How do I downgrade the firmware of a Nebula-controlled NWA90/110AX
Hello,
I use in my company some NWA90/110 AX.
With the latest firmware (6.70) update the APs have problems with 802.1ax via RADIUS to our Windows NPS, which doesn't occur with the stable firmware (6.30).
Sadly I haven't found any resource on how to downgrade firmware from latest to stable when the devices are controlled via Nebula - is there any way to downgrade the software myself or does it have to be done via support?
Thank you very much and best regards,
Andy
Accepted Solution
Hi @bizupit ,
Based on our private conversation, it appears that the "NPS Extension For Azure MFA" combined with the RADIUS modifications in firmware version 6.55 or newer is causing the 802.1x authentication failure. The issue was resolved upon uninstalling the "NPS Extension For Azure MFA".
Judy
All Replies
Hi @bizupit ,
Hi there,
To better assist you with the issue you're encountering with 802.1x authentication via RADIUS to your Windows NPS on APs running the latest firmware (version 6.70), could you please provide us with additional information?
- A more detailed description of the issue you're facing.
- The MAC addresses of the affected clients.
- The times at which the clients were connected.
- Event logs from the period when the issue was observed.
Additionally, follow this article to enable Zyxel Support.
Please be aware that the Nebula portal does not offer a method to downgrade firmware.
Judy
Hi Judy,
Thank you very much for your response.
The MAC address of the access point with version 6.70 is D8:EC:E5:B9:A8:E6 (B6 IT in the logs below); the MAC address of my test notebook is dc:8b:28:27:80:fd.
I can reproduce the issue right now, so you can see the connection times in the log below:
2024-02-07 09:29:25 B6 IT Wireless LANStation: dc:8b:28:27:80:fd left on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 1, Interface: wlan-2-1
2024-02-07 09:29:23 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 44, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
2024-02-07 09:29:23 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
2024-02-07 09:29:23 B6 IT Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
2024-02-07 09:29:23 B6 IT User User host/BIZUP1879.tcl.local (MAC: dc:8b:28:27:80:fd) 802.1X auth failed on interface wlan-2-1.(Server: 10.71.0.33:1812) [count=2]
2024-02-07 09:29:12 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 44, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
2024-02-07 09:29:12 B6 IT Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
2024-02-07 09:29:12 B6 IT Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
2024-02-07 09:29:09 B6 IT Wireless LANStation: dc:8b:28:27:80:fd left on Channel: 44, SSID: bizupgroup, 5GHz, Signal: -49dBm, Download/Upload: 0 B/0 B, reason 1, Interface: wlan-2-1
2024-02-07 09:29:09 B6 IT User User host/BIZUP1879.tcl.local (MAC: dc:8b:28:27:80:fd) 802.1X auth failed on interface wlan-2-1.(Server: 10.71.0.33:1812) [count=2]
2024-02-07 09:27:01 B6 IT Wireless LANStation: 90:65:84:eb:58:75 blocked by 802.1X auth failed on Channel: 11, SSID: bizupgroup, 2.4GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-1-1
2024-02-07 09:27:01 B6 IT Wireless LANStation: 90:65:84:eb:58:75 blocked by Hostapd on Channel: 11, SSID: bizupgroup, 2.4GHz, Signal: -87dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-1-1
2024-02-07 09:27:01 B6 IT Wireless LANStation: 90:65:84:eb:58:75 deauthenticated by 802.1X auth failed
2024-02-07 09:27:01 B6 IT UserUser host/BIZUP2652.tcl.local (MAC: 90:65:84:eb:58:75) 802.1X auth failed on interface wlan-1-1.(Server: 10.71.0.33:1812)
Sadly on the RADIUS server itself I only get an inexpressive error:
An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
When I change the access point to one running 6.30, which didn't get the update - e.g. D8:EC:E5:B9:8A:BC - it works:
(I also changed the DHCP reservation - so IP address and policy at the RADIUS server were the same as with the other access point)
2024-02-07 10:00:19 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd has authorized on Channel: 48, SSID: bizupgroup, 5GHz. Interface:wlan-2-1
2024-02-07 10:00:19 D8:EC:E5:B9:8A:BC User User host/BIZUP1879.tcl.local from station: dc:8b:28:27:80:fd (10.71.107.87) has logged in NWA110AX by 802.1x
2024-02-07 10:00:17 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd has associated on Channel: 48, SSID: bizupgroup, 5GHz, Signal: -52dBm. Interface:wlan-2-1
Now I also updated the D8:EC:E5:B9:8A:BC to latest - and the 802.1X auth fails also on this access point now:
2024-02-07 10:14:46 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 40, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
2024-02-07 10:14:46 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 40, SSID: bizupgroup, 5GHz, Signal: -50dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
2024-02-07 10:14:46 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
2024-02-07 10:14:35 D8:EC:E5:B9:8A:BC Wireless LANStation: 86:e2:05:64:0a:7e disconnected by STA Leave(L2UPFrame) on Channel: 11, SSID: biz-up-group-gast, 2.4GHz, Signal: -53dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-1-3
2024-02-07 10:14:35 D8:EC:E5:B9:8A:BC Wireless LANStation: 86:e2:05:64:0a:7e connected on Channel: 40, SSID: biz-up-group-gast, 5GHz, Signal: -56dBm. Interface:wlan-2-3
2024-02-07 10:14:35 D8:EC:E5:B9:8A:BC Wireless LANStation: 86:e2:05:64:0a:7e deauthenticated by key handshake fail
2024-02-07 10:14:20 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
2024-02-07 10:14:02 D8:EC:E5:B9:8A:BC SystemThe AP has warm started successfully.
2024-02-07 10:14:02 D8:EC:E5:B9:8A:BC SystemNTP update has succeeded. Current time is Wed Feb 07 09:14:02 GMT +00:00 2024. Last time is Wed Feb 07 09:14:01 GMT +00:00 2024.
2024-02-07 10:14:00 D8:EC:E5:B9:8A:BC Wireless LANStation: 06:19:e4:e3:a4:7e connected on Channel: 48, SSID: biz-up-group-gast, 5GHz, Signal: -60dBm. Interface:wlan-2-3
2024-02-07 10:13:59 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by 802.1X auth failed on Channel: 48, SSID: bizupgroup, 5GHz, Signal: 0dBm, Download/Upload: 0/0, reason 23, Interface: wlan-2-1
2024-02-07 10:13:59 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd blocked by Hostapd on Channel: 48, SSID: bizupgroup, 5GHz, Signal: -51dBm, Download/Upload: 0 B/0 B, reason 3, Interface: wlan-2-1
2024-02-07 10:13:59 D8:EC:E5:B9:8A:BC Wireless LANStation: dc:8b:28:27:80:fd deauthenticated by 802.1X auth failed
I have enabled the Zyxel Support according to your knowledge base article.
P.S. If we need more test subjects, I am currently switching our old WiFi solution to Zyxel - so I have 15 fresh access points in stock :)
Best regards,
Andy
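Added example, not part of the original posts and not Zyxel's tooling: a small parser for event-log lines in the layout quoted in the post above, which lists the AP and client pairs that authenticated over 802.1X before an AP restart and failed afterwards. The sample lines, AP names, MAC addresses and server address are constructed placeholders, and treating the "warm started" system line as the restart marker is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the event-log layout quoted above (newest first).
# AP names, MAC addresses and the server address are placeholders.
SAMPLE = """\
2024-02-07 10:14:46 AP-TEST Wireless LAN Station: 02:00:00:00:00:01 deauthenticated by 802.1X auth failed
2024-02-07 10:14:45 AP-TEST User User host/PC1.example.local (MAC: 02:00:00:00:00:01) 802.1X auth failed on interface wlan-2-1.(Server: 192.0.2.33:1812) [count=2]
2024-02-07 10:14:02 AP-TEST System The AP has warm started successfully.
2024-02-07 10:00:19 AP-TEST Wireless LAN Station: 02:00:00:00:00:01 has authorized on Channel: 48, SSID: corp, 5GHz. Interface:wlan-2-1
2024-02-07 09:29:12 AP-OLD Wireless LAN Station: 02:00:00:00:00:02 deauthenticated by 802.1X auth failed
"""

# Timestamp, AP name, category column, message. The space after the category
# is optional because copied logs often fuse the two columns together.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+?) (Wireless LAN|User|System) ?(.*)$")
STATION = re.compile(r"Station: ([0-9a-f:]{17}) (has authorized|deauthenticated by 802\.1X auth failed)")
RADIUS = re.compile(r"\(MAC: ([0-9a-f:]{17})\) 802\.1X auth failed .*\(Server: ([\d.]+:\d+)\)")

def parse(text):
    """Return (time, ap, kind, mac, server) tuples in chronological order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an event line (prose, blank line, ...)
        ts, ap, category, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if s := STATION.search(msg):
            kind = "ok" if s.group(2) == "has authorized" else "fail"
            events.append((when, ap, kind, s.group(1), None))
        elif r := RADIUS.search(msg):
            events.append((when, ap, "radius_fail", r.group(1), r.group(2)))
        elif category == "System" and "warm started" in msg:
            events.append((when, ap, "restart", None, None))
    return sorted(events, key=lambda e: e[0])

def regressions(events):
    """(ap, mac) pairs that authenticated before an AP restart and failed after it."""
    ok_before, restarted, hits = defaultdict(set), set(), []
    for _, ap, kind, mac, _ in events:
        if kind == "restart":
            restarted.add(ap)
        elif kind == "ok" and ap not in restarted:
            ok_before[ap].add(mac)
        elif kind == "fail" and ap in restarted and mac in ok_before[ap] and (ap, mac) not in hits:
            hits.append((ap, mac))
    return hits
```

A pair reported by `regressions(parse(log_text))` narrows the change to the AP side of the exchange, since the client and the RADIUS server address stayed the same across the restart.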
Hi @bizupit ,
Thank you for providing the detailed information. We are currently reviewing the details you've shared and will update you on any new developments.
We appreciate your cooperation and patience!
Judy
Hi @bizupit ,
As per our private discussion, the logs indicate that the client with MAC address dc:8b:28:27:80:fd has encountered an 802.1x authentication failure when attempting to connect to the AP D8:EC:E5:B9:8A:BC, specifically with the RADIUS server at 10.71.0.33:1812.
Please verify whether the AP D8:EC:E5:B9:8A:BC has been added to the whitelist in your 10.71.0.33 RADIUS server's settings. This step is crucial for successful authentication.
You can also verify if the user host/BIZUP1879.tcl.local is included in the list of users on the RADIUS server at 10.71.0.33.
Judy
Hi Judy,
Sorry for my late reply - I was on vacation for the last two weeks.
As I already wrote in my comment on 7th of February, it worked prior to the firmware update - same host, same access point, same IP address (which is relevant for the whitelist at the RADIUS server) - so yes, I can confirm that host and access point were configured correctly at the RADIUS server.
Sadly the RADIUS server doesn't give me any helpful information; the only thing that I can say for sure is that it only happened after the firmware update and that I could reproduce it with more than 3 access points.
Best regards,
Andreas
Hi Andreas,
I wanted to provide you with an update following a recent check on the site's status:
1. The RADIUS server IPs are set to 10.71.0.33 and 10.71.0.34 for 802.1X SSID authentication.
2. Regarding the present APs at the site, the event logs for the firmware version 6.70 AP show RADIUS server timeout errors.
3. We remote SSH to your APs. It appears that the 6.40 version APs, which are operational, and the new 6.70 version APs have been assigned different subnets.
4. Additionally, the 6.70 APs are unable to ping the RADIUS server, unlike the 6.40 version APs; the subnet might not reach where the RADIUS server is located.
I recommend connecting a 6.70 firmware version AP to the same port as a 6.40 firmware version AP was connected to, and to ensure that the new assigned DHCP IP of the 6.70 version AP is recognized in the RADIUS server's trusted client list, then connect the wireless client and see the authentication result.
Thank you for your attention to this matter.
Regards,
Judy
Hi Judy,
Sorry for the confusion, the access point in the techlabor is only set up for the guest VLAN, as it is in a public area and we didn't patch our office VLAN there.
I plugged the access point D8:EC:E5:B9:8A:BC running version 6.70 in our IT office - so now we can reproduce the issue again - I had to take it offline before my vacation as colleagues already complained about non-working WiFi.
When I want to connect my laptop (bizup2423) to the bizupgroup WiFi, I get the auth error again:
Which didn't occur with version 6.40.
Also the AP B6 Pers has clients in the WiFi authenticated by 802.1x:
The RADIUS log itself gives me only the following error:
User:
Security ID: TCL\BIZUP2423$
Account Name: host/BIZUP2423.tcl.local
Account Domain: TCL
Fully Qualified Account Name: TCL\BIZUP2423$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: D8-EC-E5-B9-8A-BC:bizupgroup
Calling Station Identifier: 00-A5-54-00-CE-45
RADIUS Client:
Client Friendly Name: BIZUP2686_Zyxel_NWA110AX
Client IP Address: 10.71.1.106
Authentication Details:
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
It is not very informative - but at least it indicates that the RADIUS client was whitelisted correctly - as otherwise I would get an error like request from unauthorized radius client …
Best regards,
Andy