Bug/Vulnerability on EAP225-Outdoor + Omada Controller + Voucher Authentication
EAP225-Outdoor has a serious bug/vulnerability when it's managed by Omada Controller.
Vulnerability is striggered by Omada Controller is offline, or when OC200 is offline.
Normally, when both are online, EAP and Omada Controller(PC/OC200), with voucher authentication enabled, users are able to connect to the Wifi Network without a password, from there, a portal is opened, and unless the user enter's a valid Voucher Code, user won't be able to use the internet. User will only be connected to the Wifi Network but can't use the internet.
The problem occurs when Omada Controller is offline.
When a user connects to EAP which is managed by Omada Controller, and the Omanda Controller is offline, of course, portal will not run and doesn't show the user to enter a Voucher Code. It instead show the user this:
And checking on "I accept the Terms of Use" then click login, user are then able to get this:
Portal Login Success!
And is now able to connect to the internet. User doesn't need a valid voucher code to use the internet. And user is connected to the network permanently.
Now, when I run the controller, or in my case, OC200, it shows that the user is connected to the network as guest (KWL-GL503VD)t:
But if I check in Insight > Past Guest Authentication, the device's MAC Address is not there, as it didn't authenticate the normal way, via voucher. No voucher was used to successfully connect to the network. I also checked the "Log", connection/authentication is also not recorded, since user connects to the network, and successfully logged in to the portal while Omada Controller is offline.
As a temporary solution to avoid this vulnerability, the Omanda Controller (PC/OC200) must be turned ON first, and get connected to the internet (OC200) before turning on the EAP. Though, it takes time for the Omada Controller to sync with EAP, it's still much better than turning them ON at the same time, making the EAP vulnerable for a about 2 minutes, before OC200 gets connected to the internet and synced with EAP.
Still, this should be fixed ASAP. When an EAP is managed by Omada Controller, this login screen
should not be displayed, when the Omada Controller is not detected. Through this, other users will be able to use your network and connect to the internet without the controller's portal.
Update:
I tried to Unautorize the device, but it can't be unauthorized as it gives an error: Authorization iniformation does not exist. So this device is now permanently connected to the network and can't be unauthorized.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@forrest Hi! I already saw the firmware upgrade but haven't tested yet. Just wanna say thank you for hearing us out and for keeping in touch. Keep it up!
- Copy Link
- Report Inappropriate Content
@mgmamac still the same, problem not solved.
- Copy Link
- Report Inappropriate Content
Thank you for your test.
This firmware doesn't fix this bug (tha's why we didn't note it in the release note of this frimware.)
The firmware which fixs this bug has finished now and we are testing it, we should release the new firmware in the following days.
- Copy Link
- Report Inappropriate Content
@forrest when will it be fixed?
- Copy Link
- Report Inappropriate Content
All workers will have a 7-day holiday because of the Spring Festival in China, we will release the firmware after the holiday. It should be February.
When we release it, we will tell you on the forum.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
same problem with mine, hope it will be fix soon.
eap110 v3
firmware: 3.4.0 Build 20191014 Rel. 37397
- Copy Link
- Report Inappropriate Content
Wow its been 2 months since i visited the forum and this bug is also present in EAP110-outdoor. This BUG happens when the EAP got rebooted or restarted and start before the OC200. I got both EAP225-outdoor and EAP110-outdoor. The EAP225-outdoor got fixed with latest firm ware and I haven't encountered it in my EAP110 maybe because I'm using POE router of ubnt and plug my OC200 with a mobile charger (ubnt can't power my OC200 with the ubnt because it needs IEEE 802.3af). With this whenever I got power interuption (and it happens alot-thats why I encountered the BUG) or my setup got rebooted, OC200 will start up faster than the POE router which after 1-2mins will power and start the EAPs.
I know forrest team is fixing the bug and with the nCov virus (I've back read about the Chinese new year and TPLink a taiwan company so I presume they are having hard time there) so while we wait here are some suggestions:
1. Like back with the EAP225-outdoor BUG we got a temporary fix last time by downgrading the firmware of EAP225-outdoor, as I've search the update of firmware of EAP110-outdoor v3, I found the oldest firmware of EAP110-Outdoor(US)_V3_3.2.0 Build 20181113 that was published 2018 - 12 - 11. try downgrading from there or if there is a much older firmware and test if the problem is fixed and as a temporarily measure then try upgrading it until you find the firmware that started it.
2. Use a UPS for the router/switch and OC200/server so that it won't go down or disconnect with the EAP because of power interruption. And always start the OC200/server than the EAPs so that they can connect to the OC200/server than going stand alone.
This are only some suggestions and it might not work depending on different circumstances, etc. And forrest team or the TPLINK team are the only ones that can properly fix it at the moment. :)
- Copy Link
- Report Inappropriate Content
We have finished this firmware, but we need some time to test it in our lab.
Now there is a serious flu in our country, we are not allowed to the office these days. When we are back to the office, we will test the firmware as soon as possible.
- Copy Link
- Report Inappropriate Content
@forrest just want to ask if there is a sales monitoring in omada controller, coz i want to monitor how many vouchers have i released and if it also tallies to my earnings
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 11497
Replies: 30
Voters 0
No one has voted for it yet.