802.1x Cloud Auth Security

I have not seen any updates to the KB article demonstrating device authentication via WPA2/3 Enterprise with LEAP as phase 1 and NONE as phase 2. This is insecure and goes against current best practice. Has there been an update to this config method? If so, can someone please direct me to it? If not, Zyxel should update Nebula Cloud authentication as soon as possible. Some devices already refuse to retain network settings due to the poor security, and more and more newer devices will show similar behavior as time goes on.

All Replies

  • Zyxel_Jay
    Zyxel_Jay Posts: 227  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch 5 Answers

    Now we will use EAP-PEAP as phase 1 from devices to the AP,
    and the AP will transmit data via TLS as phase 2 from the AP to NCAS.
    You don't need to worry about the security of the transmitted data.
    About "Some devices already refuse to retain network settings due to the poor security": if you have any actual cases, please share them with us so we can check what issue it has.

    Thanks
    Jay 
  • Hi Jay,

    Android devices running GrapheneOS will not retain network settings because phase 2 option 'none' was removed due to weak security.
  • Zyxel_Jay
    Hi @cglavan

    Here is the screenshot where we used Wireshark to capture the AP-to-NCAS packets.
    You can see that the packets are encrypted by TLSv1.2. You can't see the information without de-encapsulating them.

    Because we don't have a "GrapheneOS" device, we can't test it for you. But all of our products will follow the security Wi-Fi policy with Android and iOS. Please ignore that message, thank you.

    Jay

  • cglavan
    cglavan Posts: 4
    First Comment
    edited December 2022
    Hi Jay,

    This is a change that came in Android 11 due to the inherent MITM risks in not requesting and/or validating the server-side certificate on the client. Evil twin and other rogue AP attacks are commonplace and becoming ever more advanced. For enterprise-level security, not requiring the certificate check (or worse, auto-accepting it) isn't really acceptable as the only cloud-based client configuration option...
  • Zyxel_Jay

    First, the AP sends the request to the cloud server over an encrypted transmission (TLSv1.2). Then the cloud server exchanges the key and gives the AP the certificate. The AP checks that this certificate is trusted. They send the data after these steps.
    A man in the middle can't connect to the AP and the server by forwarding the data, because they can't decrypt the packets.

    Jay
  • Okay. Is there a certificate that can be installed on end devices then so that they trust the connection? The issue is that if there's no configurable second phase and thus no way to store the network on the end device with a 'no certificate' option, then the end device has to re-verify the trust every single time it connects.
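As an added example (not Zyxel's, Nebula's, or any poster's code), here is a small Python audit that parses wpa_supplicant-style `network={...}` blocks and flags the client-profile weaknesses this thread revolves around: LEAP as the EAP method, no `ca_cert` (so the RADIUS server certificate is never validated), no `domain_suffix_match`/`altsubject_match`, and no explicit phase 2 inner method. The sample config, its SSIDs and the CA path are constructed for the example; the option names are standard wpa_supplicant keys.

```python
import re

# Constructed sample in wpa_supplicant syntax (not Zyxel/Nebula config):
# a LEAP profile like the one the thread describes, beside a hardened
# PEAP profile that pins the CA, the server name and the inner method.
SAMPLE_CONF = """
network={
    ssid="corp-leap"
    key_mgmt=WPA-EAP
    eap=LEAP
}
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf):
    """One dict per network={...} block; quotes around values are stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines() if "=" in l)
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Findings for one 802.1X profile (empty list = passes these checks)."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK/open networks are out of scope here
    eap = net.get("eap", "").upper()
    if eap == "LEAP":
        findings.append("LEAP is deprecated: weak MS-CHAP exchange, no TLS-protected server identity")
    if eap in ("PEAP", "TTLS"):
        if "ca_cert" not in net:
            findings.append("no ca_cert: RADIUS server certificate is not validated (evil-twin/MITM risk)")
        if not (net.get("domain_suffix_match") or net.get("altsubject_match")):
            findings.append("no domain_suffix_match/altsubject_match: any cert from the CA is accepted")
        if "auth=" not in net.get("phase2", ""):
            findings.append('no explicit phase2 inner method (e.g. phase2="auth=MSCHAPV2")')
    return findings

def audit_conf(conf):
    """Map each SSID to its findings."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(conf)}
```

Running `audit_conf(SAMPLE_CONF)` reports the LEAP profile and passes the hardened one; the same checks apply to a PEAP profile that omits `ca_cert`, which is the "no certificate" case GrapheneOS/Android 11 refuse to store.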
