Bug: WPA3-Enterprise with 2FA and no internet after reauth time

baba
baba Posts: 280  Master Member
First Anniversary 10 Comments Friend Collector
edited May 2022 in Nebula
Hello,

when i activate 2FA together with WPA3 Enterprise the client has no internet after the reauth time anymore. There is no auth/two-factor screen after the reauth time. 

Test-Client: iPhone 13 Pro with iOS 15

As soon as I deactivate 2FA in the SSID settings, it works normally again.

Thanks!

Accepted Solution

  • Zyxel_CSO
    Zyxel_CSO Posts: 375  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2022 Answer ✓
    Hi Baba,

    Once station auth timeout and can not go to the internet, it should automatically pop out the connection page.
    In this case, Apple devices do not pop out login page automatically, even we disconnect and re-connect again. 
    There is a way to resolve IOS issue by key in HTTP://neverssl.com in your browser.
    it will redirect to login page to cover this case.

    Thank you.
    BR, Dick

All Replies

  • Zyxel_CSO
    Zyxel_CSO Posts: 375  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi baba,

    We are testing the issue, we will keep posting the update status.

    Thanks for your information.


  • baba
    baba Posts: 280  Master Member
    First Anniversary 10 Comments Friend Collector
    Hi @Nebula_CSO,

    I think the problem lies in WPA3 and the certificate in connection with iOS15. Even without 2FA, iOS clients no longer have Internet access after the reauth time.
  • Zyxel_CSO
    Zyxel_CSO Posts: 375  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2022 Answer ✓
    Hi Baba,

    Once station auth timeout and can not go to the internet, it should automatically pop out the connection page.
    In this case, Apple devices do not pop out login page automatically, even we disconnect and re-connect again. 
    There is a way to resolve IOS issue by key in HTTP://neverssl.com in your browser.
    it will redirect to login page to cover this case.

    Thank you.
    BR, Dick
  • baba
    baba Posts: 280  Master Member
    First Anniversary 10 Comments Friend Collector
    Hi @Nebula_CSO, neverssl.com fixed it, but this is not sustainable for my clients.

    I would like to make a feature request: Skip the captive portal from the VLAN if the client is already authenticated via WPA3 Enterprise using Nebula Cloud Authentication. This would allow iOS clients to authenticate via WP3 Enterprise and still secure the VLAN with the Captive Portal.
  • Zyxel_CSO
    Zyxel_CSO Posts: 375  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi baba,

    We will implement a new feature "MAC Auth+ Captive Portal".
    The client can auth with their MAC address and pass the captive portal.
    The feature will be launched in mid of July.

    Based on your requirement, it is hard to achieve in the current networking model,
    because the client fails to Auth with 802.1x it will be disconnected, it can not get IP and redirect to the captive portal.

    I hope the MAC Auth + Captive Portal can fulfill your requirement.

    Thank you.
    BR, Dick



Nebula Tips & Tricks