User-Aware Access Control - ZyXEL Communications ZyWALL USG Series Application Notes

Unified security gateway
2.1.1 What Can Go Wrong
• The USG checks the firewall rules in order and applies the first firewall rule the traffic matches.
If traffic is unexpectedly blocked or allowed, make sure the firewall rule you want to apply to the
traffic comes before any other rules that the traffic would also match.
• Even if you have configured the firewall to allow access for a management service such as HTTP, you
must also enable the service in the service control rules.
• The USG is not applying your firewall rules for certain interfaces. The USG only applies a zone's rules
to the interfaces that belong to the zone. Make sure you assign the interfaces to the appropriate
zones. When you create an interface, there is no security applied on it until you assign it to a zone.
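The first bullet is the one that most often bites in practice: a broad rule placed above a narrower one silently swallows the narrower rule's traffic. The small evaluator below is an added illustration, not ZyXEL code and not how the USG stores its policy; it models first-match ordering and flags rules that can never fire because an earlier rule already covers them. The rule fields, the two sample rules and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    proto: str           # "tcp", "udp" or "any"
    dport: tuple         # inclusive destination port range, (0, 65535) for any
    action: str          # "allow" or "deny"

def _matches(rule, src, dst, proto, dport):
    """Does one packet (source, destination, protocol, destination port) hit this rule?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport[0] <= dport <= rule.dport[1])

def first_match(rules, src, dst, proto, dport, default="deny"):
    """First-match semantics: the first rule the traffic hits decides; rules below it are never consulted."""
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return rule.name, rule.action
    return None, default

def _covers(earlier, later):
    """True when every packet that matches `later` would already have matched `earlier`."""
    return (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.dport[0] <= later.dport[0] and later.dport[1] <= earlier.dport[1])

def shadowed_rules(rules):
    """Return (shadowed_rule, shadowing_rule) pairs: rules that can never fire under first-match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample policy: the broad allow is listed first, so the SMB block below it never fires.
RULES = [
    Rule("lan-to-any", "192.168.1.0/24", "0.0.0.0/0", "any", (0, 65535), "allow"),
    Rule("block-smb-out", "192.168.1.0/24", "0.0.0.0/0", "tcp", (445, 445), "deny"),
]
# The same two rules with the specific deny placed before the broad allow.
FIXED = [RULES[1], RULES[0]]

if __name__ == "__main__":
    print(first_match(RULES, "192.168.1.10", "203.0.113.5", "tcp", 445))  # ('lan-to-any', 'allow')
    print(shadowed_rules(RULES))                                          # [('block-smb-out', 'lan-to-any')]
    print(first_match(FIXED, "192.168.1.10", "203.0.113.5", "tcp", 445))  # ('block-smb-out', 'deny')
```

Running `shadowed_rules` over an exported policy before it goes live catches the ordering mistake the bullet describes; a shadowed rule with the same action as its shadower is merely redundant, while one with the opposite action (as in the sample) is a misconfiguration.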

2.2 User-aware Access Control

You can configure many policies and security settings for specific users or groups of users. Users can
be authenticated locally by the USG or by an external (AD, RADIUS, or LDAP) authentication server.
Here is how to have the USG use a RADIUS server to authenticate users before giving them access.
1 Set up user accounts in the RADIUS server.
2 Set up user accounts and groups on the USG (Configuration > Object > User/Group).
3 Configure an object for the RADIUS server. Click Configuration > Object > AAA Server >
RADIUS and double-click the radius entry.
4 Then, set up the authentication method. Click Configuration > Object > Auth. Method. Double-
click the default entry. Click the Add icon.
5 Configure the USG's security settings. The USG can use the authentication method in authenticating
wireless clients, HTTP and HTTPS clients, IPSec gateways (extended authentication), L2TP VPN, and
authentication policy.
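Once steps 1 to 5 are in place, every login the USG hands to RADIUS is one Access-Request / Access-Accept (or Reject) exchange protected by the shared secret configured in step 3. The following is an added example of that exchange in Python, not ZyXEL code and not an excerpt of any RADIUS implementation: it builds a PAP Access-Request with the RFC 2865 User-Password hiding, answers it with a stand-in server, and verifies the Response Authenticator on the client side. The shared secret, the user store, the NAS address and the helper names (`hide_password`, `radius_server`, `authenticate`) are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data: the shared secret both sides are configured with,
# and the account store on the RADIUS server (step 1 of the procedure).
SECRET = b"constructed-shared-secret"
USERS = {"alice": "correct horse battery staple"}

def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (Length counts the 2 header bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(plain[i:i + 16], stream))
        hidden += block
        prev = block
    return hidden

def reveal_password(hidden, secret, request_auth):
    """Server side: reverse hide_password (needs the same secret and Request Authenticator)."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ s for h, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00").decode(errors="replace")

def build_access_request(ident, username, password, secret):
    """USG (NAS) side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 1])))  # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def _response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def radius_server(packet, secret, users):
    """Stand-in for the RADIUS server: check the PAP credentials, reply Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(username) == password
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""  # reply attributes (group/Filter-Id etc.) omitted in this example
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    return header + _response_authenticator(resp_code, ident, resp_attrs, request_auth, secret) + resp_attrs

def check_response(response, request, secret):
    """USG side: only trust a reply whose Response Authenticator matches our secret and request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        raise ValueError("reply Identifier does not match the request")
    expected = _response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply was forged")
    return code == ACCESS_ACCEPT

def authenticate(username, password, client_secret, users, server_secret=None, ident=7):
    """Whole exchange; server_secret lets you simulate a secret mismatch between USG and server."""
    request = build_access_request(ident, username, password, client_secret)
    reply = radius_server(request, client_secret if server_secret is None else server_secret, users)
    return check_response(reply, request, client_secret)

if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", SECRET, USERS))  # True
    print(authenticate("alice", "wrong password", SECRET, USERS))                # False
```

Two things the exchange makes visible: the User-Password hiding is an MD5 keystream derived from the shared secret, not encryption, so the secret must be long and random and the USG-to-RADIUS path should be a trusted management network or a VPN; and the Response Authenticator is what lets the USG detect a reply that did not come from a server holding the same secret, which is why a mistyped secret in step 3 shows up as every login failing rather than as an explicit error from the server.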
2.2.1 What Can Go Wrong
• The USG always authenticates the default admin account locally, regardless of the authentication
method setting. You cannot have the RADIUS server authenticate the USG's default admin
account.
• The authentication attempt will always fail if the USG tries to use the local database to authenticate
an ext-user. An external server such as AD, LDAP or RADIUS must authenticate the ext-user
accounts.
• Attempts to add the admin users to a user group with access users will fail. You cannot put