VLAN and WiFi/SSID Nebula authentication at the same time

baba (Master Member)
Hello!

If, on the USG Flex 200 Security Gateway, the VLAN is secured with Nebula Authentication and at the same time an SSID with WPA3 Enterprise and Nebula Authentication is used, the WiFi clients do not get Internet access, and a certificate from the USG Flex 200 is delivered instead of the nebula-default certificate.

How can I secure WiFi and VLAN with Nebula Authentication at the same time?

Thanks!


All Replies

  • Zyxel_Richard (Zyxel Employee), edited May 2022
    For other community members, this discussion is split from the original discussion thread below; kindly check it if you're interested: https://community.zyxel.com/en/discussion/13398/wpa-enterprise-wifi-certificate-error-while-fetching-mails-from-office365.

    Please note that the sign-on function on the firewall will apply to all the traffic in the entire subnet you've assigned, including traffic from both wireless and wired RJ45 clients.

    So to achieve your goal (set a sign-on method for wired and wireless clients), there are two approaches for you:

    1. You can simply enable the sign-on method on the gateway, so that all the traffic from both wired and wireless clients is intercepted.

    2. If you want to set different sign-on methods for wired and wireless clients, you can create an additional VLAN (on gateway and AP) for the wireless clients. That way you can customize the wireless sign-on method on the AP, and customize the wired sign-on method on the gateway.

    Best Regards,
    Richard
  • baba (Master Member)
    Hi @Zyxel_Richard,

    With WPA3 Enterprise it is not possible to disable cloud authentication, so I can't implement your solution. Do you have any other idea?

    Thanks!
  • Zyxel_Richard (Zyxel Employee), edited May 2022, Answer ✓
    Hi @baba,

    Let me further explain the detailed process of the first approach:

    1. On the SSID Profile, set WPA3-Enterprise with NCAS (so when users want to access Wi-Fi, they have to enter the correct username/password first).

    2. On the Firewall setting page, you can then enable the sign-on method on the given subnet, so that both wired and wireless clients will need to pass the portal authentication after they access the network. (They'll see an authentication web page as soon as they connect to the network.)

    (If the authentication page doesn't show up, kindly open the browser and try to enter "neverssl.com".)

    3. If you want to apply Two-Factor authentication only for wireless clients, you can enable it on the SSID profile. If you want to apply it to both wired and wireless clients, you can enable it on the firewall setting page.

    As for the other approach, you can separate wireless and wired clients into two VLAN subnets, so that you can create a wired sign-on method in the firewall settings (for the wired subnet) and configure the wireless authentication method on the SSID advanced setting page.

    Best Regards,
    Richard
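
As an added example (my own code, not from this thread or from Zyxel), here is the check that the "try neverssl.com" advice relies on, written as a small Python probe. A client fetches a plain-HTTP URL whose normal reply is known; a sign-on portal such as the firewall's intercepts that request and answers with a 3xx to its login page, an inline HTML login page, or HTTP 511 instead of the expected body. Probing the same host over HTTPS surfaces the certificate symptom described in the thread: the interceptor presents its own certificate and TLS verification fails. The portal markers used for the inline case, and the sample responses in the checks, are assumptions for illustration, not the actual markup of the Nebula sign-on page.

```python
"""Captive-portal probe: the check behind "open the browser and try neverssl.com".

Added example, not Zyxel code. A client fetches a plain-HTTP URL whose normal
response is known. A sign-on portal intercepts the request and answers with a
redirect to its login page, an inline login page, or HTTP 511, instead of the
expected body.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional

# Apple's connectivity check: this URL returns exactly this body when nothing
# intercepts it (iOS uses the same check to decide whether to pop the portal).
APPLE_PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
APPLE_EXPECTED_BODY = (
    "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
)
# neverssl.com serves plain HTTP on purpose so that a portal can intercept it;
# its body is not fixed, so it is classified without an expected body.
NEVERSSL_URL = "http://neverssl.com/"

# Strings that suggest an inline login page (assumption: a heuristic, not the
# exact markup of the Nebula sign-on page).
PORTAL_MARKERS = ("<form", "login", "sign-on", "sign in", "password")


@dataclass
class ProbeResult:
    verdict: str  # "open", "portal_redirect", "portal_inline", "tls_intercepted", "error"
    detail: Optional[str] = None  # redirect target or error text


def classify(status: int, headers: Dict[str, str], body: str,
             expected_body: Optional[str] = None) -> ProbeResult:
    """Classify one HTTP response to a probe URL."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        # The portal redirects the client to its own login URL.
        return ProbeResult("portal_redirect", hdrs["location"])
    if status == 511:
        # RFC 6585: Network Authentication Required.
        return ProbeResult("portal_inline", "HTTP 511")
    if expected_body is not None and body.strip() == expected_body:
        return ProbeResult("open")
    if any(marker in body.lower() for marker in PORTAL_MARKERS):
        # A 200 carrying a login form in place of the real content.
        return ProbeResult("portal_inline", "login markup in body")
    if expected_body is None and status == 200:
        return ProbeResult("open")
    return ProbeResult("error", f"unexpected status {status}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx; the redirect itself is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, expected_body: Optional[str] = None,
          timeout: float = 5.0) -> ProbeResult:
    """Fetch a probe URL once, without following redirects, and classify it."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return classify(resp.status, dict(resp.headers), body, expected_body)
    except urllib.error.HTTPError as e:
        # 3xx (redirects are disabled), 511, or any other error status.
        body = e.read().decode("utf-8", errors="replace")
        return classify(e.code, dict(e.headers), body, expected_body)
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            # An HTTPS probe hit an interceptor presenting its own certificate
            # (the gateway's certificate instead of the expected one).
            return ProbeResult("tls_intercepted", str(e.reason))
        return ProbeResult("error", str(e.reason))


if __name__ == "__main__":
    for url, expected in ((APPLE_PROBE_URL, APPLE_EXPECTED_BODY),
                          (NEVERSSL_URL, None),
                          ("https://captive.apple.com/hotspot-detect.html",
                           APPLE_EXPECTED_BODY)):
        r = probe(url, expected)
        print(f"{url}: {r.verdict}" + (f" ({r.detail})" if r.detail else ""))
```

Run it from a client that has just joined the SSID: "open" on both plain-HTTP probes means nothing is intercepting; "portal_redirect" with the gateway's address as the target shows the firewall sign-on still applies to that client even after WPA3-Enterprise succeeded; "tls_intercepted" on the HTTPS probe is what a browser shows as the certificate warning from the thread, which is why the plain-HTTP neverssl.com page gets the portal to appear where an HTTPS page cannot.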



  • baba (Master Member)
    Hi @Zyxel_Richard, this solution isn't working. If I enable sign-on on the firewall and WiFi with WPA3 Enterprise, the certificate of the firewall is delivered instead of the right nebula-default certificate. The WiFi clients get no Internet.

    please have a look to: https://community.zyxel.com/en/discussion/13398/wpa-enterprise-wifi-certificate-error-while-fetching-mails-from-office365#latest
  • Zyxel_Richard (Zyxel Employee), edited May 2022, Answer ✓
    Hi @baba, can you enable Zyxel support under [Help > Support Request > Invite Zyxel support as the administrator > Save] and provide us your Org and Site name, so that we can further check your settings?

    Also, when you face the certificate issue, please open your Safari browser, enter the URL "neverssl.com", and see if the authentication web page shows up.

    I'll also contact you through private message for further issue diagnosis.

    Best Regards,
    Richard
  • baba (Master Member)
    Hi @Zyxel_Richard,

    neverssl.com fixed it, but it's not sustainable for my clients. Apple said they have no bug and captive portals will work correctly.

    I would like to make a feature request: skip the captive portal for the VLAN if the client is already authenticated via WPA3 Enterprise using Nebula Cloud Authentication. This would allow iOS clients to authenticate via WPA3 Enterprise and still secure the VLAN with the captive portal.
  • Zyxel_Richard (Zyxel Employee), edited May 2022
    Hi @baba

    After checking the settings of your Nebula site, we share our findings below:

    This is our current design, which separates WPA2/3-Enterprise authentication and firewall portal authentication, since one is for WiFi access control and the other is for Internet access control.

    We can for sure make a feature request and evaluate it internally. For the short run, in your case:

    1. You can separate the Ethernet traffic into the other VLAN and apply the firewall authentication to that subnet; this way wireless clients don't need to do double authentication.

    2. If you want to remain in the current structure, you can enable the 2FA settings in the SSID. With the 2FA settings, the AP will synchronize the login status with the firewall, so wireless clients only need to authenticate once (WPA-Enterprise + 2FA).

    Best Regards,
    Richard

  • baba (Master Member)
    Hi @Zyxel_Richard,

    Why does 2. only work with 2FA? There are problems with the 2FA request on iOS devices, just like with the captive portal, in that the window does not open automatically. Is there any way to have the login status sync with the firewall even without 2FA? If not, I would like to make a feature request.

    Thanks!

  • Zyxel_Richard (Zyxel Employee)
    Hi baba,

    We can make a feature request for this.

    The reason they currently don't synchronize is that these two mechanisms (WPA2/3-Enterprise authentication and firewall portal authentication) are made for different purposes: one is for WiFi access control, and the other is for Internet access control.

    So if a user passes WPA3-Enterprise, they can get an IP and access other devices in the same subnet, but they need to pass the portal authentication on the firewall to access the Internet.

    Best regards,
    Richard
  • baba (Master Member)
    Hi @Zyxel_Richard!

    I don't understand. I thought the captive portal in the firewall is there to join the VLAN (Firewall -> Authentication Method -> Network access) and not to get Internet access?
