Zyxel Network Switch [XGS/GS2xxx] - Configure MAC Authentification with Active Directory on Zyxel Switches

[Zyxel Switch / XGS / GS 2xxx Series and higher] - MAC Authentication with Active Directory

This tutorial is centered on implementing MAC authentication with Active Directory, specifically tailored to Basic Active Directory settings using Windows Server 2019 with a straightforward structure:

BaseDN: DC=ad,DC=local

Initial Step: User Creation and Addition To commence the process, it is imperative to create and add a user, which will serve as the client. As an illustration, consider a device with the MAC address "b827eb2550df" (such as a Raspberry Pi). This user will play a key role in the authentication process outlined in the subsequent steps.

Switch Setting

We need to  add a Zyxel Switch as RADIUS clients on the NPS Server 

1) Open Active Directory Users and Computers: Start > All Programs > Administrative Tools > Active Directory Users and Computers. 

2) Create a new user account. the username and password should be the MAC address of the connecting device. Note: Please check what options in the switch are supported and configure this we have the following options based on X/GS2xxx or higher:

Configure the switch by navigating to 

SECURITY > Port Authentication > MAC Authentication

Then activate MAC Authentication, choose a MAC-address-based lowercase password type, and activate the MAC Authentication on the ports you'd like. Change the dash on the switch to none.

Settings that are possible:

Name Prefix Type the prefix that is appended to all MAC addresses sent to the RADIUS server for authentication. You can enter up to 32 printable ASCII characters.If you leave this field blank, then only the MAC address of the client is forwarded to the RADIUS server.
Delimiter Select the delimiter the RADIUS server uses to separate the pairs in MAC addresses used as the account user name (and password). You can select Dash (–), Colon (:), or None to use no delimiters at all in the MAC address.
Case Select the case (Upper or Lower) the RADIUS server requires for letters in MAC addresses used as the account user name (and password).
Password Type Select Static to have the Switch send the password you specify below or MAC-Address to use the client MAC address as the password.
Password Type the password the Switch sends along with the MAC address of a client for authentication with the RADIUS server. You can enter up to 32 printable ASCII characters except [ ? ], [ | ], [ ' ], [ " ] or [ , ].
Timeout Specify the amount of time before the Switch allows a client MAC address that fails authentication to try and authenticate again. Maximum time is 3000 seconds.When a client fails MAC authentication, its MAC address is learned by the MAC address table with a status of denied. The timeout period you specify here is the time the MAC address entry stays in the MAC address table until it is cleared. If you specify 0 for the timeout value, the Switch uses the Aging Time configured in the Switch Setup screen.
Note: If the Aging Time in the Switch Setup screen is set to a lower value, then it supersedes this setting.

Here in this example Client's MAC and Username are “b827eb2550df” The, PI will send the MAC and password as same, which means the User and PWD are: “b827eb2550df”. Ensure the Mac address is added as the user and password without any colons.mceclip1.png

  • When using a mac address as the password, you may need to edit the server password complexity requirements to remove any enforced minimum password requirements.
    Go to Server Manager, Tools in the upper right corner, Local Security Policy, Account Policy, Password Policy and change the Minimum Password Policy Length to none. Note: Make sure you enable this option after adding all Mac Address user accounts

  • That the user can be Authenticated by AD we need a Groupe for it:


So, User and Groupe are created, and now we must configure NPS.

NPS Settings

All switches that need to authenticate a client need to be added to NPS as Radius Client.

  • Open the NPS Server Console by going to Start > Programs > Administrative Tools > Network Policy Server
  • In the Left pane, expand the RADIUS Clients and Servers option.
  • Right-click the RADIUS Clients option and select New.
  • Enter a  Name for the Zyxel-Switch.
  • Enter the IP Address of your Zyxel Switch.
  • Create and enter a RADIUS Shared Secret.
  • Press OK when finished.
  • Repeat these steps for all switches that will be used for MAC-Auth.


Now we need an NPS Connection Request Policy.


With the settings to Windows Groupe and NAS Port Type:


With the Auth Method in settings:


Now we can go on with Switch Config.

We must add First the AAA Server by navigating to: 


  • Refer to Nr 6 NPS setting is Shared Secret => Set IP and enter a RADIUS Shared Secret.

Now we must enable the Port on which MAC-Auth should be used:
(Here example the PI is connected to Port 6):

Save your configuration to not lose the configuration after reboot:


I did verification with Wireshark, and it is working:


  • You can also use Domain-Log, you will see the same:


Note: After configuring the switch you should always save your new configuration on the switch.
Otherwise, the switch will lose the changes after a reboot
Switch Configuration Lost After Power Outage or Power Cycle Issue

Setup Assistance, you´re looking for assisted configuration by our Professional Services Team? Please check here: Zyxel ConfigService Switch


Articles in this section

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.