SMS Authentication of Users in Omada Hotspot Portal Server
We are trying to use SMS Portal authentication for our now 59-AP EAP WiFi system in India. We are currently using a password-based mechanism to authenticate users (which works just fine), but are now forced to move to SMS authentication for compliance with the country's regulatory norms for Public WiFi.
Have a few questions:
(1) First (Blue Box), does TP-Link have a plan or method to support any non-Twilio Bulk SMS provider with the Omada Hotspot System? Or will it be only Omada + Twilio, or a 3rd-party Hotspot Application Server integrated with its own Bulk SMS provider service? Twilio Bulk SMS in India is an international SMS VAS service and, from the plans put on their website, looks to be 12-24 times or more expensive than local Bulk SMS providers in India.
(2) Second (Red box) mentions an authentication timeout which I am able to set from 1 minute to almost 30 days. If I understand this correctly, it means that once authenticated by the portal (i.e. the OTP from the received SMS is validated by the Omada Hotspot App Server), the system will retain this authentication for the configured timeout period (max. 30 days) and will not present the Portal Page and challenge the user for OTP authentication during the authentication period. Is my understanding correct?
(3) Thirdly, is there a way for system administrators to access the authentication record (log) and see which Client (MAC-ID) was authenticated using what Mobile No. (that received the SMS), was assigned what IP, and at what time this happened? This N-tuple information, we heard, is required to be archived and accessible by law enforcement to track the perpetrator of any cyber crime committed using the Hotspot.
The country regulatory norm for Wifi and issues plaguing the ecosystem are summarized here:
https://factordaily.com/public-wifi-could-finally-be-coming-in-from-the-cold/
Here are the replies to your questions.
1. Does TP-Link have a plan or method to support any non-Twilio Bulk SMS provider with the Omada Hotspot System?
==> For now, we have no plan to support any SMS provider other than Twilio.
2. If I understand this correctly, it means that once authenticated by the portal (i.e. the OTP from the received SMS is validated by the Omada Hotspot App Server), the system will retain this authentication for the configured timeout period (max. 30 days) and will not present the Portal Page and challenge the user for OTP authentication during the authentication period. Is my understanding correct?
==> Yes, you are right.
3. Is there a way for system administrators to access the authentication record (log) and see which Client (MAC-ID) was authenticated using what Mobile No. (that received the SMS), was assigned what IP, and at what time this happened?
==> We have now added a log about the authentication. You can see the authentication in the log.
@forrest : Thanks, all queries are answered. Two follow-up queries:
(1) Any plans by TP-Link to increase the maximum authentication timeout limit beyond 30 days? Say 90, 180, 365 days. The idea is we just don't want to redo the authentication frequently, as we just need to have the map of (Mobile, MAC-ID, IP, Date, Time) in the logs once and then use other logs to investigate any activities.
(2) In the OC200 controller settings, there is a tabbed pane named "Auto backup". Can that be used to automatically back up these "authentication (or all) logs" to a thumb drive, apart from settings, statistics etc.?
Also, why would it need the controller to be powered by PoE to do auto-backup to a connected USB flash drive, as the tooltip seems to suggest? Can this auto-backup feature not be used if the OC200 is powered by a 5V Micro USB charger? How about backup to a network drive share (CIFS/Samba)?
(1) Any plans by TP-Link to increase the maximum authentication timeout limit beyond 30 days?
30 days is enough for most application scenarios; therefore, we have no plan to extend the authentication time for now.
(2) In the OC200 controller settings, there is a tabbed pane named "Auto backup". Can that be used to automatically back up these "authentication (or all) logs" to a thumb drive, apart from settings, statistics etc.?
The log will not be backed up; for now we can only choose to back up the settings and data.
APRC-P3-Tel wrote
(2) In the OC200 controller settings, there is a tabbed pane named "Auto backup". Can that be used to automatically back up these "authentication (or all) logs" to a thumb drive, apart from settings, statistics etc.?
To save OC200 logs on a thumb drive send the log to a log server and set up an appropriate rsyslog filter rule.
How about backup on a network drive share (CIFS/Samba) ?
If you need to back up settings and historical data on a Samba share you should set up a server-based Omada Controller using the Omada software controller. The OC200 is for smaller installations which do not have a server running 24/7.
@forrest : The current implementation of the authentication log for SMS authentication does not entirely help us with meeting the real intention of the Public WiFi regulations in India. Here is the sample log that we got:
1 2020-01-01T08:37:02.120Z - Omada Controller - - android-a41f514eb53187a0 authenticated with SMS to SSID "APRC-P3 Visitor" on T4-Vehicle-Exit-Gate(E-Block)
In the above, "android-a41f514eb53187a0" is the Android host or the device that got authenticated. This log information does not carry the Mobile No. or MAC address of the device. We have the following issues:
(1) If we look at the Omada log, we get a hostname, which the user himself cannot see anywhere in the Android "system" application.
(2) We looked up this device on the "Insight" tab of Omada by its hostname, and we could get its MAC address.
(3) To get the private local IP address corresponding to the MAC, we could get the map from the DHCP/ARP log of the router [this happens before authentication].
(4) If we go to the Twilio dashboard, we can see the mobile nos. to which messages were sent at that time (maybe more than 1, but no other info such as device host, MAC, private IP, etc.).
Therefore the problem is: if the policeman comes asking for a copy of all log records because a cyber crime was committed using our network, we can give it to him, but he would not be able to create the map of (MAC Address, IP Address, Mobile No.) for that day to do any further investigation and zero down on any suspects. Similarly, if a mobile faces an authentication timeout, at least a log with the MAC address of the mobile device should be written.
It would be of great help if the Omada application could output in the authentication log some information such as MAC Address and Mobile No. [IP & OTP not required]. This is transaction state information which only the Omada Hotspot server has. Not Twilio, not our router. Can you guys support this in the next firmware upgrade?
Also, by using a syslog server (FastVue), we could collect and store logs of all Omada and router applications on a central PC as suggested by @R1D2. This is pretty useful for detective work if needed, and we can also back it up for redundancy.
Hi there,
I am also currently looking for a new solution for my hotel to replace my outdated Zyxel N4100 system. Being in France we have more or less the same requirements to identify the guest users.
Mobile number or Username, MAC Address, IP Address, Connection time, Destination IP (not 100% sure, but for phone calls you have to log the destination phone number, so I guess the same applies to the server IP).
If you use the Username approach (Voucher) you have to store the user identification form for one year (Name etc.). So yes, there is quite a lot of data logging. I might dig out an old log later from my server once I am back home.
So currently your system would not meet the legal requirements in France and probably a few other countries in Europe too.
Maybe have a look at Zyxel, as they have it right from the legal approach in Europe, even though their hardware is outdated (UAG4100); that's why I thought that your system might just be the right thing.
Best regards Lens
We have managed to implement SMS authentication of WiFi users with the Omada Controller system, and we are also making some progress with the law enforcement requirements.
(1) While the log could still be improved with additional information like the MAC address at least (an outstanding requirement for TP-Link), we do have a map of MAC Address and Mobile No. laid out neatly in Sites --> Hotspot Manager --> Guest tab (illustration below):
So from the log we get the Android host, from Insight the host-to-MAC mapping, and then from the above table we get the private IP addresses to build this relation. If we examine the router ARP and/or DHCP logs, the map of the MAC to the private LAN IP can also be obtained. It's a manual, multi-step process but very much doable, and since such a forensic analysis requirement is not very common, I am now less concerned.
So on the LAN side, this entire information tuple can be built (I wanted it in the log itself for simplicity):
(Mobile No., MAC Address, LAN Private IP Address)
But law enforcement will come only with the Destination IP, Destination Port, and WAN public IP address of the firewall/router edge device (and maybe the ephemeral WAN port of the firewall/router). They don't have LAN-side information because of NAT, double NAT etc.
So the next step is bridging the WAN-side information with the LAN side to get this tuple:
(WAN Public IP address, WAN ephemeral Port, LAN Private IP Address)
Am still working on this though. The mapping information is in the firewall state tables, and I wanted a state table entry to be logged when created and deleted (timeout, purged, etc.). Generally consumer routers and entry-level enterprise routers don't even show these, forget logging. I am trying to use pfSense, but it has too much logging and again does not seem to log this. They have firewall state table dumps, and it may be possible to dump every N minutes and back up this information to aid in the search. But it may generate a lot of data if not done well. I am keen to write my own pfSense code/application/package to implement this rather than create a new data processing problem.
(2) TP-Link can store all information for 1 year in the Omada system (configurable item). So it meets our requirement. For the logs and other info storage we can give (it's not very cheap).
(3) TP-Link Omada uses Twilio. The Twilio Bulk SMS rate is 5-6 times local SMS provider rates in India, but given that we set the authentication timeout to 30 days, we are getting a daily usage of $1 in the non-COVID19 lockdown situation in the community and 5 cents in the lockdown situation. So cost is no longer a concern, but usability could be improved a little if we could have 3/6/12 months as timeout value options. On the positive side, Twilio seems to be very, very good, stable and reliable, and this makes the whole auth system very easy to implement and use, and very stable. I am very happy now with Twilio.
(4) UAG4100 will not meet our requirement. We want multi-gigabit speed, since we have 4 x 1 Gbps WAN connections (will shortly expand to 6), 4-6 LAN ports aggregated, VLAN support, multiple DHCP pools, and lots of other small features. pfSense seems to be 95% suitable (except for the above law enforcement problem), and we can always buy new hardware if we face a performance issue.
It's weekend R&D work for me, so I go slow here. With the COVID19 situation, there is less cyber crime risk on site and less probability of law enforcement auditing us.
Lens wrote
Hi there,
I am also currently looking for a new solution for my hotel to replace my outdated Zyxel N4100 system. Being in France we have more or less the same requirements to identify the guest users.
Mobile number or Username, MAC Address, IP Address, Connection time, Destination IP (not 100% sure, but for phone calls you have to log the destination phone number, so I guess the same applies to the server IP).
If you use the Username approach (Voucher) you have to store the user identification form for one year (Name etc.). So yes, there is quite a lot of data logging. I might dig out an old log later from my server once I am back home.
So currently your system would not meet the legal requirements in France and probably a few other countries in Europe too.
Maybe have a look at Zyxel, as they have it right from the legal approach in Europe, even though their hardware is outdated (UAG4100); that's why I thought that your system might just be the right thing.
Best regards Lens
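The multi-step correlation described in this post (Omada log line, Insight host-to-MAC table, Hotspot Manager Guest table, DHCP leases, firewall NAT state) and the tuple the earlier post asked for, as an added Python example that is not part of this thread, of Omada or of pfSense: only the Omada log line format is taken from the page; the hostnames, MACs, IPs, phone numbers, lease records and the NAT state layout are constructed placeholders, and the tables are assumed to have been exported by hand.

```python
import re
from datetime import datetime

# Constructed sample data (not from the page): one Omada syslog line in the format the
# post quotes, plus the side tables an operator would export from the controller/router.
OMADA_LOG = ('1 2020-01-01T08:37:02.120Z - Omada Controller - - android-a41f514eb53187a0 '
             'authenticated with SMS to SSID "APRC-P3 Visitor" on T4-Vehicle-Exit-Gate(E-Block)')
INSIGHT = {"android-a41f514eb53187a0": "aa:bb:cc:00:11:22"}   # Insight tab: hostname -> MAC
GUEST_TABLE = {"aa:bb:cc:00:11:22": "+91-0000000001"}        # Hotspot Manager -> Guest: MAC -> mobile
# DHCP leases: (mac, lan_ip, lease_start, lease_end) in ISO-8601 UTC; leases are reused, so time matters
DHCP_LEASES = [("aa:bb:cc:00:11:22", "10.20.30.40", "2020-01-01T08:30:00Z", "2020-01-01T20:30:00Z")]
# Firewall NAT state entries (assumed dump layout): (lan_ip, lan_port, wan_ip, wan_port,
# dst_ip, dst_port, created, closed)
NAT_STATES = [("10.20.30.40", 51234, "203.0.113.5", 40001, "198.51.100.9", 443,
               "2020-01-01T09:02:10Z", "2020-01-01T09:05:44Z")]

LOG_RE = re.compile(r'^(?:\d+\s+)?(?P<ts>\S+) - Omada Controller - - (?P<host>\S+) '
                    r'authenticated with SMS to SSID "(?P<ssid>[^"]+)" on (?P<ap>\S+)$')

def parse_ts(s):
    """Parse the Zulu timestamps used in the log and tables into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_omada_auth(line):
    """Extract time, hostname, SSID and AP from an Omada SMS-auth syslog line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"time": parse_ts(m["ts"]), "hostname": m["host"], "ssid": m["ssid"], "ap": m["ap"]}

def mac_for_ip_at(lan_ip, when):
    """MAC that held lan_ip at time 'when' according to the DHCP lease records."""
    for mac, ip, start, end in DHCP_LEASES:
        if ip == lan_ip and parse_ts(start) <= when <= parse_ts(end):
            return mac
    return None

def lan_record_for_auth(line):
    """LAN-side tuple for one authentication: hostname -> MAC (Insight) -> mobile (Guest table)."""
    ev = parse_omada_auth(line)
    if ev is None:
        return None
    mac = INSIGHT.get(ev["hostname"])   # an empty/'Unknown' hostname cannot be resolved this way
    ev["mac"] = mac
    ev["mobile"] = GUEST_TABLE.get(mac) if mac else None
    return ev

def resolve_wan_request(wan_ip, wan_port, dst_ip, dst_port, when):
    """Reverse lookup from the WAN-side tuple law enforcement holds to (LAN IP, MAC, mobile)."""
    for lan_ip, _lport, wip, wport, dip, dport, created, closed in NAT_STATES:
        if ((wip, wport, dip, dport) == (wan_ip, wan_port, dst_ip, dst_port)
                and parse_ts(created) <= when <= parse_ts(closed)):
            mac = mac_for_ip_at(lan_ip, when)
            return {"lan_ip": lan_ip, "mac": mac, "mobile": GUEST_TABLE.get(mac) if mac else None}
    return None   # no state covered that instant: report "unknown" rather than guess
```

The time checks are the important part: a DHCP lease or NAT port reused later by another device must not be attributed to the earlier user.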
Thanks for the information. Good to see that there is a table with the phone numbers and the MAC addresses. Will this be written to a syslog server or just stored in the device for one year? For the connection log I had the same idea as you, using either Sophos or pfSense to log the connections of the guest VLAN and write them to a syslog:
Mac-Address : Local-Ip from DHCP Server : Time Stamp : Port : Destination-Ip
but I am not sure if that is so easy. But at least with this information it would be safe to use as a public hotspot.
The problem I see with legal requirements in India or France is that they violate the laws in other countries. For example, if TP-Link added personal information to the Omada controller as per your request, the Omada Controller could not be used anymore in countries which have strong data protection laws such as Germany.
In Germany it's strictly forbidden to record any personal data such as the MAC address or IMEI number for an unspecified time if it is not used for billing purposes or to fulfill contracts. According to a ruling of the German highest court, MAC addresses are personal data. For technical reasons, a MAC address can be stored for a very short time only, e.g. for 7 days, to be able to mitigate against DDoS or other attacks. But after a week it must be (physically!) deleted.
What's more, ISPs are not deputies to law enforcement. In Germany, it is not even permitted to carry out investigative activities yourself, as this is a sovereign task that only the authorities are allowed to perform (violations are punishable by law, too).
Authorities in Germany can neither request to store records of login sessions on a public hotspot nor request them from the hotspot provider, only judges can order to store specific information about suspects in the future (but also not request any data from the past!).
The only solution I see to fulfill contradicting laws in different countries is to create your own hotspot portal (like our company did for Germany). The laws in different countries are just too specific to the country, which makes it extremely difficult to offer a turn-key solution for all.
APRC-P3-Tel, the name for an Android smartphone is the hostname Android sends to the Omada controller as the WiFi hostname. The Omada controller just displays what it gets from the client device (if it gets any name at all; otherwise it will show »Unknown« if the received WiFi hostname is empty).
@Lens: As per what I have seen, this table is stored on the device only (likely in MongoDB). Definitely not logged or sent via syslog. It's persistent and is retained if the controller is moved to another device also. Didn't see any table backup/snapshot (.csv) feature either. I think the whole idea of being able to track a device from its internet access needs work at the system level.
My personal opinion is that it should be implemented in the firewall only, as the firewall has most of the relevant information, other than the MAC-ID to Mobile No. mapping. Maybe TP-Link should expose a programmatic interface (say using a REST API) to pull out the Mobile No. from the MAC-ID that is maintained in the Hotspot Manager -> Guest table. Basically I prefer to have a co-located or standalone app server for forensics of this sort.
Lens wrote
Thanks for the information. Good to see that there is a table with the phone numbers and the MAC addresses. Will this be written to a syslog server or just stored in the device for one year? For the connection log I had the same idea as you, using either Sophos or pfSense to log the connections of the guest VLAN and write them to a syslog:
Mac-Address : Local-Ip from DHCP Server : Time Stamp : Port : Destination-Ip
but I am not sure if that is so easy. But at least with this information it would be safe to use as a public hotspot.