ZLD 4.65 breaks SSLVPN Two Factor Authentication
Hello there,
I've installed Firmware Update 4.65 on a Zywall
110. The update changed the 2FA authorization link port to 8008 without
adding a security policy, which essentially locked me out since I could not
complete the Two Factor Authentication anymore. Fair enough, someone on-site added a security policy to allow
port 8008.
However now the Zywall uses the default self-signed
TLS-certificate for the 2FA page and not our proper third-party
certificate. Under System -> WWW -> Server Certificate we
already have defined our third-party TLS certificate, and this works fine for
SSLVPN itself, just the authorization link seems to use the self-signed
certificate. This has the effect that the users get a certificate warning
when opening the 2FA link.
I did not find any option to choose another TLS
certificate for the authorization link?? Any ideas?
Accepted Solution
-
Hi @Sconsulting
The Security Check Wizard will add 2FA server port into default from WAN_to_ZyWALL rule if 2FA service was enabled before.
You may have a check if there is any rule effects it.
According to certificate issue in 2FA authentication page, we have address the issue and we will fix the symptom in next FCS firmware.
You can follow this steps as workaround: Apply Authorize Link URL to HTTP and change to HTTPS again, then certificate will replace to correct one.
0
Zyxel Employee
All Replies
-
Hi @Sconsulting
The Security Check Wizard will add 2FA server port into default from WAN_to_ZyWALL rule if 2FA service was enabled before.
You may have a check if there is any rule effects it.
According to certificate issue in 2FA authentication page, we have address the issue and we will fix the symptom in next FCS firmware.
You can follow this steps as workaround: Apply Authorize Link URL to HTTP and change to HTTPS again, then certificate will replace to correct one.
0 -
Hi Stanley,
Thanks for the workaround, that solved the issue concerning the TLS-Certificate.
Regarding the port - well, if you upgrade remotely from a previous firmware you will lock yourself out since the firmware changes the port without adding a security policy. Then you will have no option to run the security wizard, since you can't authenticate anymore. In my opinion there should be a promiment remark in the release notes, since the security policy for the authorize link needs to be added BEFORE the upgrade in case it is done remotely.
Thank you!
Kind regards,
Romeo0 -
Hi @Sconsulting
If enabled 2FA function in old version, after upgrading firmware 2FA default port 8008 will add into default rule automatically.
Is any rule effects 2FA traffic? you may send your configuration which before upgrading to 4.65 version for further check.0
Categories
- All Categories
- 384 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 79 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 909 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 898 Nebula FAQ
- 415 Security FAQ
- 234 Switch FAQ
- 205 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight
