USG60W Applying wlan-security-profile with wpa-psk-encrypted to SSID breaks SSID

danyedinak
danyedinak Posts: 49  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security
On a USG60W, applying a wlan-security-profile that uses wpa-psk-encrypted to a wlan-ssid-profile causes the SSID to stop broadcasting and generates errors in the log.

Steps to reproduce
  1. USG60W running 4.35(AAKZ.0C0) or 4.38(AAKZ.0) and factory default configuration
  2. From Management box, login to USG60W and Enable SSH
  3. Connect to USG60W by SSH
  4. Configure security profile and apply using following commands 
  5. enable
  6. configure terminal
  7. wlan-security-profile secProStandard
  8. wpa-encrypt auto
  9. wpa-psk SomePassword!
  10. mode wpa2
  11. exit
  12. wlan-security-profile secProEncrypted
  13. wpa-encrypt auto
  14. wpa-psk-encrypted SomePassword!
  15. mode wpa2
  16. exit
  17. write
  18. wlan-ssid-profile default
  19. security secProStandard
  20. exit
  21. write
  22. Connect client device to the ZyXEL ssid using the SomePassword!
  23. Success
  24. Disconnect Client Device and return to SSH session on management device
  25. wlan-ssid-profile default
  26. security secProEncrypted
  27. exit
  28. write
  29. Scan for wireless networks on client device. ZyXEL ssid (or other ssid as appropriate) find it is no longer visible
  30. show logging entries (filter as desired)
  31. WARNING: #configure terminal wlan-security-profile secProEncrypted_slot2 exit, Security Profile's WPAPSK setting check failed.
  32. ERROR: #configure terminal wlan-security-profile secProEncrypted_slot2 wpa-psk U�������oS_mode><Downlink_rate_limit>0 mbps</Downlink_rate_limit><Uplink_rate_limit>0 mbps</Uplink_rate_limit><Forward_mode>localbridge</Forward_mode><SSID_VLAN_id>1</SSID_VLAN_id><Tunnel_VLANIF></Tunnel_VLANIF><Band_Select_mode>disable</Band_Select_mode><Band_Select_balance_ratio>0</Band_Select_balance_ratio><Band_Select_stop_threshold>0</Band_Select_stop_tC2ƻ\x1e, Parse error/command not found!
  33. show wlan-security-profile secProEncrypted
security profile: secProEncrypted
  reference: 1
  Description: Documenting wpa-psk-enc issue
  Security: wpa2
  Open_Share: open
  WEP_Enc: 64
  Def_Key: 1
  Key1: 
  Key2: 
  Key3: 
  Key4: 
  ReAuth_timer: 0
  Idle_timeout: 300
  Group_key_update_timer: 30000
  WPA_enc: aes
  Preshared_key: ����@[~l
  WPA2_PreAuth: yes
  EAP_auth: no
  EAP_internal_external: internal
  EAP_internal_method: default
  Inner_Radius_IP_addr: 127.0.0.1
  Inner_Radius_port: 1812
  Inner_Radius_secret: 12345678
  Radius_acct_activate: no
  Radius_acct_interim_interval: 10
  Internal_eap_proxy: no
  MAC_auth: no
  MAC_auth_account_delimiter: dash
  MAC_auth_account_case: upper
  MAC_auth_calling_station_id_delimiter: dash
  MAC_auth_calling_station_id_case: upper
  MAC_auth_method: default
  Dot11w: no
  Dot11w_op: 1
  Dot11r: no
  Dot11r_over_the_ds: no
  Dot11r_mobility_domain_id: 
  Dot11r_KEK: 
  Radius_switch_1: no
  Radius_IP_addr_1: 
  Radius_port_1: 
  Radius_secret_1: 
  Account_switch_1: no
  Account_IP_addr_1: 
  Account_port_1: 
  Account_secret_1: 
  Radius_switch_2: no
  Radius_IP_addr_2: 
  Radius_port_2: 
  Radius_secret_2: 
  Account_switch_2: no
  Account_IP_addr_2: 
  Account_port_2: 
  Account_secret_2: 

All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @ danyedinak
    Regarding to this case,
    Thanks for your information.
    It seems its shows gibberish characters on pre-shared key field cause additional issue occur.

