of the switch to secure the uplink.

Eventually also a "multi host mode" so that the first MAC-Auth opens the port and following MACs on the port do not need to authenticate (e.g. if an AP is connected via MAC-Auth).


Switch used: GS1920-8HPv2 with recent firmware

Regards

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    First Anniversary Friend Collector First Answer First Comment
    edited June 2019

    Hi @DS_net

    I am not sure if you want to configure 802.1X or MAC-Auth.

    To enable por authentication, first activate the port authentication method om the switch and the port, then configure the RADIUS server settings in the AAA > RAdius set up screen.

    Click Advanced Application > Port Authentication in the navigation panel to display the screen. Select 802.1X


    Regards

  • DS_net
    DS_net Posts: 10
    First Anniversary First Comment
    edited June 2019

    We want to secure all ports of the zyxel to use 802.1x port authentication so the attached PCs have to log in. On some ports we have to setup mac-auth because of missing 802.1x support of the client devices (e.g. an AP).

    To secure the uplink of the switch we want to use 802.1x also - so the switch should use 802.1x on its uplink to secure this connection.

    The switch should get credentials to 802.1x login on its upstream switch.

  • Zyxel小編 Lucious
    Zyxel小編 Lucious Posts: 278  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hello @DS_net


    1.

    About current RADIUS attribute from Zyxel switch:

    There are user, password, identifier attributes when using MAC-Authentication.

    When using Port-Authentication, switch's IP is used as NAS IP.

    It seems to us that it should be possible to authenticate with Windows NPS with only username & password.

    2.

    As for your saying "a "multi host mode" so that the first MAC-Auth opens the port and following MACs on the port do not need to authenticate (e.g. if an AP is connected via MAC-Auth)",

    We're assuming the security concern here is to prevent someone from disconnecting the AP and link with some kind of malicious attack to your intranet, is that the case?


    Zyxel_Lucious

  • DS_net
    DS_net Posts: 10
    First Anniversary First Comment

    1.

    We know how to configure it.

    I just want to report the described BUG. Radius attributes are fine with 802.1x port auth but are wrong with MAC-port-auth. In MAC-port-auth the actual NAS-IP is written into the Client-IP Radius attribute which the switch sends to the radius server. Also other attributes are missing e.g. Port-Type "Ethernet".

    2.

    Our customer has security concerns. We know it's no real security feature due to mac-spoofing.

    It is correct that we want to secure the port of an Wifi AP.

    The Switch tries to MAC-Auth those Wifi clients if we enable MAC-Auth on the port.


    3.

    We also want to secure the uplink of the switch therefore the switch has to support 802.1x supplicant/client.

    At the moment we activated MAC-Auth on the upstream switch. In some cases the first Mac on the upstream port (which should authenticate) is not not the MAC of the switch. We also noticed that the switch has two MAC-Addresses.


    Regards

  • Zyxel小編 Lucious
    Zyxel小編 Lucious Posts: 278  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @DS_net


    The attributes we've got in MAC-Auth packet are as following

    Are you suggesting that the wrong attribute is when you using MAC + Port Auth on the port?

    If possible, can you provide the packet capture / screenshot for us?


    Zyxel_Lucious

  • DS_net
    DS_net Posts: 10
    First Anniversary First Comment
    edited June 2019

    Hi,

    if I activate MAC-Auth as the only Port-Auth (802.1x disabled) I get:

    If I activate 802.1x only I get:


  • Zyxel小編 Lucious
    Zyxel小編 Lucious Posts: 278  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited June 2019

    Hi @DS_net

    1.

    Based on your screenshots, we wonder if there is a chance that Client-IP attribute is actually referred to the source IP of packet since we've seen no Client-IP attribute in our packet , neither MAC-Auth nor 802.1x.

    Nevertheless, what specific impact does this issue cause?

    2.

    "Multi host mode for MAC Authentication" is currently not supported on our switch.

    We will suggest initiating MAC/802.1x authentication by AP itself according to the given scenario.


    Zyxel_Lucious

  • DS_net
    DS_net Posts: 10
    First Anniversary First Comment
    edited June 2019

    Hi,

    1. This issue causes that I have to create additional NPS rules for the Zyxel switches because they don't send port type "Ethernet" and NAS IP. In some usecases the NAS-IP would be important as you can see here:

    Client IP is actually the RADIUS-Client IP (which could be a NAT or WAN IP)

    The WIFI/LAN clients, in this case called supplicants, can't have an IP if they aren't authenticated.


    2. This issue causes that we had to patch the APs to Cisco Switches which support multi-host with MAC-Auth. (other option would be to get APs which support 802.1x supplicant but most don't support it)


    3. The issue that the Switches do not support 802.1x supplicant made us activate MAC-Auth on the now upstream Cisco switches. Problem is if we restart the Cisco the MAC of the next packet of the Zyxel switch gets authenticated which often is not the MAC of the switch but one of the attached devices.

    So most important feature would be 802.1x supplicant of the Zyxel switches.

    Additional issues could be seen as bug reports or feature requests.


    Regards

  • Zyxel小編 Lucious
    Zyxel小編 Lucious Posts: 278  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited June 2019

    Hi @DS_net

    1.

    Appreciated for the kind explanation, your concern is understandable.

    We'll forward to the internal for further discussion.

    In the meantime, we may need the detail of your scenario for verification.

    I will PM to collect info if you're fine with it.

    2. & 3.

    According to our test, MAC authentication process is depending on which packet being firstly forwarded to the authenticator (port), not always the major supplicant (in your case, switch/AP), sometimes the attached client.

    Is your AP always the first supplicant during MAC-auth to Cisco switch?

    Moreover, in Cisco's multi-host mechanism, does it have to be the major supplicant to firstly "open" the port?


    Zyxel_Lucious

  • DS_net
    DS_net Posts: 10
    First Anniversary First Comment

    Hi Lucious,

    1. Sure I will send details. In our case this behaviour was no big issue but it could be for others.
    2. and 3. This behaviour should be the case on any switch and vendor. The main issue that made us switch to brand C. in this cas is that they support multi host with MAC-Auth. Due to the fact that the AP is POE powered MAC-Auth works pretty good and the MAC of the AP gets reliably authenticated.