Web Authentication
Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions. Once authentication is successful, they can then connect to the rest of the network or Internet.
The web authentication page only appears once per authentication session. Unless the session times out or the user closes the connection, the page does not appear again during the same session.
Single Sign-On
An SSO (Single Sign-On) agent integrates Domain Controller and Zyxel Device authentication mechanisms, so that users only need to log in once (a single sign-on) to get access to permitted resources.
Forced User Authentication
Instead of requiring users covered by user-aware policies to go to the Zyxel Device Login screen manually, you can configure the Zyxel Device to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet.
Note: This works with HTTP traffic only. The Zyxel Device does not display the Login screen when users attempt to send other kinds of traffic.
The Zyxel Device does not automatically route the request that prompted the login, however, so users have to make this request again.
Web Authentication General Screen
The Web Authentication General screen displays the general web portal settings and web authentication policies you have configured on the Zyxel Device. Use this screen to enable web authentication on the Zyxel Device.
Configuration > Web Authentication > General
Label
Description
Global Setting
Enable Web Authentication
Select the check box to turn on the web authentication feature. Otherwise, clear the check box to turn it off.
Once enabled, all network traffic is blocked until a client authenticates with the Zyxel Device through the specifically designated web portal or user agreement page.
Web Portal General Setting
Enable Session Page
Select this to display a page showing information on the user session after the user logs in. It displays the remaining time with an option to renew the session or log out immediately.
Logout IP
Specify an IP address that users can use to terminate their sessions manually by entering the IP address in the address bar of the web browser.
User Agreement General Setting
Enforce data collection
Select this to require users to fill in their registration information (name, telephone number, address and email address) on the User Agreement (PC or mobile) page.
Exceptional Services
Use this table to list services that users can access without logging in.
Click Add to change the list’s membership. A screen appears. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button to add them. The member services are on the right. Select any service that you want to remove from the member list, and click the left arrow button to remove them.
Keeping DNS as a member allows users’ computers to resolve domain names into IP addresses.
In the table, select one or more entries and click Remove to delete it or them.
Web Authentication Policy Summary
Use this table to manage the Zyxel Device’s list of web authentication policies.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority. Default displays for the default authentication policy that the Zyxel Device uses on traffic that does not match any exceptional service or other authentication policy. You can edit the default rule but not delete it.
Incoming Interface
This field displays the interface on which packets for this policy are received.
Source
This displays the source address object, including geographic address and FQDN (group) objects, to which this policy applies.
Destination
This displays the destination address object, including geographic address and FQDN (group) objects, to which this policy applies.
Schedule
This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled.
Authentication
This field displays the authentication requirement for users when their traffic matches this policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated. They must manually go to the login screen or user agreement page. The Zyxel Device will not redirect them to the login screen.
force - Users need to be authenticated. The Zyxel Device automatically displays the login screen or user agreement page whenever it routes HTTP traffic for users who have not logged in yet.
Authentication Type
This field displays the name of the authentication type profile used in this policy to define how users authenticate their sessions. It shows n/a if Authentication is set to unnecessary.
Description
If the entry has a description configured, it displays here. This is n/a for the default policy.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.
Creating Exceptional Services
This screen lists services that users can access without logging in. You can change the list’s membership here. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button -> to add them. The member services are on the right. Select any service that you want to remove from the member list, and click the left arrow <- button to remove them. Then click OK to apply the changes and return to the main Web Authentication screen. Alternatively, click Cancel to discard the changes and return to the main Web Authentication screen.
Creating/Editing an Authentication Policy
Use this screen to configure an authentication policy.
Configuration > Web Authentication > General > Add Authentication Policy
Label
Description
Create new Object
Use to configure any new settings objects that you need to use in this screen. Select Address or Schedule.
Enable Policy
Select this check box to activate the authentication policy. This field is available for user-configured policies.
Description
Enter a descriptive name of up to 60 printable ASCII characters for the policy. Spaces are allowed. This field is available for user-configured policies.
User Authentication Policy
Use this section of the screen to determine which traffic requires (or does not require) the senders to be authenticated in order to be routed.
Incoming Interface
Select the interface on which packets for this policy are received.
Source Address
Select a source address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. Select any if the policy is effective for every source. This is any and not configurable for the default policy.
Destination Address
Select a destination address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy.
Schedule
Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
Authentication
Select the authentication requirement for users when their traffic matches this policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated. If Force User Authentication is selected, all HTTP traffic from unauthenticated users is redirected to a default or user-defined login page. Otherwise, they must manually go to the login screen. The Zyxel Device will not redirect them to the login screen.
Single Sign-on
This field is available for user-configured policies that require Single Sign-On (SSO). Select this to have the Zyxel Device enable the SSO feature. You can set up this feature in the SSO screen.
Force User Authentication
This field is available for user-configured policies that require authentication. Select this to have the Zyxel Device automatically display the login screen when users who have not logged in yet try to send HTTP traffic.
Authentication Type
Select an authentication method.
default-web-portal: the default login page built into the Zyxel Device.
default-user-agreement: the default user agreement page built into the Zyxel Device.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
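The following is an added example, not Zyxel code, that models how the policy table above is evaluated for a single flow so the effect of a policy list can be checked before it is applied: exceptional services bypass login, policies are tried in priority order with the default policy last, "force" intercepts only HTTP, and "required" blocks until the user logs in manually. Address objects are modelled as CIDR strings and schedules as a callable; the interface names and addresses are constructed.

```python
"""Added example, not Zyxel code: a model of how the Web Authentication
policy table described above is evaluated for one flow. It encodes the
documented rules: exceptional services bypass login, policies are checked
in priority order with the default policy last, 'force' intercepts only
HTTP, and 'required' blocks until the user logs in manually. Address
objects are modelled as CIDR strings and schedules as a callable; both
are simplifications of the Zyxel objects."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass
class Flow:
    iface: str           # incoming interface, e.g. "lan1"
    src: str             # client IPv4 address
    dst: str             # destination IPv4 address
    service: str         # "DNS", "HTTP", "HTTPS", ...
    authenticated: bool  # has this client already logged in?

@dataclass
class Policy:
    authentication: str  # "unnecessary" | "required" | "force" (Summary column)
    iface: str = "any"
    src: str = "any"     # address object as CIDR; "any" matches everything
    dst: str = "any"
    schedule: Optional[Callable[[datetime], bool]] = None  # None == "none"
    active: bool = True
    description: str = ""

def _addr_match(obj: str, ip: str) -> bool:
    return obj == "any" or ip_address(ip) in ip_network(obj, strict=False)

def policy_matches(p: Policy, f: Flow, now: datetime) -> bool:
    return (p.active
            and p.iface in ("any", f.iface)
            and _addr_match(p.src, f.src)
            and _addr_match(p.dst, f.dst)
            and (p.schedule is None or p.schedule(now)))

def decide(f: Flow, exceptional: set, policies: list, default: Policy,
           now: Optional[datetime] = None) -> str:
    """Return 'allow', 'redirect-to-login' or 'block' for one flow."""
    now = now or datetime.now()
    if f.service in exceptional:                 # e.g. DNS, usable before login
        return "allow"
    # Priority order: the first matching active policy wins, else the default policy.
    rule = next((p for p in policies if policy_matches(p, f, now)), default)
    if rule.authentication == "unnecessary" or f.authenticated:
        return "allow"
    if rule.authentication == "force" and f.service == "HTTP":
        return "redirect-to-login"               # only HTTP is intercepted
    return "block"                               # user must log in manually first

# Constructed sample configuration (hypothetical interface names and addresses).
EXCEPTIONAL = {"DNS"}
POLICIES = [
    Policy("unnecessary", iface="lan1", dst="192.0.2.10/32", description="printer"),
    Policy("unnecessary", iface="lan1", src="192.0.2.0/24", active=False,
           description="inactive: skipped even though it would match"),
    Policy("force", iface="lan1", schedule=lambda t: 8 <= t.hour < 18,
           description="office hours"),
]
DEFAULT = Policy("required", description="default policy")

def evaluate(service: str, dst: str, authenticated: bool, hour: int) -> str:
    """Decision for a lan1 client at 192.0.2.50 on a weekday at the given hour."""
    f = Flow("lan1", "192.0.2.50", dst, service, authenticated)
    return decide(f, EXCEPTIONAL, POLICIES, DEFAULT, datetime(2024, 1, 15, hour))
```

Note that an unauthenticated HTTPS request under the "force" policy is simply blocked rather than redirected, and that outside office hours the default "required" policy applies, so even HTTP is blocked until the user opens the login page manually.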
User-aware Access Control Example
You can configure many policies and security settings for specific users or groups of users. Users can be authenticated locally by the Zyxel Device or by an external (RADIUS) authentication server.
In this example the users are authenticated by an external RADIUS server at 172.16.1.200. First, set up the user accounts and user groups in the Zyxel Device. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above.
Set Up User Accounts
Set up user accounts in the RADIUS server. This example uses the Web Configurator. If you can export user names from the RADIUS server to a text file, then you might configure a script to create the user accounts instead.
1 Click Configuration > Object > User/Group > User. Click the Add icon.
2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK.
3 Repeat this process to set up the remaining user accounts.
Set Up User Groups
Set up the user groups and assign the users to the user groups.
1 Click Configuration > Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group. In this example, it is “Finance”. Then, select Object/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
3 Repeat this process to set up the remaining user groups.
Set Up User Authentication Using the RADIUS Server
This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the Zyxel Device to use the authentication method. Finally, force users to log into the Zyxel Device before it routes traffic for them.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key. Click OK.
2 Click Configuration > Object > Auth. Method. Double-click the default entry. Click the Add icon. Select group radius because the Zyxel Device should use the specified RADIUS server for authentication. Click OK.
3 Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply.
4 In the Web Authentication Policy Summary section, click the Add icon to set up a default policy that has priority over other policies and forces every user to log into the Zyxel Device before the Zyxel Device routes traffic for them.
5 Select Enable Policy. Enter a descriptive name, “default_policy” for example. Set the Authentication field to required, and make sure Force User Authentication is selected. Select an authentication type profile (“default-web-portal” in this example). Keep the rest of the default settings, and click OK.
Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN.
When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server.
User Group Authentication Using the RADIUS Server
The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key, set the Group Membership Attribute field to the attribute that the Zyxel Device is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.
2 Now you add ext-group-user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon.
Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.
3 Repeat this process to set up the remaining groups of user accounts.
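The following is an added example, not Zyxel code, showing the group lookup the steps above configure: a RADIUS Access-Accept is parsed, its Response Authenticator is verified with the shared key, and the Class attribute value is matched against the Group Identifier of the configured ext-group-user objects. It goes beyond the manual by checking the packet itself (RFC 2865 layout); the reply packet, key and Request Authenticator are constructed, and the rule that the first matching Class value wins is an assumption.

```python
"""Added example, not Zyxel code: parses a RADIUS Access-Accept, verifies its
Response Authenticator with the shared key configured on the RADIUS server
object, and maps the Class attribute (the Group Membership Attribute in the
steps above) to the configured ext-group-user object. The reply packet and
key are constructed here so the code runs offline."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

ACCESS_ACCEPT = 2   # RADIUS Code for Access-Accept (RFC 2865)
ATTR_CLASS = 25     # RADIUS attribute type for Class

@dataclass(frozen=True)
class ExtGroupUser:
    name: str              # Zyxel user object of type ext-group-user
    group_identifier: str  # must equal the attribute value sent by RADIUS
    aaa_server: str = "radius"  # Associated AAA Server Object

def parse_attributes(data: bytes) -> list:
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]          # Length covers type and length bytes
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def verify_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> list:
    """Return the attributes of an Access-Accept whose authenticator verifies."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if expected != pkt[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong key or altered reply")
    return parse_attributes(pkt[20:])

def resolve_group(attrs: list, groups: list, server: str = "radius",
                  membership_attr: int = ATTR_CLASS) -> Optional[ExtGroupUser]:
    """Pick the ext-group-user whose Group Identifier equals a group attribute value.
    The attribute may repeat; the first configured match wins (an assumption here)."""
    wanted = {(g.aaa_server, g.group_identifier): g for g in groups}
    for t, v in attrs:
        if t == membership_attr:
            g = wanted.get((server, v.decode("utf-8", "replace")))
            if g:
                return g
    return None

def build_accept(ident: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Constructed Access-Accept, as a RADIUS server would send it (demo only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

# Constructed sample data: the four groups from the example and a reply for one user.
GROUPS = [ExtGroupUser(n, n) for n in ("Finance", "Engineer", "Sales", "Boss")]
SECRET = b"constructed-shared-key"          # the RADIUS object's "key"
REQ_AUTH = bytes(range(16))                  # placeholder Request Authenticator
REPLY = build_accept(7, REQ_AUTH, SECRET, [(ATTR_CLASS, b"Finance"), (11, b"allow-all")])

def demo() -> str:
    group = resolve_group(verify_accept(REPLY, REQ_AUTH, SECRET), GROUPS)
    return group.name if group else "no matching ext-group-user"
```

A reply whose authenticator does not verify (wrong key, or a Class value changed in transit) is rejected before any group is assigned, and a Class value with no matching Group Identifier yields no group.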
Authentication Type Screen
Use this screen to view, create and manage the authentication type profiles on the Zyxel Device. An authentication type profile decides which type of web authentication page is used for user authentication.
Configuration > Web Authentication > Authentication Type
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This field is a sequential value, and it is not associated with a specific entry.
Name
This field displays the name of the profile.
default-web-portal: the default login page built into the Zyxel Device.
*You can also customize the default login page built into the Zyxel Device in the System > WWW > Login Page screen.
default-user-agreement: the default user agreement page built into the Zyxel Device.
Type
This field displays the type of the web authentication page used by this profile.
Web Page
This field displays whether this profile uses the default web authentication page built into the Zyxel Device (System Default Page) or custom web authentication pages from an external web server (External Page).
Reset
Click Reset to return the screen to its last-saved settings.
Add/Edit an Authentication Type Profile
The screen differs depending on what you select in the Type field.
Configuration > Web Authentication > Authentication Type: Add/Edit
Label
Description
Type
Select the type of the web authentication page through which users authenticate their connections.
If you select User Agreement, users can access the Internet without a guest account by agreeing to the terms of the user agreement.
Profile Name
Enter a name for the profile.
You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are not allowed. The first character must be a letter.
The following fields are available if you set Type to Web Portal.
Internal Web Portal
Select this to use the web portal pages uploaded to the Zyxel Device.
The login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network.
Preview
Select to display the page you uploaded to the Zyxel Device in a new frame.
*You must select a custom file uploaded to the Zyxel Device before you can preview the pages.
Customize file
Select the file name of the web portal file in the Zyxel Device.
*You can upload zipped custom web portal files to the Zyxel Device using the Configuration > Web Authentication > Web Portal Customize File screen.
External Web Portal
Select this to use a custom login page from an external web portal instead of the one uploaded to the Zyxel Device. You can configure the look and feel of the web portal page.
Login URL
Specify the login page’s URL; for example, http://IIS server IP Address/login.html.
Logout URL
Specify the logout page’s URL; for example, http://IIS server IP Address/logout.html.
Welcome URL
Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html.
Users will be redirected to the welcome page after authentication. This field is optional.
Session URL
Specify the session page’s URL; for example, http://IIS server IP Address/session.html.
Error URL
Specify the error page’s URL; for example, http://IIS server IP Address/error.html.
In these examples, the Internet Information Server (IIS) is the web server on which the web portal files are installed.
Download
Click this to download an example external web portal file for your reference.
The following fields are available if you set Type to User Agreement.
Enable Idle Detection
This is applicable for access users.
Select this check box if you want the Zyxel Device to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The Zyxel Device automatically logs out the access user once the Idle timeout has been reached.
Idle timeout
This is applicable for access users.
This field is effective when Enable Idle Detection is checked. Type the number of minutes each access user can be logged in and idle before the Zyxel Device automatically logs out the access user.
Reauthentication Time
Enter the number of minutes the user can be logged into the Zyxel Device in one session before having to log in again.
Internal User Agreement
Select this to use the user agreement pages in the Zyxel Device. The user agreement page appears whenever the Zyxel Device intercepts network traffic, preventing unauthorized users from gaining access to the network.
Preview
Select to display the page you uploaded to the Zyxel Device in a new frame.
*You must select a custom file uploaded to the Zyxel Device before you can preview the pages.
Customize file
Select the file name of the user agreement file in the Zyxel Device.
*You can upload zipped custom user agreement files to the Zyxel Device using the Configuration > Web Authentication > User Agreement Customize File screen.
External User Agreement
Select this to use custom user agreement pages from an external web server instead of the default one built into the Zyxel Device. You can configure the look and feel of the user agreement page.
Agreement URL
Specify the user agreement page’s URL; for example, http://IIS server IP Address/logout.html.
Welcome URL
Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html.
If you leave this field blank, the Zyxel Device uses the welcome page of the internal user agreement file.
In these examples, the Internet Information Server (IIS) is the web server on which the user agreement files are installed.
Download
Click this to download an example external user agreement file for your reference.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Custom Web Portal / User Agreement File Screen
Use this screen to upload the zipped custom web portal or user agreement files to the Zyxel Device. You can also download the custom files to your computer. The following table describes the labels in this screen.
Configuration > Web Authentication > Custom Web Portal / User Agreement File
Label
Description
Remove
Click a file’s row to select it and click Remove to delete it from the Zyxel Device.
Download
Click a file’s row to select it and click Download to save the zipped file to your computer.
#
This column displays the index number for each file entry. This field is a sequential value, and it is not associated with a specific entry.
File Name
This column displays the label that identifies a web portal or user agreement file.
Size
This column displays the size (in KB) of a file.
Last Modified
This column displays the date and time that the individual files were last changed or saved.
Browse / Upload
Click Browse... to find the zipped file you want to upload, then click the Upload button to put it on the Zyxel Device.
Download
Click this to download an example external web portal or user agreement file for your reference.
SSO Overview
The SSO (Single Sign-On) function integrates Domain Controller and Zyxel Device authentication mechanisms, so that users just need to log in once (single login) to get access to permitted resources.
Note: The Zyxel Device, the DC, the SSO agent and the AD server must all be in the same domain and be able to communicate with each other.
SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with a Windows AD (Active Directory) authentication database.
You must enable Web Authentication in the Configuration > Web Authentication screen.
SSO - Zyxel Device Configuration
This section shows what you have to do on the Zyxel Device in order to use SSO.
Zyxel Device - SSO Agent Field Mapping
Zyxel Device screen: field  <->  SSO agent screen: field
Web Authentication > SSO: Listen Port  <->  Agent Configuration Page > Gateway Setting: Gateway Port
Web Authentication > SSO: Primary Agent Port  <->  Agent Configuration Page: Agent Listening Port
Object > User/Group > User > Add: Group Identifier  <->  Agent Configuration Page > Configure LDAP/AD Server: Group Membership
Object > AAA Server > Active Directory > Add: Base DN  <->  Agent Configuration Page > Configure LDAP/AD Server: Base DN
Object > AAA Server > Active Directory > Add: Bind DN  <->  Agent Configuration Page > Configure LDAP/AD Server: Bind DN
Object > User/Group > User > Add: User Name  <->  Agent Configuration Page > Configure LDAP/AD Server: Login Name Attribute
Object > AAA Server > Active Directory > Add: Server Address  <->  Agent Configuration Page > Configure LDAP/AD Server: Server Address
Network > Interface > Ethernet > wan (IPv4): IP address  <->  Agent Configuration Page > Gateway Setting: Gateway IP
Configure the Zyxel Device to Communicate with SSO
Use Configuration > Web Authentication > SSO to configure how the Zyxel Device communicates with the Single Sign-On (SSO) agent.
The following table gives an overview of the objects you can configure.
Configuration > Web Authentication > SSO
Label
Description
Listen Port
The default agent listening port is 2158. If you change it on the Zyxel Device, then change it to the same number in the Gateway Port field on the SSO agent too. Type a number ranging from 1025 to 65535.
Agent PreShareKey
Type 8-32 printable ASCII characters or exactly 32 hex characters (0-9; a-f). The Agent PreShareKey is used to encrypt communications between the Zyxel Device and the SSO agent.
Primary Agent
Type the IPv4 address of the SSO agent. The Zyxel Device and the SSO agent must be in the same domain and be able to communicate with each other.
Primary Agent Port
Type the same port number here as in the Agent Listening Port field on the SSO agent. Type a number ranging from 1025 to 65535.
Secondary Agent Address (Optional)
Type the IPv4 address of the backup SSO agent if there is one. The Zyxel Device and the backup SSO agent must be in the same domain and be able to communicate with each other.
Secondary Agent Port (Optional)
Type the same port number here as in the Agent Listening Port field on the backup SSO agent if there is one. Type a number ranging from 1025 to 65535.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.