How do i downgrade the firmware of a nebula controlled nwa90/110ax

bizupit
bizupit Posts: 2
First Comment
edited February 7 in Nebula

Hello,

I use in my company some NWA90/110 AX.

With the latest firmware (6.70) update the APs have problems with 802.1ax via Radius to our Windows NPS, which doesn't occur with the stable firmware. (6.30)

Sadly I haven't found any resource on how to downgrade firmware from latest to stable, when the devices are controlled via nebula - is there any way to downgrade the software myself or has it to be done via support?

Thank you very much and best regards,

Andy

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 808  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @bizupit ,

    Hi there,

    To better assist you with the issue you're encountering with 802.1x authentication via RADIUS to your Windows NPS on APs running the latest firmware (version 6.70), could you please provide us with additional information?

    • A more detailed description of the issue you're facing.
    • The MAC addresses of the affected clients.
    • The times at which the clients were connected.
    • Event logs from the period when the issue was observed.

    Additionally, follow this article to enable Zyxel Support.

    Please be aware that the Nebula portal does not offer a method to downgrade firmware.

    Judy

  • bizupit
    bizupit Posts: 2
    First Comment
    edited February 7

    Hi Judy,

    Thank you very much for your response.

    The MAC-address of the access point, with version 6.70 is D8:EC:E5:B9:A8:E6 (B6 IT in the logs below) the MAC-address of my test notebook is dc:8b:28:27:80:fd


    I can reproduce the issue right now, so you can see the connection Times in the log below:

    2024-02-07 09:29:25 B6 IT Wireless LANStation: dc:8b:28:27:80:fd left on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 1, Interface: wlan-2-1
    2024-02-07 09:29:23 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 44, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
    2024-02-07 09:29:23 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
    2024-02-07 09:29:23 B6 IT Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
    2024-02-07 09:29:23 B6 IT User User host/BIZUP1879.tcl.local (MAC: dc:8b:28:27:80:fd) 802.1X auth failed on interface wlan-2-1.(Server: 10.71.0.33:1812) [count=2]
    2024-02-07 09:29:12 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 44, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
    2024-02-07 09:29:12 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
    2024-02-07 09:29:12 B6 IT Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
    2024-02-07 09:29:09 B6 IT Wireless LANStation: dc:8b:28:27:80:fd left on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -49dBm, Download/Upload: 0 B/0 B, reason 1, Interface: wlan-2-1
    2024-02-07 09:29:09 B6 IT User User host/BIZUP1879.tcl.local (MAC: dc:8b:28:27:80:fd) 802.1X auth failed on interface wlan-2-1.(Server: 10.71.0.33:1812) [count=2]
    2024-02-07 09:27:01 B6 IT Wireless LANStation: 90:65:84:eb:58:75 blocked by 802.1X auth failed on Channel: 11, SSID: bizupgroup, 2.4GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-1-1
    2024-02-07 09:27:01 B6 IT Wireless LANStation: 90:65:84:eb:58:75 blocked by Hostapd on Channel: 11, SSID: bizupgroup, 2.4GHz, Signal: -87dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-1-1
    2024-02-07 09:27:01 B6 IT Wireless LANStation: 90:65:84:eb:58:75 deauthenticated by 802.1X auth failed
    2024-02-07 09:27:01 B6 IT UserUser host/BIZUP2652.tcl.local (MAC: 90:65:84:eb:58:75) 802.1X auth failed on interface wlan-1-1.(Server: 10.71.0.33:1812)

    Sadly on the radius server itself i only get an inexpressive error:
    An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

    When I change the AccessPoint to one running 6.30, which didn't get the update - e.g. D8:EC:E5:B9:8A:BC it works:
    (i also changed the dhcp reservation - so ip-address and policy at the radius server was the same as with the other access point)

    2024-02-07 10:00:19 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd has authorized on Channel: 48, SSID: bizupgroup, 5GHz. Interface:wlan-2-1
    2024-02-07 10:00:19 D8:EC:E5:B9:8A:BC User User host/BIZUP1879.tcl.local from station: dc:8b:28:27:80:fd (10.71.107.87) has logged in NWA110AX by 802.1x
    2024-02-07 10:00:17 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd has associated on Channel: 48, SSID: bizupgroup, 5GHz, Signal: -52dBm. Interface:wlan-2-1

    Now I also updated the D8:EC:E5:B9:8A:BC to latest - and the 802.1X auth fails also on this access point now:

    2024-02-07 10:14:46 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 40, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
    2024-02-07 10:14:46 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 40, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
    2024-02-07 10:14:46 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
    2024-02-07 10:14:35 D8:EC:E5:B9:8A:BC Wireless LANStation: 86:e2:05:64:0a:7e disconnected by STA Leave(L2UPFrame) on Channel: 11, SSID: biz-up-group-gast, 2.4GHz, Signal: -53dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-1-3
    2024-02-07 10:14:35 D8:EC:E5:B9:8A:BC Wireless LANStation: 86:e2:05:64:0a:7e connected on Channel: 40, SSID: biz-up-group-gast, 5GHz, Signal: -56dBm. Interface:wlan-2-3
    2024-02-07 10:14:35 D8:EC:E5:B9:8A:BC Wireless LANStation: 86:e2:05:64:0a:7e deauthenticated by key handshake fail
    2024-02-07 10:14:20 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
    2024-02-07 10:14:02 D8:EC:E5:B9:8A:BC SystemThe AP has warm started successfully.
    2024-02-07 10:14:02 D8:EC:E5:B9:8A:BC SystemNTP update has succeeded. Current time is Wed Feb 07 09:14:02 GMT +00:00 2024. Last time is Wed Feb 07 09:14:01 GMT +00:00 2024.
    2024-02-07 10:14:00 D8:EC:E5:B9:8A:BC Wireless LANStation: 06:19:e4:e3:a4:7e connected on Channel: 48, SSID: biz-up-group-gast, 5GHz, Signal: -60dBm. Interface:wlan-2-3
    2024-02-07 10:13:59 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 48, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
    2024-02-07 10:13:59 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 48, SSID: bizupgroup, 5GHz, Signal: -51dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
    2024-02-07 10:13:59 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed

    I have enabled the Zyxel Support according to your knowledge base article.

    P.S. If we need more test subjects, I am currently switching our old WiFi Solution to Zyxel - so i have 15 fresh access points on stock :)

    Best regards,
    Andy

  • Zyxel_Judy
    Zyxel_Judy Posts: 808  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @bizupit ,

    Thank you for providing the detailed information. We are currently reviewing the details you've shared and will update you on any new developments.

    We appreciate your cooperation and patience!

    Judy

  • Zyxel_Judy
    Zyxel_Judy Posts: 808  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 27

    Hi @bizupit ,

    As our private discussion, the logs indicate that the client with MAC address dc:8b:28:27:80:fd has encountered an 802.1x authentication failure when attempting to connect to the AP D8:EC:E5:B9:8A:BC, specifically with the RADIUS server at 10.71.0.33:1812.


    Please verify if the AP D8:EC:E5:B9:8A:BC has been added to the whitelist in your 10.71.0.33 RADIUS server's settings? This step is crucial for successful authentication.

    You can also verify if the user host/BIZUP1879.tcl.local is included in the list of users on the RADIUS server at 10.71.0.33.


    Judy

Nebula Tips & Tricks