ZyXEL NXC

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration required on the ZyXEL NXC2500 equipment for integration with the Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the Guest and Enterprise module configurations to work, the Octopus platform licenses with the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 WLAN Settings

First of all, to configure the external captive portal in the NXC2500 controller, it is necessary to add a new SSID or edit an existing one. Go to Configuration > Object > AP Profile and open the SSID tab.

  • Profile Name: WiFi_GUEST

  • SSID: SSID name that will be visible to the wireless users.

  • VLAN ID: set the VLAN associated with the SSID.

 

2.2 Radius Server

Then, it is required to add the Radius Server that will receive the user's authentication requests. Go to Configuration > Object > AAA Server and open the RADIUS tab. Once the RADIUS tab is displayed, click Add to configure a new Radius Server with the following parameters:

  • Name: RADIUS

  • Authentication Server Settings

    • Server Address: <IP_Radius_1>

    • Authentication Port: 1812

    • Backup Server Address: <IP_Radius_2>

    • Backup Authentication Port: 1812

    • Key: <Secret>

 

  • Accounting Server Settings

    • Server Address: <IP_Radius_1>

    • Accounting Port: 1813

    • Backup Server Address: <IP_Radius_2>

    • Backup Authentication Port: 1813

    • Key: <Secret>

    • Accounting Interim Update: check this box.

    • Interim Interval: 10

  • General Server Settings:

    • Timeout: 5

    • NAS Identifier: ZYXEL

 

After the Radius Server is configured, go to the section Configuration > Object > Auth. Method to add a new Authentication Method which will be linked to the Radius Server. Click Add and configure the following parameters:

  • Name: WIFI

  • Method List: add the Radius Server that has been already configured, group RADIUS

2.3 Captive Portal

The next step is to configure the external captive portal. Go to Configuration > Captive Portal section and open the Captive Portal tab. Once the Captive Portal window is displayed, set up the following parameters:

  • Enable Captive Portal: check this box to enable the captive portal.

  • External Web Portal: enable this option.

    • Login URL: https://<domain_captive_portal>/login/hotspot/zyxel

  • Authenticated Method: select the authentication method created in the previous section - WIFI

After having accomplished these changes, please click Apply to save the configuration.

2.4 Walled Garden

The NXC2500 controller does not accept domain names in the walled garden, so this configuration has to be done by adding IP addresses. Go to Configuration > Object > Address and click Add to add every required IP address.

To consult the IP addresses to be included go to the following link.

2.5 Authentication Policy

Once the IP addresses to which the user will have free access have been added, it is necessary to create an Authentication Policy that associates these IPs to a specific rule. To do so, go to Configuration > Captive Portal and access the Redirect on AP tab, then add a new Authentication Policy Rule for each of the IP addresses used previously with the following configuration:

  • General settings

    • Enable Policy: Check this option.

    • Profile Name: Add every Policy rule created.

  • Accounting Server Settings

    • SSID: any

    • Source Address: any

    • Destination Address: WIFI

    • Schedule: none

    • Authentication: unnecessary

Once all the Policy Rules have been added, it is necessary to create a rule that blocks all other traffic. Add a new rule with the following configuration:

  • General Settings

    • Enable Policy: check this option.

    • Profile Name: BLOCK

  • Accounting Server Settings

    • SSID: any

    • Source Address: any

    • Destination Address: any

    • Schedule: none

    • Authentication: force

To finish the walled garden configuration, it is necessary to create an Authentication Policy Group that groups all the policy rules added before. Perform the following configuration:

  • General Settings

    • Profile Name: WIFI

  • Add each rule created before. It is very important to place the BLOCK rule last in the list.

After having done all these changes, click on the Apply button to save this configuration. 
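Why the BLOCK rule has to come last, as an added example that is not part of the original guide or of the controller's software. It assumes the policy group is evaluated top-down with the first matching rule winning; the rule names and documentation-range addresses are constructed.

```python
import ipaddress

# Constructed policy group: rule names and addresses are illustrative placeholders.
# Each rule is (profile name, destination network or "any", authentication mode).
GOOD_ORDER = [
    ("PORTAL_1", "192.0.2.10/32", "unnecessary"),
    ("PORTAL_2", "198.51.100.20/32", "unnecessary"),
    ("BLOCK", "any", "force"),
]
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]  # BLOCK placed first

def _net(dest):
    return ipaddress.ip_network("0.0.0.0/0" if dest == "any" else dest)

def decide(rules, dst_ip):
    """Return (rule name, auth mode) of the first rule matching dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for name, dest, auth in rules:
        if ip in _net(dest):
            return name, auth
    return None, "no-match"

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    hidden = []
    for i, (name, dest, _auth) in enumerate(rules):
        if any(_net(dest).subnet_of(_net(prev)) for _n, prev, _a in rules[:i]):
            hidden.append(name)
    return hidden

def audit(rules):
    """Findings for a policy group: shadowed rules and a missing final catch-all."""
    findings = [f"rule {n} is shadowed by an earlier rule" for n in shadowed(rules)]
    last = rules[-1] if rules else None
    if not last or last[1] != "any" or last[2] != "force":
        findings.append("last rule is not an any/force catch-all")
    return findings

if __name__ == "__main__":
    for label, group in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, decide(group, "192.0.2.10"), audit(group))
```

With BLOCK first, the portal addresses themselves require authentication, so unauthenticated clients can never load the login page; with no catch-all at the end, destinations outside the walled garden match no rule at all.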

2.6 Access Point

Finally, it is necessary to add the configured Profiles to the AP Group that the access points belong to. Go to Configuration > Wireless > AP Management and open the AP Group tab. Once the configuration window is displayed, add a new AP Group or edit an existing one and perform the configuration as shown below:

  • General Settings

    • Group Name: set the AP Group Name.

  • Radio 1 Setting:

    • Select the SSID Profile created previously - WIFI_GUEST

  • Radio 2 Setting:

    • Select the SSID Profile created previously - WIFI_GUEST

 

  • Portal Redirect on AP

    • Policy Group: Select the Policy Group added previously - WIFI

    • Skip authentication to provide contingency access while controller is unreachable: disable this option.

 

2.7 Authorized MAC Addresses

For user validation to work correctly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. In this case you must add the MAC addresses of all the Access Points that will broadcast the configured SSID. To obtain these MAC addresses easily, go to Monitor > Wireless > AP Information and look for the column where the MAC of each of the APs appears.

 

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Wifiareas>General information

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Configuration of “Access Profiles” functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes of the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles allow a series of functionalities to be activated on the Zyxel. Although the most common RADIUS dictionaries and the proprietary Zyxel ones are available, the following is a list of some of the most interesting attributes:

| Attribute | Description | Format |
| --- | --- | --- |
| Idle-Timeout | Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
| Reply-Message | Useful for troubleshooting, since it makes it possible to identify associated elements of the Octopus platform, such as an access profile, access method, location, ... | |

Example of an Access Profile configuration with the attributes explained above:

For more information on how to create an Access Profile in Octopus Platform go to Access profiles