How to get different privileges by RADIUS authentication:
On the ZyWALL USG, you can configure local users with different privileges: admin, limited-admin, user and guest. Each user therefore gets the privilege of its type when logging in to the USG. For ext-user accounts, which are authenticated by an external RADIUS server, the USG sets the privilege to “user” by default when the RADIUS server does not return any user type information. How do we attach the user type, as defined on the USG, to the ext-user account on the RADIUS server so that the USG receives it as soon as the RADIUS user has been authenticated? In this guide, we show how to configure a vendor-specific attribute on the RADIUS (NPS) server that sets the user type for each user group.
Configuration Guide:
1. Conditions
RADIUS server: Windows Server 2008 R2 with the Network Policy Server (NPS) role.
Create three groups on the RADIUS server: csoadmin, csosecurity and csoguest, and add members to each group.
2. Goals to achieve
Assign a USG user type to each user group on the RADIUS server.
3. RADIUS Server Configuration
1. Go to Administrative Tools > Network Policy Server.
2. Under Policies > Network Policies, select the network policy CSO_admin and open its Properties.
3. Go to Settings > RADIUS Attributes > Vendor Specific and click the Add button.
4. In the Add Vendor Specific Attribute dialog, select Vendor-Specific and click the Add button.
5. In the Attribute Information dialog, click the Add button.
6. Select Enter Vendor Code and enter ZyXEL’s vendor code 890 (ZyXEL’s IANA-assigned enterprise number). Confirm that the attribute conforms to the RADIUS RFC vendor-specific format and click the Configure Attribute button.
7. Three vendor-assigned attributes are needed under this vendor code: user type, lease-time and reauth-time. Add each one as its own entry.
On the ZyXEL USG series, we support four types of users: admin, limited-admin, user and guest.
In this example, we set “admin” as the privilege of this group.
User type
Vendor-assigned attribute number: 1; Attribute format: String; Attribute value: admin
Lease-time
Vendor-assigned attribute number: 2; Attribute format: String; Attribute value: 0-1440 (minutes)
Reauth-time
Vendor-assigned attribute number: 3; Attribute format: String; Attribute value: 0-1440 (minutes)
8. User type, lease-time and reauth-time are now configured as vendor-specific attributes for the network policy CSO_admin.
9. Click the Apply button to finish the privilege setting.
10. Repeat steps 2 to 9 for the network policies CSO_guest and CSO_support, using the user type that matches each group (for example guest for CSO_guest).
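The steps above describe the attributes in NPS terms; on the wire they travel as RFC 2865 Vendor-Specific attributes (type 26) inside the Access-Accept that NPS returns to the USG. The following Python script is an added example, not ZyXEL's or Microsoft's code: it encodes the same three ZyXEL attributes in wire format, validates the values against the ranges given above, builds an Access-Accept with its Response Authenticator, and decodes and authenticates such a packet so you can check a capture from the NPS server when the USG does not show the expected user type. The vendor ID 890 and the attribute numbers 1, 2 and 3 come from this guide; the sub-attribute names, the packet identifier, the request authenticator and the shared secret are assumptions constructed for illustration.

```python
"""Encode/decode ZyXEL vendor-specific RADIUS attributes (added example).

Facts taken from the guide and RFC 2865: ZyXEL vendor (enterprise) ID is 890;
vendor-assigned attribute 1 = user type, 2 = lease-time, 3 = reauth-time, all
String-formatted; VSA carrier is RADIUS attribute type 26.
Assumed for illustration: the names in ZYXEL_VSA, all sample identifiers,
authenticators and secrets used below.
"""
import hashlib
import hmac
import struct

ZYXEL_VENDOR_ID = 890
ZYXEL_VSA = {1: "user-type", 2: "lease-time", 3: "reauth-time"}  # names assumed
VALID_USER_TYPES = {"admin", "limited-admin", "user", "guest"}

ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26
CODE_ACCESS_ACCEPT = 2


def encode_zyxel_vsa(sub_type: int, value: str) -> bytes:
    """One type-26 attribute carrying a single ZyXEL sub-attribute in the
    Vendor-Type / Vendor-Length / Value layout recommended by RFC 2865."""
    data = value.encode("ascii")
    vendor_data = struct.pack("!BB", sub_type, 2 + len(data)) + data
    body = struct.pack("!I", ZYXEL_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def zyxel_attributes(user_type: str, lease_time: int, reauth_time: int) -> bytes:
    """Attribute list for one user group, validated against the USG's limits."""
    if user_type not in VALID_USER_TYPES:
        raise ValueError(f"unknown USG user type {user_type!r}")
    for name, minutes in (("lease-time", lease_time), ("reauth-time", reauth_time)):
        if not 0 <= minutes <= 1440:
            raise ValueError(f"{name} must be 0-1440 minutes, got {minutes}")
    return (encode_zyxel_vsa(1, user_type)
            + encode_zyxel_vsa(2, str(lease_time))
            + encode_zyxel_vsa(3, str(reauth_time)))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s.3)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def decode_zyxel_vsas(packet: bytes) -> dict:
    """Walk the attribute list of a RADIUS packet and return the ZyXEL VSAs as
    {name: value}. Other vendors' VSAs and non-VSA attributes are skipped;
    malformed lengths raise instead of being silently accepted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    found, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == ZYXEL_VENDOR_ID:
            sub = value[4:]
            while len(sub) >= 2:
                sub_type, sub_len = sub[0], sub[1]
                if sub_len < 2 or sub_len > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                found[ZYXEL_VSA.get(sub_type, f"vsa-{sub_type}")] = sub[2:sub_len].decode("ascii")
                sub = sub[sub_len:]
        pos += attr_len
    return found


def effective_user_type(vsas: dict) -> str:
    """The USG falls back to "user" when the server returns no user type."""
    return vsas.get("user-type", "user")


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator so a captured Access-Accept can be
    checked against the shared secret before trusting the privilege it carries."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    req_auth, secret = bytes(range(16)), b"example-shared-secret"
    pkt = build_access_accept(7, req_auth, secret, zyxel_attributes("admin", 60, 30))
    print(pkt.hex())
    print(decode_zyxel_vsas(pkt), verify_access_accept(pkt, req_auth, secret))
```

To check a real exchange, take the Access-Request's 16-byte authenticator and the Access-Accept from a capture on the NPS server, pass them with the shared secret to verify_access_accept, and run decode_zyxel_vsas on the Access-Accept: an empty result explains a user who lands as "user" even though the network policy looks correct, and an authenticator mismatch points at a shared-secret problem between the USG and NPS rather than at the attributes.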
4. Verification
Use web authentication on the USG to check the user type of the logged-in user.
Topology
1. On the USG, go to CONFIGURATION > Web Authentication and select the Enable Web Authentication checkbox.
2. Go to CONFIGURATION > Object > AAA Server > RADIUS and configure the RADIUS (NPS) server on the USG.
3. Log in through the web authentication page with the guest-level account “CSO_guest” and the admin-level account “Bob” in turn.
Test Result for account “CSO_guest”
Without vendor-specific attributes configured for the group of the account “CSO_guest”, the account is listed with type “User” in the USG’s logged-in users.
After setting the vendor-specific attributes for the group “CSO_guest” as described in the configuration guide and logging in to the device again with the same guest-level account “CSO_guest”, the user type becomes “Guest”.
Test Result for account “Bob”
Without vendor-specific attributes configured for the group of the account “Bob”, the account is listed with type “User” in the USG’s logged-in users.
After setting the vendor-specific attributes for the group “CSO_admin” as described in the configuration guide and logging in to the device again with the same admin-level account “Bob”, the user type becomes “Administrator”.
5. Conclusion
By following this guide, you can assign different user types to RADIUS group accounts according to their privilege, just as for local users. The ZyWALL USG then receives the user type, lease time and re-auth time from the RADIUS server as soon as the user is authenticated, and uses them to control access to services on the USG.
When you run into trouble, please try to solve it with the following guide: