Chapter 6 Maintenance
ZyWALL USG 20-2000 User’s Guide
128
6.2 How to Use a RADIUS Server to Authenticate User
Accounts based on Groups
The previous example showed how to have a RADIUS server authenticate individual user accounts.
If the RADIUS server has different user groups distinguished by the value of a specific attribute,
you can make a couple of slight changes in the configuration to have the RADIUS server
authenticate groups of user accounts defined in the RADIUS server.
1
Click
Configuration > Object > AAA Server > RADIUS
. Double-click the
radius
entry. Besides
configuring the RADIUS server’s address, authentication port, and key; set the
Group
Membership Attribute
field to the attribute that the ZyWALL is to check to determine to which
group a user belongs. This example uses
Class
. This attribute’s value is called a group identifier; it
determines to which group a user belongs. In this example the values are Finance, Engineer, Sales,
and Boss.
2
Now you add ext-group-user user objects to identify groups based on the group identifier values.
Set up one user account for each group of user accounts in the RADIUS server. Click
Configuration
> Object > User/Group > User
. Click the
Add
icon.
Enter a user name and set the
User Type
to
ext-group-user
. In the
Group Identifier
field, enter
Finance and set the
Associated AAA Server Object
to
radius
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
