Authentication using RADIUS (802.1x)
Note
This feature requires Enterprise Edition.
Genian ZTNA includes a built-in RADIUS server to support 802.1x port-based access control. In general, 802.1x is widely used to provide improved user authentication for devices that access wireless networks. In a wired network, a user authentication function can be provided for a device connected to the network through a switch supporting 802.1x.
First, you need to enable the RADIUS server. See Configuring RADIUS Enforcement.
For RADIUS authentication against external databases, authentication integrations must be configured. See Integrating User Directories.
RADIUS accounting must be activated on the client or in Genian ZTNA in order for the node information to be updated. See Single Sign-On.
Enable AD Account for RADIUS
- Go to Preferences in the top panel
- Go to Service > RADIUS Server in the left Preferences panel
- Find the RADIUS Server: AD Account section and select On in the drop-down
- Enter the following:
  - Domain Name (e.g. genians.com)
  - Username (Default is Administrator. The account needs to have Admin Privileges)
  - Password and retype
- Click Update
Enable URL Account for RADIUS
- Go to Preferences in the top panel
- Go to Service > RADIUS Server in the left Preferences panel
- Find the RADIUS Server: URL Account section and select On in the drop-down
- Enter the following:
  - URL (e.g. http://.com)
  - Methods (GET, POST)
  - Regex for Authentication (This regular expression will check for successful login)
- Click Update
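One way to test a candidate Regex for Authentication value before saving it, shown as an added example that is not part of the Genian documentation. It assumes the expression is searched against the response body returned by the configured URL and uses Python's re syntax; the response bodies and both patterns below are constructed for illustration.

```python
import re

# Constructed sample response bodies (not captured from a real service).
SUCCESS_BODIES = [
    '{"result": "success", "user": "alice"}',
]
FAILURE_BODIES = [
    '{"result": "fail", "message": "Login unsuccessful"}',
    '<html><body>Invalid password. On success you will be redirected.</body></html>',
    '',  # empty body, e.g. an upstream error
]

def audit_auth_regex(pattern, success_bodies=SUCCESS_BODIES,
                     failure_bodies=FAILURE_BODIES):
    """Return (false_accepts, false_rejects) for a candidate regex.

    Assumption: the pattern is searched anywhere in the response body,
    which is the worst case for an unanchored expression.
    """
    rx = re.compile(pattern)
    # Failure responses the regex would treat as a successful login.
    false_accepts = [b for b in failure_bodies if rx.search(b)]
    # Success responses the regex would reject (locks out valid users).
    false_rejects = [b for b in success_bodies if not rx.search(b)]
    return false_accepts, false_rejects

# Hypothetical candidates: a bare keyword versus a pattern anchored to the
# start of the body and tied to the exact field that carries the result.
LOOSE = r'success'
STRICT = r'^\{"result":\s*"success",'

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        fa, fr = audit_auth_regex(pat)
        print(f"{name}: {len(fa)} false accept(s), {len(fr)} false reject(s)")
        for body in fa:
            print("  accepted a failure response:", body[:60])
```

A pattern is safe to deploy only when both returned lists are empty for every failure and success response the authentication URL can produce.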
Enable Email Authentication for RADIUS
- Go to Preferences in the top panel
- Go to Service > RADIUS Server in the left Preferences panel
- Find RADIUS Server: Email Authentication section and select On in
- Click Update
MAC Authentication Bypass
For endpoints that do not support 802.1x, such as printers or IP phones, it may be necessary to authenticate using the MAC address.
The MAC authentication feature is a mechanism by which incoming traffic originating from a specific MAC address is forwarded only if the source MAC address is successfully authenticated by a RADIUS server. The MAC address itself is used as the username and password for RADIUS authentication. The user does not need to provide a specific username and password to gain access to the network.
- If RADIUS authentication for the MAC address is successful, traffic from the MAC address is forwarded in hardware.
- If the RADIUS server cannot validate the user’s MAC address, then it is considered an authentication failure, and a specified authentication-failure action can be taken.