Type | Abilities | Login Method(s) |
---|---|---|
Local Administrator | ||
admin | Change the Zyxel Device settings (web, CLI) | WWW, SSH, FTP, Console |
viewer | Look at the Zyxel Device settings (web configurator, CLI). Perform basic diagnostics (CLI). | WWW, SSH, Console |
User | ||
user | Access network services | WWW |
External User (ext-user) | A user that is authenticated using an AD, LDAP or RADIUS authentication server. | WWW |
External Group User (ext-user) | A user group whose members are authenticated using an AD, LDAP or RADIUS authentication server. | WWW |

Label | Description |
---|---|
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Local Administrator | Use this table to view and configure the Zyxel Device admin accounts. |
Name | This field displays the user name of each user. |
User Type | This field displays the admin accounts the Zyxel Device uses. Admin accounts are users that can look at and change the configuration of the Zyxel Device. Viewer accounts are users that can just look at the configuration of the Zyxel Device. |
Description | This field displays the description for each user. |
Created Date | This field displays the date the account was created. This field displays "-" if the account was created before the Zyxel Device upgraded firmware to version 5.10 or later. |
Password Changed Date | This field displays the last time the user changed the account password. |
Reference | This displays the number of times an object reference is used in a profile. |
User | Use this table to configure the Zyxel Device: • User accounts. • Ext-user accounts. |
Name | This field displays the user name of each user. |
User Type | This field displays the types of user accounts the Zyxel Device uses: • User - this user has access to the Zyxel Device’s services and can also browse user-mode commands (CLI). • External (Group) User - this user account is maintained in a remote server, such as RADIUS or LDAP. |
Description | This field displays the description for each user. |
Created Date | This field displays the date the account is created. |
Password Changed Date | This field displays the last time the user changes the account password. |
Reference | This displays the number of times an object reference is used in a profile. |

Label | Description |
---|---|
User Name | Type the user name for this user account. You may use 1-30 alphanumeric characters, periods (.), at signs (@), underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different from user group names, and some words are reserved. |
User Type | Select the type of user account the Zyxel Device uses for the Local Administrator account from the drop-down list box. • Admin - this user can configure the Zyxel Device settings using the web configurator or CLI. • Viewer - this user can only view the Zyxel Device settings using the web configurator and perform basic diagnostics for troubleshooting using the command line interface (CLI). Select the type of user account the Zyxel Device uses for the User account from the drop-down list box: • User - this user has access to the Zyxel Device’s services and can also browse user-mode commands (CLI). • External User - this user account is maintained on a remote server, such as RADIUS or LDAP. |
Password | This field is not available if you select the External User type. Enter a password consisting of 4 to 63 characters for this user account, including [0-9] [a-z] [A-Z] [’(){}<>^‘+/:!*#@&=$\.~%,|;-”]. If the Password Policy is enabled in the User & Authentication > User/Group > Setting screen, the password criteria might be different. See Password Policy Setting Screen for more information. |
Retype | This field is not available if you select the External User type. |
Description | Enter the description of each user, if any. You can use 1 to 30 single-byte characters, including 0-9a-zA-Z!”#$%’()*+,-/:;=?@_ &.<>[\]{|}^‘are not allowed. Default descriptions are provided. |
Email | Type one or more valid email addresses for this user so that email messages can be sent to this user if required. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com. |
Mobile Number | Type a valid mobile telephone number for this user so that SMS messages can be sent to this user if required. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-]. |
Authentication Timeout Settings | If you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow. |
Lease Time | If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown. If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. |
Reauthentication Time | If you select Use Default Settings in the Authentication Timeout Settings field, the default reauthentication time is shown. If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out. |
Enable Two-Factor Authentication for Admin Access | This field is available when you are editing a local administrator account. Enable this to require double-layer security to access a secured network behind the Zyxel Device via the Web Configurator. |
Apply | Click Apply to save your customized settings and exit this screen. |
Cancel | Click Cancel to return the screen to its last-saved settings. |

Label | Description |
---|---|
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group. |
Group Name | This field displays the name of each user group. |
Description | This field displays the description for each user group. |
Members | This field lists the members in the user group. Each member is separated by a comma. |
Reference | This displays the number of times an object reference is used in a profile. |

Label | Description |
---|---|
Name | Type the name for this user group. You may use 2-30 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different from user names. |
Description | Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces. |
Add Object | Click this button to create a new user account. |
Search | Type an item in the search box, then click this to display all user accounts in the table below according to the item you typed. |
Select All | Select this to select all user accounts and user groups in the table. |
Member List | This list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select items from the list on the left that you want to be members and move them to the list on the right. Move any members you do not want included to the list on the left. |
Apply | Click Apply to save your customized settings and exit this screen. |
Cancel | Click Cancel to return the screen to its last-saved settings. |

Label | Description |
---|---|
User Default Settings | |
Default Authentication Timeout Settings | These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings. |
Edit | Select an entry and click this icon to modify it. |
Save Changes | Click this icon to save the changes in this row. |
Cancel Changes | Click this icon to cancel the changes in this row. |
User Type | These are the kinds of user account the Zyxel Device supports. • admin - this user can look at and change the configuration of the Zyxel Device • user - this user has access to the Zyxel Device’s services but cannot look at the configuration • ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. • viewer - this user can look at the configuration of the Zyxel Device |
Lease Time | This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. To edit the lease time, enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. |
Reauthentication Time | This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the Zyxel Device in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out. To edit the reauthentication time, enter the number of minutes this type of user account can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. |
Miscellaneous Settings | |
Auto renew lease time | Enable to let access users renew lease time automatically. |
Admin User Type Login Security | |
Force change password | Enable to force local admin type users to change their password after the specified period of time when they log into the Zyxel Device. If the Password Policy is enabled, you will then be required to change your password to comply with the new rules. |
Period | Enter how often users must change their password when they log into the Zyxel Device. You can choose from once a day to once a year. |
Password Policy | |
Enabled | Enable this to set minimum length and character rules for the web configurator login password. The new password rules will take effect the next time you change your password. |
Name | This field displays the user name of the account. |
Setting | Click this to set minimum length and character rules for the web configurator login password. See Password Policy Setting Screen for more information. |
User Logon Settings | |
Limit simultaneous admin logons enable | Enable to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can login as many times as they want at the same time using the same or different IP addresses. |
Maximum number per admin account | Type the maximum number of simultaneous logins by each admin user. |
Limit the simultaneous access logons enable | Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can login as many times as they want as long as they use different IP addresses. |
Maximum number per access account | Type the maximum number of simultaneous logins by each access user. |
Reach maximum number per account | Set the action the Zyxel Device will take when the limit you set for the number of simultaneous logins by admin users or non-admin users has been exceeded. Select Block to have the Zyxel Device block any accounts that try to log in. Select Remove previous user and login to have the Zyxel Device remove the most recently login account |
User Lockout Settings | |
Enable logon retry limit enable | Enable to set a limit on the number of times each user can login unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time. |
Maximum retry count | This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can login unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99. |
Lockout period | This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to login again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days). |
Apply | Click Apply to save the changes. |
Cancel | Click Cancel to return the screen to its last-saved settings. |
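
How Lease Time, Reauthentication Time and Auto renew lease time interact, as the table above describes them, modelled in an added example (not Zyxel code; it assumes nothing about the firmware beyond what the table states). `SessionTimers` and its method names are hypothetical, and time is counted in minutes since login.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_MINUTES = 1440   # upper bound the table gives for both timers
UNLIMITED = 0        # "You can enter 0 to make the number of minutes unlimited"


def check_minutes(value: int, field: str) -> int:
    """Accept 0 (unlimited) or 1..1440 minutes, the range the table states."""
    if isinstance(value, bool) or not isinstance(value, int) \
            or not 0 <= value <= MAX_MINUTES:
        raise ValueError(f"{field}: expected 0 or 1-{MAX_MINUTES}, got {value!r}")
    return value


@dataclass(frozen=True)
class SessionTimers:
    """Hypothetical model of one account's authentication timeout settings."""
    lease_min: int    # Lease Time
    reauth_min: int   # Reauthentication Time

    def __post_init__(self):
        check_minutes(self.lease_min, "Lease Time")
        check_minutes(self.reauth_min, "Reauthentication Time")

    def _hard_stop(self) -> Optional[float]:
        # Reauthentication Time counts from login and cannot be renewed.
        return None if self.reauth_min == UNLIMITED else float(self.reauth_min)

    def session_end(self, renewals: Iterable[float] = ()) -> Tuple[Optional[float], str]:
        """Return (minute the session ends, timer that ended it).

        `renewals` are the minutes at which the session was renewed: a main
        screen refresh for admin users, the Renew button for access users.
        A renewal that arrives after the session is already over is ignored.
        """
        hard_stop = self._hard_stop()
        if self.lease_min == UNLIMITED:
            return (hard_stop, "reauthentication") if hard_stop is not None \
                else (None, "never")
        lease_deadline = float(self.lease_min)
        for t in sorted(renewals):
            if t >= lease_deadline or (hard_stop is not None and t >= hard_stop):
                break
            lease_deadline = float(t) + self.lease_min
        if hard_stop is not None and hard_stop <= lease_deadline:
            return (hard_stop, "reauthentication")
        return (lease_deadline, "lease")

    def session_end_auto_renew(self) -> Tuple[Optional[float], str]:
        """With Auto renew lease time in use the lease never lapses, so only
        the Reauthentication Time can end the session."""
        hard_stop = self._hard_stop()
        if hard_stop is None:
            return (None, "never")
        return (hard_stop, "reauthentication")


if __name__ == "__main__":
    timers = SessionTimers(lease_min=5, reauth_min=30)
    # Constructed scenarios: an active user renewing every 4 minutes,
    # and a user who renews once and then walks away.
    print(timers.session_end(range(4, 120, 4)))
    print(timers.session_end([4]))
    # Auto renew combined with an unlimited reauthentication time.
    print(SessionTimers(5, UNLIMITED).session_end_auto_renew())
```

A result of `(None, "never")` marks a combination of settings under which the session is not ended by either timer.
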
Label | Description |
---|---|
Enable | Enable this to set the following rules on the web configurator login password. |
Minimum password length | Enable this and enter a number from 4-20 to specify the minimum number of characters for the web configurator login password. |
At least one upper case | Enable this to require the web configurator login password to include at least one uppercase letter (A-Z). |
At least one digit | Enable this to require the web configurator login password to include at least one number (0-9). |
At least one special character | Enable this to require the web configurator login password to include at least one special character, including ['`"~!@#$%^&*()\_-+={}|,<>/:;.]. |
OK | Click OK to save your customized settings and exit this screen. |
Cancel | Click Cancel to return the screen to its last-saved settings. |
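
A pre-check for the password rules in the table above, useful before pushing credentials from a provisioning script. This is an added example, not Zyxel code: `PasswordPolicy`, `violations` and `audit` are hypothetical names, the sample accounts are constructed, and the `\_` in the printed special-character list is assumed to be an escaped underscore.

```python
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

# Special characters as printed in the "At least one special character" row.
# Assumption: "\_" there is an escaped underscore, so the backslash itself
# is not counted as a special character.
POLICY_SPECIALS = set("'`\"~!@#$%^&*()_-+={}|,<>/:;.")

# Length range of the Password field on the user add/edit screen.
ACCOUNT_MIN_LEN, ACCOUNT_MAX_LEN = 4, 63


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical mirror of the Password Policy Setting screen."""
    enabled: bool = True
    min_length: Optional[int] = None   # None: "Minimum password length" is off
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False

    def __post_init__(self):
        # The screen accepts a minimum length from 4 to 20.
        if self.min_length is not None and not 4 <= self.min_length <= 20:
            raise ValueError("Minimum password length must be 4-20")

    def violations(self, password: str) -> List[str]:
        """Return the rules the password breaks; an empty list means it passes."""
        problems = []
        if not ACCOUNT_MIN_LEN <= len(password) <= ACCOUNT_MAX_LEN:
            problems.append("length must be 4 to 63 characters")
        if not self.enabled:
            return problems
        if self.min_length is not None and len(password) < self.min_length:
            problems.append(f"shorter than minimum length {self.min_length}")
        if self.require_upper and not any(c in string.ascii_uppercase for c in password):
            problems.append("no uppercase letter (A-Z)")
        if self.require_digit and not any(c in string.digits for c in password):
            problems.append("no digit (0-9)")
        if self.require_special and not any(c in POLICY_SPECIALS for c in password):
            problems.append("no special character from the policy list")
        return problems


def audit(policy: PasswordPolicy, credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each account name to its violations, leaving out compliant accounts."""
    report = {}
    for name, password in credentials.items():
        problems = policy.violations(password)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, require_upper=True,
                            require_digit=True, require_special=True)
    # Constructed sample accounts, not real credentials.
    sample = {
        "netops": "Correct-Horse-7-Staple",
        "audit1": "alllowercase",
        "temp": "Ab1\\",
    }
    for account, problems in audit(policy, sample).items():
        print(account, problems)
```
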
Label | Description |
---|---|
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
References | Select an entry and click References to open a screen that shows which settings use the entry. |
Join Domain | Select an entry and click Join Domain to open a screen where you can add the AD server to the same domain as the Zyxel Device for central authentication management. See Join an AD Domain for more information. |
Remove From Domain | Select an entry and click Remove From Domain to remove the entry from the same domain as the Zyxel Device. The AD server is not isolated if it is not in the same domain as the Zyxel Device. You may do this for non-central authentication management such as when managing the Zyxel Device through NCC. |
Name | This field displays the name of the AD, LDAP or RADIUS server. |
Server Address | This is the address of the AD, LDAP or RADIUS server. |
Domain Name | This is the domain name of the AD, LDAP or RADIUS server. |
Reference | This is the number of times the entry is used in other settings. |

Label | Description |
---|---|
Configuration | |
Name | Enter a descriptive name for identification purposes. Use up to 31 single-byte characters, including 0-9a-zA-Z_-. |
Description | Enter the description of each server, if any. The value cannot exceed 61 characters. Valid characters are [0-9][a-z][A-Z]['()+,/:=?;!*#@$_%-"]. |
Server Settings | |
Server Address | Enter the IPv4 address of the AD server. |
Backup Server Address | If the AD server has a backup server, enter its address here. |
Port | Specify the port number on the AD or LDAP server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD server(s) in this group. |
Use SSL | Select Use SSL to establish a secure connection to the AD server(s) from the Zyxel Device. |
Search time limit | Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the AD server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD server(s) or the AD server(s) is down. |
Case-sensitive User Names | Select this if the AD server checks the case of usernames. |
Server Authentication | |
Domain Name | Enter the domain name to which the AD server belongs. The Zyxel Device uses this to access the AD server. |
User Name | Enter the user name that the Zyxel Device uses to access the AD server. |
Password | Enter the password that the Zyxel Device uses to access the AD server. |
Retype to Confirm | Retype your new password for confirmation. |
Advanced Settings | |
User Attributes | |
Search Base | An Active Directory server has a hierarchical structure for user account entries. The search base is where the search starts for user account entries. This can help to make the authentication procedure faster. To limit the search to begin in a container beneath the root of the domain, you must specify the fully-qualified name of the container in comma-delimited form. Start with the name of the base container and progress to the root of the domain. The search string is not case-sensitive; you can use either uppercase or lowercase letters. The entry cannot exceed 128 characters. Valid characters are [0-9][a-z][A-Z][_(){}<>^`+/:!*#@&=$. ~%,;]. |
Login Name Attribute | Enter the type of identifier the users are to use to log in. For example “name” or “email address”. |
Alternative Login Name Attribute | If there is a second type of identifier that the users can use to log in, enter it here. For example “name” or “email address”. |
Group Membership Attribute | An AD server defines attributes for its accounts. Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD” and a third for “management”. |
Configuration Validation | |
User Name | Enter an existing user account in this server to validate the above settings. Click the Test button |
Apply | Click Apply to save the changes. |
Cancel | Click Cancel to return the screen to its last-saved settings. |

Label | Description |
---|---|
Associated AD Server Object | This field shows the name of the AD server object. |
AD Domain Name | This field shows the AD server domain name you want the Zyxel Device to join. |
NetBIOS Domain Name | Type the NetBIOS name. This field is required by the AD server to join its AD domain. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN which allows local computers to find computers on the remote network and vice versa. The name must begin with a letter and cannot exceed 15 characters. Valid characters are [0-9][a-z][A-Z][_-.]. |
User Name | Enter the user name for the Zyxel Device to access the AD server. The value must be 1 to 20 characters long. Valid characters are [0-9][a-z][A-Z][_(){}<>[]^`+/:!*#@&=$\?.~%,|;-'" ]. |
Password | Enter the password associated with the user name. The value must be 4 to 63 characters long. Valid characters are [0-9][a-z][A-Z][_(){}<>^`+/:!*#@&=$\?.~%,|;-'"]. |
Retype to Confirm | Retype the password you entered in the Password field to confirm. |
Apply | Click Apply to save the changes. |
Cancel | Click Cancel to return the screen to its last-saved settings. |

Label | Description |
---|---|
Configuration | |
Name | Enter a descriptive name for identification purposes. Use up to 31 single-byte characters, including 0-9a-zA-Z_-. |
Description | Enter the description of each server, if any. Use up to 61 single-byte characters, including 0-9a-zA-Z'()+,/:=?;!*#@$_%-". |
Server Settings | |
Server Address | Enter the IPv4 address of the LDAP server. |
Backup Server Address | If the LDAP server has a backup server, enter its address here. |
Port | Specify the port number on the LDAP server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all LDAP server(s) in this group. |
Base DN | A base DN is the point from where a server will search for users. The entry cannot exceed 128 characters. Valid characters are [0-9][a-z][A-Z][_(){}<>^`+/:!*#@&=$. ~%,;]. |
Use SSL | Select Use SSL to establish a secure connection to the LDAP server(s). |
Search time limit | Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the LDAP server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the LDAP server(s) or the LDAP server(s) is down. |
Case-sensitive User Names | Select this if you want to configure your username as case-sensitive. |
Server Authentication | |
Bind DN | A bind DN is an object that you bind to inside LDAP to give you permission to make changes. The entry cannot exceed 128 characters. Valid characters are [0-9][a-z][A-Z][_(){}<>^`+/:!*#@&=$. ~%,;]. |
Password | Enter the password that the Zyxel Device uses to access the LDAP server. |
Retype to Confirm | Retype your new password for confirmation. |
Advanced Settings | |
User Attributes | |
Login Name Attribute | Enter the type of identifier the users are to use to log in. For example “name” or “email address”. |
Alternative Login Name Attribute | If there is a second type of identifier that the users can use to log in, enter it here. For example “name” or “email address”. |
Group Membership Attribute | An LDAP server defines attributes for its accounts. Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD” and a third for “management”. |
Apply | Click Apply to save the changes. |
Cancel | Click Cancel to return the screen to its last-saved settings. |

Label | Description |
---|---|
Name | Enter a descriptive name for identification purposes. Use up to 30 single-byte characters, including 0-9a-zA-Z_-. |
Description | Enter the description of each server, if any. Use up to 61 single-byte characters, including 0-9a-zA-Z'()+,/:=?;!*#@$_%-". |
Server Address | Enter the IPv4 address or FQDN of the RADIUS server. |
Authentication Port | Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. |
Backup Server Address | If the RADIUS server has a backup server, enter its address here. |
Backup Authentication Port | Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. |
Key | Enter a password (up to 63 single-byte characters, including 0-9a-zA-Z_(){}<>^`+/:!*#@&=$\?.~%,|;-) as the key to be shared between the external authentication server and the Zyxel Device. Your password will be encrypted when you configure this field. The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device. |
Change of Authorization | The external RADIUS server can change its authentication policy and send CoA (Change of Authorization) or RADIUS Disconnect messages in order to terminate the subscriber’s service. Select this option to allow the Zyxel Device to disconnect wireless clients based on the information (such as client’s user name and MAC address) specified in CoA or RADIUS Disconnect messages sent by the RADIUS server. |
Server Address | Enter the IPv4 address or Fully-Qualified Domain Name (FQDN) of the RADIUS accounting server. |
Accounting Port | Specify the port number on the RADIUS server to which the Zyxel Device sends accounting information. Enter a number between 1 and 65535. |
Backup Server Address | If the RADIUS server has a backup accounting server, enter its address here. |
Backup Accounting Port | Specify the port number on the RADIUS server to which the Zyxel Device sends accounting information. Enter a number between 1 and 65535. |
Key | Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Zyxel Device. The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device. |
Timeout | Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. |
NAS IP Address | Type the IP address of the NAS (Network Access Server). |
NAS Identifier | If the RADIUS server requires the Zyxel Device to provide the Network Access Server identifier attribute with a specific value, enter it here. |
Case-sensitive User Names | Select this if the RADIUS server requires case-sensitive usernames. Make sure usernames are configured correctly on the Zyxel Device. |
Group Membership Attribute | A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the Zyxel Device is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number. This attribute’s value is called a group identifier; it determines to which group a user belongs. |
Apply | Click Apply to save the changes. |
Cancel | Click Cancel to return the screen to its last-saved settings. |

Label | Description |
---|---|
Enable | Enable this to require double-layer security to access the Zyxel Device via the Web Configurator or SSH. |
Valid Time | Enter the maximum time (in minutes) within which the user must enter the key received in Google Authenticator. |
Two-factor Authentication for Services | Select which services require Two-Factor Authentication for the admin user. You must select at least one. • Web • SSH |
VPN Access | |
Enable | Enable this to require double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel. |
Valid time | Enter the maximum time (in minutes) within which the user must enter the key received in Google Authenticator in order to get authorization for access to a secured network behind the Zyxel Device via a VPN tunnel. |
Two-factor Authentication for Services | Select which types of VPN tunnels require Two-Factor Authentication for the admin user. You must select at least one. You should have configured the VPN tunnel first. • SSL VPN Access • IPSec VPN Access |
Delivery Settings | Use this section to configure how to send the VPN link. |
Authorize Link URL Address | Configure the link that the user will receive. The user must be able to access the link. • http/https: you must enable HTTP or HTTPS in System > Settings • From Interface/User-Defined: select the Zyxel Device WAN interface (ge3/4) or select User-Defined and then enter an IP address or domain name. |
Authorized Port | Configure a port between 1 and 65535 that is not in use by other services. Use this port for two-factor authentication of VPN clients to access the network behind the Zyxel Device. VPN clients do not need to change the port number on their devices, because the link to access the network behind the Zyxel Device will contain the new port number. You must configure a security policy to allow access to this port from the WAN. |
Apply | Click Apply to save the changes. |
Cancel | Click Cancel to return the screen to its last-saved settings. |