USG60W Applying wlan-security-profile with wpa-psk-encrypted to SSID breaks SSID

danyedinak




On a USG60W, applying a wlan-security-profile that uses wpa-psk-encrypted to a wlan-ssid-profile causes the SSID to stop broadcasting and generates errors in the log.
Steps to reproduce
- USG60W running 4.35(AAKZ.0C0) or 4.38(AAKZ.0) and factory default configuration
- From the management box, log in to the USG60W and enable SSH
- Connect to the USG60W by SSH
- Configure the security profiles and apply them using the following commands
  - enable
  - configure terminal
  - wlan-security-profile secProStandard
  - wpa-encrypt auto
  - wpa-psk SomePassword!
  - mode wpa2
  - exit
  - wlan-security-profile secProEncrypted
  - wpa-encrypt auto
  - wpa-psk-encrypted SomePassword!
  - mode wpa2
  - exit
  - write
  - wlan-ssid-profile default
  - security secProStandard
  - exit
  - write
- Connect the client device to the ZyXEL ssid using SomePassword!
  - Success
- Disconnect the client device and return to the SSH session on the management device
  - wlan-ssid-profile default
  - security secProEncrypted
  - exit
  - write
- Scan for wireless networks on the client device and find that the ZyXEL ssid (or other ssid as appropriate) is no longer visible
- show logging entries (filter as desired)
- WARNING: #configure terminal wlan-security-profile secProEncrypted_slot2 exit, Security Profile's WPAPSK setting check failed.
- ERROR: #configure terminal wlan-security-profile secProEncrypted_slot2 wpa-psk U�������oS_mode><Downlink_rate_limit>0 mbps</Downlink_rate_limit><Uplink_rate_limit>0 mbps</Uplink_rate_limit><Forward_mode>localbridge</Forward_mode><SSID_VLAN_id>1</SSID_VLAN_id><Tunnel_VLANIF></Tunnel_VLANIF><Band_Select_mode>disable</Band_Select_mode><Band_Select_balance_ratio>0</Band_Select_balance_ratio><Band_Select_stop_threshold>0</Band_Select_stop_tC2ƻ\x1e, Parse error/command not found!
- show wlan-security-profile secProEncrypted
security profile: secProEncrypted
reference: 1
Description: Documenting wpa-psk-enc issue
Security: wpa2
Open_Share: open
WEP_Enc: 64
Def_Key: 1
Key1:
Key2:
Key3:
Key4:
ReAuth_timer: 0
Idle_timeout: 300
Group_key_update_timer: 30000
WPA_enc: aes
Preshared_key: ����@[~l
WPA2_PreAuth: yes
EAP_auth: no
EAP_internal_external: internal
EAP_internal_method: default
Inner_Radius_IP_addr: 127.0.0.1
Inner_Radius_port: 1812
Inner_Radius_secret: 12345678
Radius_acct_activate: no
Radius_acct_interim_interval: 10
Internal_eap_proxy: no
MAC_auth: no
MAC_auth_account_delimiter: dash
MAC_auth_account_case: upper
MAC_auth_calling_station_id_delimiter: dash
MAC_auth_calling_station_id_case: upper
MAC_auth_method: default
Dot11w: no
Dot11w_op: 1
Dot11r: no
Dot11r_over_the_ds: no
Dot11r_mobility_domain_id:
Dot11r_KEK:
Radius_switch_1: no
Radius_IP_addr_1:
Radius_port_1:
Radius_secret_1:
Account_switch_1: no
Account_IP_addr_1:
Account_port_1:
Account_secret_1:
Radius_switch_2: no
Radius_IP_addr_2:
Radius_port_2:
Radius_secret_2:
Account_switch_2: no
Account_IP_addr_2:
Account_port_2:
Account_secret_2:
0
All Replies
-
@danyedinak
Regarding this case,
Thanks for your information.
It seems it shows gibberish characters in the pre-shared key field, causing an additional issue to occur.
We have confirmed this issue internally, so for now you can configure the Pre-Shared Key from the GUI to avoid this issue. Also, we will keep you posted on any modification.
0 -
Zyxel_Charlie. Apologies for the long delay in replying.
I just tested this in V4.39(AAKZ.0) and I see that it's still an issue. I also don't see it listed as a known issue in the release notes for 4.39?
As far as using the GUI, that would be no different than simply using wpa-psk at the command line (or in a script, for example).
If the command wpa-psk-encrypt isn't going to work, maybe it's best to just remove it completely?
Adding to the documentation on this issue, while an SSID using the wpa-psk-encrypt profile is assigned to one or more of the slots, connecting to the console via RS232 shows this error on boot:
ERROR: wlan-security-profile testEncryptSecPro_slot2 wpa-psk ▒▒▒▒@[~l
% zysh_wtp(after 'wpa-psk'): Parse error
ERROR: wlan-security-profile testEncryptSecPro_slot1 wpa-psk ▒▒▒▒@[~l
hostapd.wlan-1 is dead, restart hostapd process at Mon Aug 17 21:47:29 2020
and this recurring failure, roughly every 4 minutes:
hostapd.wlan-1 is dead, restart hostapd process at Tue Aug 18 01:10:37 2020
hostapd.wlan-2 is dead, restart hostapd process at Tue Aug 18 01:10:37 2020
hostapd.wlan-1 is dead, restart hostapd process at Tue Aug 18 01:14:46 2020
hostapd.wlan-2 is dead, restart hostapd process at Tue Aug 18 01:14:46 2020
The error goes away once the SSID with the encrypted psk security profile is removed from the slots, as in:
no slot1 ssid-profile 3
0 -
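An added example, not part of the original thread and not Zyxel tooling: a small parser that picks the two symptoms quoted in the post above out of saved console output, the wpa-psk parse error and the hostapd restart loop. The sample text is constructed from the quoted lines, and the 600-second gap and two-restart thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the console lines quoted in the post above;
# the unprintable key bytes are replaced with a placeholder.
SAMPLE = """\
ERROR: wlan-security-profile testEncryptSecPro_slot2 wpa-psk <unprintable>
% zysh_wtp(after 'wpa-psk'): Parse error
hostapd.wlan-1 is dead, restart hostapd process at Tue Aug 18 01:10:37 2020
hostapd.wlan-2 is dead, restart hostapd process at Tue Aug 18 01:10:37 2020
hostapd.wlan-1 is dead, restart hostapd process at Tue Aug 18 01:14:46 2020
hostapd.wlan-2 is dead, restart hostapd process at Tue Aug 18 01:14:46 2020
"""

PSK_ERR = re.compile(r"ERROR: .*wlan-security-profile (\S+) wpa-psk\b")
RESTART = re.compile(r"(hostapd\.wlan-\d+) is dead, restart hostapd process at (.+)$")

def analyze(text, max_gap_s=600, min_restarts=2):
    """Return (profile names whose wpa-psk line was rejected, looping daemons).
    A daemon counts as looping when it has at least `min_restarts` restarts
    and every gap between consecutive restarts is <= `max_gap_s` seconds.
    Both thresholds are assumptions chosen for this example.
    """
    bad_profiles, restarts = set(), defaultdict(list)
    for line in text.splitlines():
        m = PSK_ERR.search(line)
        if m:
            bad_profiles.add(m.group(1))  # name as logged, slot suffix included
            continue
        m = RESTART.search(line.strip())
        if m:
            try:
                ts = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
            except ValueError:
                continue  # truncated or garbled timestamp: skip the line
            restarts[m.group(1)].append(ts)
    loops = {}
    for daemon, stamps in restarts.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_restarts and gaps and max(gaps) <= max_gap_s:
            loops[daemon] = gaps  # seconds between consecutive restarts
    return bad_profiles, loops

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A single restart line, such as the one seen at boot, is not reported as a loop; only repeated restarts within the gap threshold are.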
@danyedinak
The password (PSK) format does not support wpa-psk-encrypted with plain text. In the PSK field, you can enter the command "wpa-psk" without "encrypted".
1. wlan-security-profile secProEncrypted
2. wpa-encrypt auto
3. wpa-psk SomePassword!
4. mode wpa2
5. exit
6. write
However, if you want to type "wpa-psk-encrypted", the password should be a Hash value, since the device only accepts a "Hash value" after "wpa-psk-encrypted".
EX:
You can check the firmware from the private message, in which "wpa-psk-encrypted with plain text" will not be allowed to be entered.
Charlie
0 -
Hi @Zyxel_Charlie,
I haven't tested the firmware from your message yet, because I've been trying, unsuccessfully, to apply a hash in V4.39(AAKZ.0). With each hash attempt I get an error in the logs (but none when setting the hash or applying profiles).
The logs show an alert and error, something like the following:
2020-09-13 18:30:17alert file-manageERROR: #configure terminal wlan-security-profile testSecPro_slot1 wpa-psk ���;��rݍ19�$�P���I\x02��0\x1dgzO}P\x01/H3�\x10�h`�\x0fp�K?��-�[�X�\x7f���ꯂ�ꨕ��P4��g, Parse error/command not found!
This happens if I hash the password using MD5, sha256 and sha512.
Since you appear to be able to make this work, how are you hashing the password?
0 -
Regarding this case,
Can you first apply the firmware which I private messaged to you, since the solution is included in it?
Charlie
0 -
I will, first chance I get. But, if I read your message about that firmware, it only prevents the entry of a plain text wpa-psk. As great as that would be, it doesn't accomplish the ideal goal here, which is to successfully hash the psk so that the wpa-psk-encrypted works. Or, is there more in that firmware that would help properly hash the psk?
0