Bug: WPA3-Enterprise with 2FA and no internet after reauth time
Hello,
When I activate 2FA together with WPA3 Enterprise, the client no longer has internet after the reauth time. There is no auth/two-factor screen after the reauth time.
Test-Client: iPhone 13 Pro with iOS 15
As soon as I deactivate 2FA in the SSID settings, it works normally again.
Thanks!
Accepted Solution
-
Hi Baba,
Once the station's auth times out and it cannot reach the internet, the connection page should pop up automatically.
In this case, Apple devices do not pop up the login page automatically, even if we disconnect and reconnect.
There is a way to resolve the iOS issue: key in HTTP://neverssl.com in your browser.
It will redirect to the login page to cover this case.
Thank you.
BR, Dick
All Replies
-
Hi baba,
We are testing the issue; we will keep posting status updates.
Thanks for your information.
0 -
Hi @Nebula_CSO,
I think the problem lies in WPA3 and the certificate in connection with iOS15. Even without 2FA, iOS clients no longer have Internet access after the reauth time.
0 -
Hi @Nebula_CSO, neverssl.com fixed it, but this is not sustainable for my clients.
I would like to make a feature request: Skip the captive portal from the VLAN if the client is already authenticated via WPA3 Enterprise using Nebula Cloud Authentication. This would allow iOS clients to authenticate via WPA3 Enterprise and still secure the VLAN with the Captive Portal.
0 -
Hi baba,
We will implement a new feature, "MAC Auth + Captive Portal".
The client can auth with their MAC address and pass the captive portal.
The feature will be launched in mid-July.
Based on your requirement, it is hard to achieve in the current networking model,
because when the client fails to auth with 802.1x, it will be disconnected; it cannot get an IP and be redirected to the captive portal.
I hope the MAC Auth + Captive Portal can fulfill your requirement.
Thank you.
BR, Dick