ZLD 4.65 breaks SSLVPN Two Factor Authentication

Hello there,

I've installed Firmware Update 4.65 on a Zywall 110. The update changed the 2FA authorization link port to 8008 without adding a security policy, which essentially locked me out since I could not complete the Two Factor Authentication anymore. Fair enough, someone on-site added a security policy to allow port 8008.

However, now the Zywall uses the default self-signed TLS certificate for the 2FA page and not our proper third-party certificate. Under System -> WWW -> Server Certificate we have already defined our third-party TLS certificate, and this works fine for SSLVPN itself; just the authorization link seems to use the self-signed certificate. This has the effect that the users get a certificate warning when opening the 2FA link.

I did not find any option to choose another TLS certificate for the authorization link? Any ideas?

Accepted Solution

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    edited July 2021 Answer ✓

    Hi @Sconsulting  

    The Security Check Wizard will add the 2FA server port into the default WAN_to_ZyWALL rule if the 2FA service was enabled before.

    You may check whether any rule affects it.

    Regarding the certificate issue on the 2FA authentication page, we have addressed the issue and will fix the symptom in the next FCS firmware.

    You can follow these steps as a workaround: set the Authorize Link URL to HTTP and then change it back to HTTPS; the certificate will then be replaced with the correct one.

All Replies

  • Hi Stanley,

    Thanks for the workaround, that solved the issue concerning the TLS-Certificate.

    Regarding the port - well, if you upgrade remotely from a previous firmware you will lock yourself out, since the firmware changes the port without adding a security policy. Then you will have no option to run the security wizard, since you can't authenticate anymore. In my opinion there should be a prominent remark in the release notes, since the security policy for the authorize link needs to be added BEFORE the upgrade in case it is done remotely.

    Thank you!

    Kind regards,
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee

    Hi @Sconsulting

    If the 2FA function was enabled in the old version, after upgrading the firmware the 2FA default port 8008 will be added into the default rule automatically.
    Does any rule affect 2FA traffic? You may send your configuration from before upgrading to version 4.65 for further checking.
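As a practical check for the two symptoms discussed in this thread (port 8008 no longer reachable after a remote upgrade, and the default self-signed certificate being served on the authorize link even after the HTTP/HTTPS toggle workaround), the following Python script is an added example and not Zyxel's code or anything posted in the thread. It opens TLS to the SSL VPN port and to the 2FA authorize-link port from outside the firewall, pulls each leaf certificate in DER form, and reports whether the 2FA port answers at all, whether it presents the same certificate as the SSL VPN portal, and whether that certificate is self-signed (issuer Name equal to subject Name, which is what the ZyWALL default certificate looks like). Port 8008 comes from the thread; the host name, 443 as the SSL VPN port, the 5-second timeout and the `sample_cert` builder used for the offline self-test are assumptions. Run it before a remote upgrade to confirm the WAN_to_ZyWALL policy already lets 8008 through, and again after the upgrade to confirm the third-party certificate is back on the authorize link.

```python
"""Check which certificate a ZyWALL serves on its 2FA authorize-link port.

Added example for this thread, not Zyxel code.  Uses only the standard
library: a tiny DER walker extracts issuer/subject from the certificate so
no third-party X.509 library is needed.  Host name and the 443 SSL VPN port
are assumptions; port 8008 is the 2FA port named in the thread.
"""
import hashlib
import socket
import ssl
import sys

OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName


def der_encode(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length); used to build offline samples."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def _tlv(buf: bytes, off: int = 0):
    """Decode one DER TLV at buf[off]; return (tag, value, offset_after_value)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, pos = first, off + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[off + 2:off + 2 + k], "big"), off + 2 + k
    return tag, buf[pos:pos + n], pos + n


def _children(body: bytes):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    off = 0
    while off < len(body):
        tag, value, off = _tlv(body, off)
        yield tag, value


def issuer_and_subject(der: bytes):
    """Return (issuer_name_body, subject_name_body) from an X.509 certificate."""
    _, cert_body, _ = _tlv(der)
    tbs = next(_children(cert_body))[1]             # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def common_name(name_body: bytes) -> str:
    """Pull the CN attribute out of a DER Name body (SET OF SEQUENCE {OID, value})."""
    for _, rdn_set in _children(name_body):
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = list(_children(atv))[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return ""


def is_self_signed(der: bytes) -> bool:
    """Heuristic matching the thread's symptom: issuer Name equals subject Name."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as browsers display it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fetch_leaf_der(host: str, port: int, timeout: float = 5.0):
    """Return the DER leaf certificate from host:port, or None if unreachable.

    Verification is disabled on purpose so a self-signed certificate is
    returned instead of rejected; nothing sensitive is sent on this socket.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def compare_ports(host: str, vpn_port: int = 443, twofa_port: int = 8008) -> dict:
    """Probe both ports and summarise reachability and certificate state."""
    vpn, twofa = fetch_leaf_der(host, vpn_port), fetch_leaf_der(host, twofa_port)
    report = {"vpn_reachable": vpn is not None, "twofa_reachable": twofa is not None}
    if vpn and twofa:
        report["same_cert"] = sha256_fingerprint(vpn) == sha256_fingerprint(twofa)
        report["twofa_self_signed"] = is_self_signed(twofa)
        report["twofa_cn"] = common_name(issuer_and_subject(twofa)[1])
    return report


def sample_cert(issuer_cn: str, subject_cn: str) -> bytes:
    """Constructed, unsigned certificate skeleton for offline testing (not a real ZyWALL cert)."""
    def name(cn):
        atv = der_encode(0x30, der_encode(0x06, OID_COMMON_NAME) + der_encode(0x0C, cn.encode()))
        return der_encode(0x30, der_encode(0x31, atv))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + der_encode(0x30, b"") + name(issuer_cn) + der_encode(0x30, b"")
                     + name(subject_cn) + der_encode(0x30, b""))
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"   # assumed host name
    print(compare_ports(target))
```

A `twofa_reachable: False` result from the WAN side before an upgrade is the lockout warning from the thread; `same_cert: False` together with `twofa_self_signed: True` after the upgrade means the authorize link is still on the default certificate and the HTTP/HTTPS toggle workaround has not taken effect yet.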