802.1x Cloud Auth Security
I have not seen any updates to the KB article demonstrating device authentication via WPA2/3 Enterprise with LEAP as phase 1 and NONE as phase 2. This is insecure and goes against current best practice. Has there been an update to this config method? If so can someone please direct me to it? If not Zyxel should update Nebula Cloud authentication as soon as possible. Some devices already refuse to retain network settings due to the poor security, and more and more newer devices will show similar behavior as time goes on.
0
All Replies
-
Hi @cglavanNow we will use the EAP-PEAP as phase 1 from devices to AP.And AP will transmit data via TLS as phase 2 from AP to NCAS.You don’t worry about the security with transmit dataAbout “Some devices already refuse to retain network settings due to the poor security”, if you have any actual cases, please share us. Let us check what issue does it have?ThanksJay0
-
Hi Jay,
Android devices running GrapheneOS will not retain network settings because phase 2 option 'none' was removed due to weak security.0 -
Hi @ cglavanHere is the screenshot that we use Wireshark to capture the AP to NCAS packet.You can see that the packets are encrypted by TLSv 1.2. You can’t see the information without de-encapsulation.Because we don’t have a “GrapheneOS” device, we can’t test it for you. But all of our products will follow the security Wi-Fi policy with Android and IOS. Please ignore that message, thank you.Jay0
-
Hi Jay,
This is a change that came in Android 11 due to the inherent MITM risks in not requesting and/or validating the server-side certificate on the client. Evil twin and other rogue AP attacks are commonplace and becoming ever more advanced. For enterprise-level security, not requiring the certificate check-- or worse, auto-accepting it-- isn't really acceptable as the only cloud-based client configuration option...0 -
Hi @cglavanFirst, AP gives the request to the cloud server by encryption transmission(TLSv1.2). And then the cloud server will exchange the key and give the AP the certification. AP will check this certification is trusted. They will send the data after these steps.The middlemen can't connect to the AP and Server by forwarding the data, because they can't de-encryption the packet.Jay0
-
Okay. Is there a certificate that can be installed on end devices then so that they trust the connection? The issue is that if there's no configurable second phase and thus no way to store the network on the end device with a 'no certificate' option, then the end device has to re-verify the trust every single time it connects.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight