This article describes how to enable and use Two-Factor Authentication (2FA) for a Captive Portal SSID in Zyxel Nebula Control Center (NCC).
2FA enhances network access security by requiring users to enter a one-time verification code generated by an authenticator application (for example, Google Authenticator) in addition to their Nebula cloud credentials.
This feature is supported on selected cloud-managed access points (see the supported model list in NCC).
Prerequisites
Nebula Control Center organization and site configured
Cloud-managed AP with firmware supporting Captive Portal + 2FA
SSID configured with Nebula Cloud Authentication
User account registered in Nebula
Authenticator application installed on the client device (e.g., Google Authenticator)
Configuration Steps
Log in to Nebula Control Center.
Navigate to:
Configure → Access point → SSID advanced settingsSelect the desired SSID.
Under Sign-on method, choose:
Sign-on with Nebula cloud authenticationEnable the toggle Two-Factor authentication (2FA).
Click Save to apply the configuration.
Once enabled, users authenticating through the Captive Portal will be required to complete 2FA enrollment (first login) and verification.
End-User Authentication Flow (Smart Device Example)
When a user connects to the configured SSID:
Initial Login
The user enters their Nebula username/email and password.
Click Login.
2FA Enrollment (First-Time Setup)
The portal prompts the user to set up Google Authenticator.
The user scans the displayed QR code using the authenticator app.
Alternatively, a manual setup key can be entered.
Click Next.
Account Linking
The authenticator app generates a one-time verification code (OTP).
The user enters the code in the Captive Portal.
Click Verify.
Successful Enrollment
The system confirms that 2FA is successfully enabled.
The user gains network access.
For subsequent logins, only the OTP verification step is required after entering credentials.
Comments
0 commentsPlease sign in to leave a comment.