    We have confirmed this issue internally, so you could configure the Pre-Shared Key from the GUI to avoid this issue currently. Also, any modification will keep you post.
  • danyedinak
    danyedinak Posts: 49  Freshman Member
    First Anniversary Friend Collector First Comment
    edited August 2020
    Zyxel_Charlie . Aplogies for the long delay in replying.

    I just tested this in V4.39(AAKZ.0) and I see that it's still an issue. I also don't see it listed as a known issue in the release notes for 4.39?

    As far as using the GUI, that would be no different than simply using wpa-psk at the command line (or in a script, for example).

    If the command wpa-psk-encrypt isn't going to work, maybe it's best to just remove it completely? 

    Adding to the documentation on this issue, while an SSID using the wpa-psk-encrypt profile is assigned to one or more of the slots, connecting to the console via RS232 shows this error on boot : 
    ERROR: wlan-security-profile testEncryptSecPro_slot2  wpa-psk ▒▒▒▒@[~l% zysh_wtp(after 'wpa-psk'): Parse error
    ERROR: wlan-security-profile testEncryptSecPro_slot1  wpa-psk ▒▒▒▒@[~lhostapd.wlan-1 is dead, restart hostapd        process at Mon Aug 17 21:47:29 2020

    and this recurring failure, roughly every 4 minutes : 

    hostapd.wlan-1 is dead, restart hostapd process at Tue Aug 18 01:10:37 2020
    hostapd.wlan-2 is dead, restart hostapd process at Tue Aug 18 01:10:37 2020
    hostapd.wlan-1 is dead, restart hostapd process at Tue Aug 18 01:14:46 2020
    hostapd.wlan-2 is dead, restart hostapd process at Tue Aug 18 01:14:46 2020

    The error goes away once the SSID with the encrypted psk security profile is removed from the slots, as in : 
     no slot1 ssid-profile 3
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    @danyedinak
    The password(PSK) format does not support wpa-psk-encrypted with plain text, on psk field, you can enter command "wpa-psk" without "encrypted".

    1.    wlan-security-profile secProEncrypted

    2.    wpa-encrypt auto

    3.    wpa-psk SomePassword!

    4.    mode wpa2

    5.    exit

    6.   write

    However, if you want to type "wpa-psk-encrypted", the password should be Hash value, since device only accept "Hash value" after"wpa-psk-encrypted".

    EX:




    You can check the firmware from private message which "wpa-psk-encrypted with plain text" will not be allowed to enter.

    Charlie

     


  • danyedinak
    danyedinak Posts: 49  Freshman Member
    First Anniversary Friend Collector First Comment
    edited September 2020
    Hi @Zyxel_Charlie ,
    I haven't tested the firmware from your message yet, because I've been trying, unsuccessfully, to apply a hash in V4.39(AAKZ.0). With each hash attempt I get an error in the logs (but none when setting the hash or applying profiles).

    The logs show an alert and error, something like the following :

    2020-09-13 18:30:17                                               
         alert               file-manage                                                            
         ERROR: #configure terminal wlan-security-profile testSecPro_slot1  wpa-psk ���;��rݍ19�$�P���I\x02��0\x1dgzO}P\x01/H3�\x10�h`�\x0fp�K?��-�[�X�\x7f���ꯂ�ꨕ��P4��g, Parse error/command not found!

    This happens if I hash the password using MD5, sha256 and sha512.

    Since you appear to be able to make this work, how are you hashing the password?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    @danyedinak

    Regarding to this case,

    Can you apply the firmware which I private message to you first, since the solution was included in.

    Charlie

  • danyedinak
    danyedinak Posts: 49  Freshman Member
    First Anniversary Friend Collector First Comment
    I will, first chance I get. But, if I read your message about that firmware, it only prevents the entry of a plain text wpa-psk. As great as that would be, it doesn't accomplish the ideal goal here, which is to successfully hash the psk so that the wpa-psk-encrypted works. Or, is there more in that firmware that would help properly hash the psk?

Security Highlight