Cloud authentication

nubira

Hi,

Please could you provide some details regarding the cloud authentication? We use the MAC-based solution and would like to take a closer look. The reason is that we had a bad experience with it last year.

Some questions:

• What happens if the site goes offline temporarily (no internet connection)?
• What happens if the Nebula platform is unavailable?
• Is it a real-time online solution, or are the MACs synced to the devices (FW, switch, AP)?

Could you please explain exactly how this feature works?

Thanks!

Zyxel_Tina

Hi @nubira,

Here's an explanation of Nebula Cloud Authentication Server (NCAS) and its behavior in various scenarios:

1. What happens if the site goes offline temporarily (no internet connection)?
   • Behavior depends on your SSID's "disconnect behavior" setting. If set to Allowed: Client devices can access without signing in (except explicitly blocked), devices may still connect. For strict control, you may change to Limited: Only currently authorized clients can access.
   • As for switches, when there's no internet connection and the switch cannot communicate with NCAS, authentication will fail.
2. What happens if the Nebula platform is unavailable?
   • Since Nebula and NCAS are independent services, authentication verification remains unaffected during Nebula outages.
3. Is it a real-time online solution, or are the MACs synced to the devices (FW, switch, AP)?
   • Nebula Cloud Authentication is a real-time online solution where authentication requests are processed through the Nebula cloud. Please note that our firewalls do not support MAC-based authentication, so this method doesn't apply to your scenario.
4. How MAC-based authentication works?
   • When a device tries to connect, it authenticates via the NCAS. The MAC addresses you configure in Nebula are stored in the cloud. The configured MAC addresses are not synced to local devices. Instead, devices query NCAS directly, which then responds whether the MAC should be allowed or blocked.

Hope this information helps :)

nubira

Hi @Zyxel_Tina,

Thank you for the detailed answer, it is very helpful!

So, if the internet connection is offline or the NCAS is unavailable, the LAN becomes unusable. That's bad news for me :(

Is there a way to check the availability of the NCAS (e.g.: downdetector.com)?

Thanks!

Zyxel_Tina

Hi @nubira,

For real-time updates on Nebula/NCAS outages or maintenance, please check the dedicated Nebula Status and Incidents in the forum. We post official notices there for any disruptions.

Alternatively, if you encounter an authentication failure, here are some suggestions to check.:

• Since TCP port 443 is used for Nebula Cloud Authentication, please ensure your uplink firewall/router allows this port.
• Run nslookup in cmd to verify that s.nebula.zyxel.com can be resolved.
• As mentioned previously (the SSID's "disconnect behavior" setting), the logs will show specific records indicating the server status when the NCAS server is unreachable and cloud authentication fails.