ZYXEL Firewall (USG y VPN)

Owned by Fernando Rudilla García (Unlicensed)
Last updated: Oct 18, 2021 by Santiago Nanclares (Unlicensed)
7 min read

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Zyxel USG and VPN (from model 100) equipment for integration with Octopus Platform

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user's authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.

2- Configuración módulo Guest

2.1 Radius Server

It is neccessary to include the radius servers of the Wifi Platform, to do that access to Configuration > Object > AAA server and access to the tab RADIUS. Once inside click on Add to add a new Radius server and configured the following parameters:

  • Name: Radius_Guest

  • Authentication Server Settings

    • Server Address: <IP_Radius_1>

    • Authentication Port: 1812

    • Backup Server Address: <IP_Radius_2>

    • Backup Authentication Port: 1812

    • Key: <Secret>

  • Accounting Server Settings

    • Server Address: <IP_Radius_1>

    • Accounting Port: 1813

    • Backup Server Address: <IP_Radius_2>

    • Backup Accounting Port: 1813

    • Key: <Secret>

    • Enable Accounting Interim update: Enable this option

    • Interim Interval: 10

  • General Server Settings

    • Timeout: 5

    • NAS Identifier: ZYXEL

Once the Radius sever has been added go to Configuration > Object > Auth. Method to add a new authentication method associated to the Radius server that was previously added.

  • Name: AuthMethod_Guest

  • Method List: Add the radius server previously created, Radius_Guest

2.2 Walled Garden

With Hotspot license

To add the domains that the user will have free access before be validated on the captive portal go to Configuration > Hotspot > Walled Garden and in the tab General enable the option Enable Walled Garden.

After enabling this option in the Domain/IP Base tab you must add the domains, To do so, click on Add and configure each of the entries.

Without Hotspot license

To add the domains that the user will have free access before be validated on the captive portal go to Configuration > Object > Address/Geo IP and in the tab Address create an entry (Add) for each domain that we wanto to add with an identifying name.

  • Name: Identifying name

  • Address Type: FQDN

  • FQDN: Domain or sub-domain

Once the domain entries have been added in Address, they must be grouped by creating a group in the Address Group tab. To do this click on the Add button.

  • Name: Nombre Identifying name of the list, WalledGarden_Group, for example.

  • Address Type: FQDN

  • Member List: Select all the elements that interest us from the list on the left and move them to the right column with the arrow indicating that direction.

 

 

 

 

Click OK when all domains have been added to the group.

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

Once you have entered all the necessary domains, click on Apply.

2.3 Captive Portal

Next configure the external captive portal, go to Configuration > Web Authentication and access to the Authentication Type tab. Once inside click on Add and configure the following parameters:

  • Type: Web Portal

  • Profile Name: Guest_Portal

  • Marcar la opción: External Web Portal

    • Login URL: http://<captive_portal_domain>/login/hotspot/zywall

    • Welcome URL: To apply the landing configuration configured in the platform, enter the redirection URL found in the WLAN section of the Octopus Platform.

      • URL Format:<protocol://domain-portal>/login/hotspot/landing/wifiarea /WIFIAREA_ID/WLAN_ID

      • Substitute:

        • Protocol: http or https. Must be the same protocol that is used in Login URL

        • domain-portal: The same domain_captive_portal as used in Login URL

Once added click on Apply to save the changes and go to the General window. Then configure the following parameters:

  • Enable Web Authentication: check this box to enable the captive portal.

Finally within Web Authentication Policy Summary click on Add to add a new policy with the following configuration:

  • Enable Policy: enable this option

  • Incoming Interface: Select the interface thath we want to apply to the captive portal.

  • Source Address: any

  • Destination Address: any

  • Authentication: required

  • Single Sign-on: disable this option

  • Force User Authentication: enable this option 

  • Authentication Type: Guest_Portal

Then, also from Web Authentication Policy Summary, add an entry for the walled garden:

  • Enable Policy: enable this option

  • Incoming Interface: Select the interface thath we want to apply to the captive portal.

  • Source Address: any

  • Destination Address: WalledGarden_Group, or previously created Address Group name.

  • Schedule: none

  • Authentication: unneccesary

Click on Apply to save the configuration. Then enter the submenu: Configuration > System > WWW

  • Enable the following options HTTP y HTTPS

  • Disable this option "Redirect HTTP to HTTPS"

  • In the authentication section, select the following onfiguration at the bottom: Client Authentication Method: AuthMethod

2.4 Listado MACs Autorizadas

In order to allow the users to authenticate themselves in the captive portal correctly it is neccessary to identify the NAS that will be able to make authentication requests to the Radius server. In this case the MAC address of the ZyWALL 110 must be added. To find this MAC address go to the Dashboard and in the widget Device information the MAC address of the equipment can be obtained.

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link locations

2.5 Additional settings

Idle Timeout

To finish all the configuration it is neccessary to activate the Idle-Timeout so that users are forgotten about the network after a period of inactivity. to do that go to Configuration > Object > User/Group and access to the setting tab.

Within the Miscellaneous Settings section check the Enable user idle detection checkbox and set 15 minutes as User idle timeout.

Apply configuration to WLAN

The first step is to associate the interface to the SSID where you want to apply the configuration. To do this, go to Configuration > Object > AP Profile and select the SSID tab. Once inside, click on Add to add a new SSID profile and configure the following parameters:

  • VLAN ID: Select the vlan associated to the captive portal.

 

To display the configuration in the Access Points, Go to Configuration > Wireless >AP Management and access to the AP Group tab. Select the group where we want to add the guest SSID:

  • Radio 1 Setting: Select the previously created SSID Profile from the list.

  • Radio 2 Setting: Select the previously created SSID Profile from the list.

 


3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Configuration of “Access Profiles” funtionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes of the Access-Accept packages, grouped in the so-called Access Profile. These Access Profiles allow to activate a series of functionalities in the Omada. Although the most common and proprietary Omada radius dictionaries are available, the following is a list of some of the most interesting ones:

Attribute

Description

Format

Attribute

Description

Format

Idle-Timeout

Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate.

Seconds

Filter-ID

Returns a Role or connection profile previously created in the Zyxel.

The name of the Group Identifier of the Role must be the same in the Zyxel as in the access profile of the platform.

Reply-Message

Useful for troubleshooting functions, since it allows to identify associated elements of the Octopus platform, such as an access profile, access method, location, ...

 

Filter-ID Configuration

Go to Object > AAA Server > Radius and select User Login Settings > Group Membership Attibute Filter-ID. Then go to Object > User/Group > User and create a new entry with the settings:

  • User-Name: The one we consider to identify it.

  • User-Type: ext-group-user.

  • Group Identifier: Very important data because it will be the one to be configured in the radius and the one to be returned in the Filter-ID attribute.

  • Associated AAA Server Object: radius.

Example of an Access Profile configuration with the attributes explained above:

 

For more information on how to create an Access Profile in Octopus Platform go to Access profiles