[Zyxel Switch / XGS / GS 2xxx Series and higher] MAC Authentication with Active Directory. This tutorial is based on basic Active Directory settings on a Windows Server 2019 with a simple structure:
First we must create/add a user. This user is the client, in this example a device with the MAC address “b827eb2550df” (a Raspberry Pi).
We also need to add the Zyxel switch as a RADIUS client on the NPS server.
1) Open Active Directory Users and Computers: Start > All Programs > Administrative Tools > Active Directory Users and Computers.
2) Create a new user account. The username and password should be the MAC address of the connecting device. Note: check which options your switch supports and configure the account accordingly; on the X/GS2xxx series or higher the following options are available:
Info on the settings that are possible:
Type the prefix that is appended to all MAC addresses sent to the RADIUS server for authentication. You can enter up to 32 printable ASCII characters.
If you leave this field blank, then only the MAC address of the client is forwarded to the RADIUS server.
Select the delimiter the RADIUS server uses to separate the pairs in MAC addresses used as the account user name (and password). You can select Dash (-), Colon (:), or None to use no delimiters at all in the MAC address.
Select the case (Upper or Lower) the RADIUS server requires for letters in MAC addresses used as the account user name (and password).
Select Static to have the Switch send the password you specify below, or MAC-Address to use the client MAC address as the password.
Type the password the Switch sends along with the MAC address of a client for authentication with the RADIUS server. You can enter up to 32 printable ASCII characters except [ ? ], [ | ], [ ' ], [ " ] or [ , ].
Specify the amount of time before the Switch allows a client MAC address that fails authentication to try and authenticate again. Maximum time is 3000 seconds.
When a client fails MAC authentication, its MAC address is learned by the MAC address table with a status of denied. The timeout period you specify here is the time the MAC address entry stays in the MAC address table until it is cleared. If you specify 0 for the timeout value, the Switch uses the Aging Time configured in the Switch Setup screen.
In this example the client MAC and the username are “b827eb2550df” (the Pi). The switch sends the Pi's MAC as both username and password, so user and password are both “b827eb2550df”.
So that the user can be authenticated by AD, we need a group for it:
User and group are created; now we must configure NPS.
All switches that need to authenticate clients must be added to NPS as RADIUS clients.
1) Open the NPS Server Console by going to Start > Programs > Administrative Tools > Network Policy Server.
2) In the Left pane, expand the RADIUS Clients and Servers option.
3) Right click the RADIUS Clients option and select New.
4) Enter a name for the Zyxel switch.
5) Enter the IP address of your Zyxel switch.
6) Create and enter a RADIUS Shared Secret.
7) Press OK when finished.
8) Repeat these steps for all switches that will be used for MAC-Auth.
Now we need an NPS Connection Request Policy.
With the settings for the Windows group and NAS Port Type:
With the authentication method in the settings:
Now we can go on with the switch configuration.
First we must add the AAA server:
- Refer to step 6 of the NPS settings (Shared Secret): set the NPS server IP and enter the same RADIUS shared secret.
Now we must enable the port on which MAC-Auth should be used:
(In this example the Pi is connected to port 16)
I verify with Wireshark, and it's working:
You can also use the domain log; you will see the same:
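As an added example (not part of the original article), the following Python script builds the RADIUS User-Name the switch derives from a client MAC under the MAC-Auth settings described above, and reproduces the RFC 2865 User-Password hiding you see in the Wireshark capture: the MAC-derived User-Name travels in clear, and the MAC used as password is protected only by the shared secret configured in NPS and on the switch. The shared secret and the Request Authenticator used here are constructed placeholder values.

```python
import hashlib

def mac_account_name(mac, prefix="", delimiter="", upper=False):
    """Build the User-Name the switch derives from a client MAC under the
    MAC-Auth settings: optional prefix, delimiter ('-', ':' or none) and
    letter case. The defaults give the article's form, e.g. 'b827eb2550df'."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    body = delimiter.join(pairs)
    return prefix + (body.upper() if upper else body)

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding as sent in the Access-Request:
    the password is null-padded to a multiple of 16 octets and each block is
    XORed with MD5(secret + previous block); the first block uses the 16-byte
    Request Authenticator of the packet."""
    pw = password.encode()
    if len(pw) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], digest))
        hidden += prev
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what NPS recovers from the attribute using the
    shared secret. Without the secret the User-Password octets cannot be
    reversed, although the User-Name (the MAC itself) is visible in clear."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return plain.rstrip(b"\x00").decode()

if __name__ == "__main__":
    # Constructed values: the article's Pi MAC, a placeholder shared secret
    # and a fixed Request Authenticator instead of the random one a switch sends.
    name = mac_account_name("b8:27:eb:25:50:df")
    auth = bytes(range(16))
    secret = b"placeholder-shared-secret"
    wire = hide_password(name, secret, auth)
    print(name, wire.hex(), reveal_password(wire, secret, auth))
```

Because the password is the MAC itself, the shared secret is the only thing keeping the User-Password attribute from being trivially readable in a capture, so choose a long, random one per switch.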
After configuring the switch you should always save your new configuration on the switch.
Otherwise, the switch will lose the changes after a reboot.
Setup assistance: are you looking for assisted configuration by our Professional Services Team? Please check here: Zyxel ConfigService Switch