Bug/Vulnerability on EAP225-Outdoor + Omada Controller + Voucher Authentication
EAP225-Outdoor has a serious bug/vulnerability when it's managed by Omada Controller.
Vulnerability is striggered by Omada Controller is offline, or when OC200 is offline.
Normally, when both are online, EAP and Omada Controller(PC/OC200), with voucher authentication enabled, users are able to connect to the Wifi Network without a password, from there, a portal is opened, and unless the user enter's a valid Voucher Code, user won't be able to use the internet. User will only be connected to the Wifi Network but can't use the internet.
The problem occurs when Omada Controller is offline.
When a user connects to EAP which is managed by Omada Controller, and the Omanda Controller is offline, of course, portal will not run and doesn't show the user to enter a Voucher Code. It instead show the user this:
And checking on "I accept the Terms of Use" then click login, user are then able to get this:
Portal Login Success!
And is now able to connect to the internet. User doesn't need a valid voucher code to use the internet. And user is connected to the network permanently.
Now, when I run the controller, or in my case, OC200, it shows that the user is connected to the network as guest (KWL-GL503VD)t:
But if I check in Insight > Past Guest Authentication, the device's MAC Address is not there, as it didn't authenticate the normal way, via voucher. No voucher was used to successfully connect to the network. I also checked the "Log", connection/authentication is also not recorded, since user connects to the network, and successfully logged in to the portal while Omada Controller is offline.
As a temporary solution to avoid this vulnerability, the Omanda Controller (PC/OC200) must be turned ON first, and get connected to the internet (OC200) before turning on the EAP. Though, it takes time for the Omada Controller to sync with EAP, it's still much better than turning them ON at the same time, making the EAP vulnerable for a about 2 minutes, before OC200 gets connected to the internet and synced with EAP.
Still, this should be fixed ASAP. When an EAP is managed by Omada Controller, this login screen
should not be displayed, when the Omada Controller is not detected. Through this, other users will be able to use your network and connect to the internet without the controller's portal.
Update:
I tried to Unautorize the device, but it can't be unauthorized as it gives an error: Authorization iniformation does not exist. So this device is now permanently connected to the network and can't be unauthorized.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi! I would like to bump this thread to report that this issue also exists in EAP110-Outdoor. I hope we'll also have a firmware upgrade for this. Thanks!
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@forrest There's still bug on EAP110-Outdoor. Same with this problem.
Model:
EAP110-Outdoor(EU) |
|
Firmware Version:
3.3.0 Build 20190301 Rel. 37118 |
Hardware Version:
3.0
- Copy Link
- Report Inappropriate Content
For EAP225 V3.0, EAP245 V3.0, EAP225-Outdoor, EAP225-Wall, we have released new firmwares and fixed the bug.
For EAP110-Outdoor, we are still making the firmware, it still needs some time. When we finish it, we will upload it to TP-Link offical website.
- Copy Link
- Report Inappropriate Content
Good Day,
Is the new firmware for the EAP110-Outdoor available already?
Any temporary solution for this bug?
Thanks
forrest wrote
For EAP225 V3.0, EAP245 V3.0, EAP225-Outdoor, EAP225-Wall, we have released new firmwares and fixed the bug.
For EAP110-Outdoor, we are still making the firmware, it still needs some time. When we finish it, we will upload it to TP-Link offical website.
- Copy Link
- Report Inappropriate Content
@Thucydides The firmware is finished and we are testing it, if everything goes well, we will release it in the following few days.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@akodako For the EAP110, the firmware will be released in the next following days.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@akodako Now the issue has been fixed on the EAP225 v3.0, EAP245 v3.0 and EAP225-Outdoor, EAP225-Wall. For the EAP110 series, the firmware will be released soon.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 11400
Replies: 30
Voters 0
No one has voted for it yet.