Urgent! Security Advisory Notification - Firmware Upgrade advise for optimal protection & VPN and GUI Stability Issues

Read Article
English Български Čeština Dansk Deutsch Español Suomi Français Magyar Italiano Nederlands Norsk Polski Română Русский Slovenčina svenska Türkçe

MAC Authentification with Active Directory Security / Filtering icon

Avatar
  • Updated
Back to top

[Zyxel Switch / XGS / GS 2xxx Series and higher] MAC Authentification with Active Directory. This Tutorial is based on Basic Active Directory Settings with Windows2019 Server and simple Structure:

BaseDN: DC=ad,DC=local

First we must create / add a User, this user is the Client, in Example a device with MAC-Address “b827eb2550df” (a Raspberry PI)

 

Switch Setting

NPS Setting

Verification

 

Switch Setting:

We need to  add a Zyxel Switch as RADIUS clients on the NPS Server 

1) Open Active Directory Users and Computers: Start > All Programs > Administrative Tools > Active Directory Users and Computers. 

2) Create a new user account. the username and password should be the MAC address of the connecting device. Note: Please check what the option in switch are supported and configure this we have the following options based on X/GS2xxx or higher:

mceclip0.png

Info to Settings that are possible:

Name Prefix

Type the prefix that is appended to all MAC addresses sent to the RADIUS server for authentication. You can enter up to 32 printable ASCII characters.

If you leave this field blank, then only the MAC address of the client is forwarded to the RADIUS server.

Delimiter

Select the delimiter the RADIUS server uses to separate the pairs in MAC addresses used as the account user name (and password). You can select Dash (–), Colon (:), or None to use no delimiters at all in the MAC address.

Case

Select the case (Upper or Lower) the RADIUS server requires for letters in MAC addresses used as the account user name (and password).

Password Type

Select Static to have the Switch send the password you specify below or MAC-Address to use the client MAC address as the password.

Password

Type the password the Switch sends along with the MAC address of a client for authentication with the RADIUS server. You can enter up to 32 printable ASCII characters except [ ? ], [ | ], [ ' ], [ " ] or [ , ].

Timeout

Specify the amount of time before the Switch allows a client MAC address that fails authentication to try and authenticate again. Maximum time is 3000 seconds.

When a client fails MAC authentication, its MAC address is learned by the MAC address table with a status of denied. The timeout period you specify here is the time the MAC address entry stays in the MAC address table until it is cleared. If you specify 0 for the timeout value, the Switch uses the Aging Time configured in the Switch Setup screen.

Note:

If the Aging Time in the Switch Setup screen is set to a lower value, then it supersedes this setting.

 

Here to this example Client MAC and Username is “b827eb2550df” the PI, this PI will send MAC & Password as same, this means User and PWD is: “b827eb2550df”.

mceclip1.png

 

That the user can be Authenticated by AD we need a Groupe for it:

mceclip2.png

 

So, User and Groupe are created, now we must configure NPS.

 

NPS Settings:

All switches that that need to authenticate a client need to add to NPS as Radius Client.

1) Open the NPS Server Console by going to Start > Programs > Administrative Tools > Network Policy Server.
2) In the Left pane, expand the RADIUS Clients and Servers option.
3) Right click the RADIUS Clients option and select New.
4) Enter a  Name for the Zyxel-Switch.
5) Enter the the IP Address of your Zyxel Switch.
6) Create and enter a RADIUS Shared Secret.
7) Press OK when finished.
8) Repeat these steps for all switches that will be used for MAC-Auth.

mceclip3.png

 

Now we need a NPS Connection Request Policy.

mceclip4.png

With the settings to Windows Groupe and NAS Port Type:

mceclip5.png

With the Auth Method in settings:

mceclip6.png

Now we can go on with Switch Config.

 

We must add First the AAA Server:

mceclip7.png

  • Refer to Nr 6 NPS setting is Shared Secret => Set IP and enter a RADIUS Shared Secret.

 

Now we must enable Port on which MAC-Auth should be used:
(Here example the PI is connected to Port 16)

mceclip8.png

 

Verification:

I do verification with Wireshark, and its working:

mceclip9.png

 

You can also use Domain-Log, you will see same:

mceclip10.png

Done.

 

After configuring the switch you should always save your new configuration on the switch.
Otherwise, the switch will lose the changes after a reboot. 
Switch Configuration Lost After Power Outage or Power Cycle Issue

 

Setup Assistance, you´re looking for assisted configuration by our Professional Services Team? Please check here: Zyxel ConfigService Switch

 

Contact Us
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Related articles

Comments

0 comments

Article is closed for comments.