Omada SDN 4.1.5 and External Portal is a pain
Sorry, but the information on https://www.tp-link.com/us/support/faq/2907/ is simply crap.
This cannot work, because the examples are written for the older Omada controllers.
Also the hint to use /api/v2/hotspot/extPortal/auth?token=blabla doesn't make things better, because if you send your clientMac=BL-AH-ST-UF-F0&site=bla... stuff, as described in the above document, you will get a "-1" error, telling you just "general error" (and yes, my JSON curl stuff is working fine...)
If you use the V2 API to log in without the hotspot operator stuff, using /api/v2/login NOT /api/v2/hotspot/login, and you send a POST to /api/v2/sites/SITE-ID/cmd/clients/CLIENT-MAC/auth?token=bla..., your device is authorized and your access to the net is gained. The problem with this method is that you cannot set an expiry timer. Therefore you need /api/v2/hotspot/extPortal/auth?token=bla..., which leads to this creepy "general error".
I figured out some interesting things by myself about how to control the clients using the new V2 API, but I cannot find a way to make things work using the /api/v2/hotspot stuff for an external portal site, and there aren't any documents right now which lead you in the right direction.
So, how can I get my portals back into a working state after upgrading to 4.1.5? Please, TP-Link guys, release some documents on how to use this API CORRECTLY, and you'd better delete the above document, 'cause it's totally wrong.
Dear @0llli,
Sorry to hear that you have trouble with the External Portal Server based on FAQ2907.
I've forwarded this to the senior engineer, who will review and evaluate the example guidance again; if there is anything wrong, we'll modify and update FAQ2907 soon. In addition, could you please reply with the server log for further analysis?
@Fae, thanks for your reply and for forwarding it.
There is nothing of interest in the log, and login attempts don't generate a log entry. There is only one line, repeating every few minutes:
2020-09-21 11:49:47 [client-history-provider-0] [INFO]-[SourceFile:74] - Need override old client history for client XX-XX-XX-XX-XX-XX with lastSeen 1600685377254
I will show you what works:
1.) POST as application/json: {"username":"operator","password":"blablabla"} to /login and you will get the token
2.) POST empty: /sites/aBcDeFg/cmd/clients/AA-BB-CC-DD-EE-FF/auth?token=TOKEN-RETRIEVED-BY-LOGIN
This works for the local Omada user "operator" on site aBcDeFg and results in an authorized client, listed as authorized by "Administrator - control" in the Hotspot panel. But there is no way to manipulate the expiry time, which lets clients bypass expiration limitations. You can, however, set upload and download limits, optionally with:
PATCH as application/json: {"rateLimit":{"enable":"true","downEnable":"true","downLimit":20,"downUnit":2,"upEnable":"true","upLimit":5,"upUnit":2}} to /sites/aBcDeFg/clients/AA-BB-CC-DD-EE-FF?token=TOKEN-RETRIEVED-BY-LOGIN
But this is not temporary for the session, it is persistent, so you must reset it later if you want to remove the limits.
What doesn't work is what the FAQ says (also see the difference between "username" for the portal login and "name" for the hotspot login, and remember that this login is not for local users; they must be created at /hotspot/login before):
1.) POST as application/json: {"name":"operator","password":"blablabla"} to /hotspot/login THIS WORKS and gives you the token
2.) POST as application/json: {"clientMac":"AA-BB-CC-DD-EE-FF","apMac":"FF-AA-FF-AA-FF-AA","ssidName":"HottestSpot","t":"1600685371953","radioId":1,"site":"aBcDeFg","time":3600} to /hotspot/extPortal/auth?token=TOKEN-RETRIEVED-BY-HOTSPOT-LOGIN
The last step doesn't work and leads to error -1 "general error" OR (and that's weird) an empty response.
I also tried /hotspot/auth, /hotspot/sites/aBcDeFg/auth, /hotspot/sites/aBcDeFg/cmd/clients/AA-BB-CC-DD-EE-FF/auth and some other combinations. Some led to "unsupported request path", while the 3 auth requests listed before led to an empty response or "general error".
I can ack clients using the portal API, but this is not the way it should work, and also there are no expiry limitations.
Can you give me a list of all API URLs and the methods and fields to use with them? This is much easier than non-working examples.
Also, I will finalize a general PHP API class on GitHub later, which everybody can use to control the SDN via PHP.
Okay, finally got it to work.
In the next few days, I will get my Omada SDN controller class to a usable state and will publish the sources on GitHub.
For those who have the same problem: in 4.1.5 there are some significant changes in request handling.
First, I had to send clientMac, apMac, ssidName, t, radioId, authType, site, and time, as authType seems to be a new required field (like vid and gatewayMac).
Now /api/v2/extPortal/hotspot/auth?token=blablabla accepts the JSON fields above, sent as a POST request, and gives you an OK.
But, beware! After the authorization, the client expires immediately. This is because of some calculation changes. After your client visits the portal entry page, the timestamp TIME is given as epoch seconds since 1970 (Unix timestamp). But now it expects a multiple of the timestamp (multiplied by 1000). Also, the field t (expiration time in seconds) now wants to be multiplied by 1000. So 1 hour is not 3600 seconds, but 3600000. Remember this when things go crazy ;-)
Also I found out that /auth supports data sent in JSON, but only if you send it to the unencrypted (YES, DON'T KNOW WHY) HTTP port 8080. If you send the same request to 8043 (the SSL port by default), it results in an error -1.
Also there is a way to encrypt the data, which is pretty nice. For this you have to send a GET request to /portal/pubKey, which will return a generated 1024-bit public key as a result. The controller holds the corresponding private key in memory, and believe me, it is NOT STORED IN the JAVA KEYSTORE database, it only exists in RAM (searched for this for hours *crap*).
For the encryption to work, you need to generate a 16-byte IV and a 16-byte key. For both, use letters and numbers, because of strange UTF-8 behavior in Java with special chars and binary stuff (e.g. if you work with PHP). Use openssl_encrypt with your generated key and IV and encrypt your JSON auth string. Cipher settings are: AES-256-ECB with PKCS1 padding, not OAEP! Then concat Key + IV and use openssl_public_encrypt with the retrieved public key to generate a URL-encoded base64 string, which you use as a query parameter with the name "key". Now send your encrypted JSON as the POST payload, without an identifier, to /auth/?key=abcefghblabla and you should get your authorization. If things don't work as expected, check for correct UTF-8 conversion first.
The same thing seems to work for /hotspot/auth, but remember to use the token and key queries together.
If you authorize a client with /auth, there is no need to log in, and it also works for an extPortal. A side effect is that you can use the authType for the internal voucher and SMS login stuff without logging in as an operator or administrator. Due to the missing documentation I had to do some research; sorry TP-Link guys, but now I know what you did last summer ;-)
I hope to get this PHP interface class working as soon as possible, which can be used to control the controller ;-) and lets you realize some really cool portal stuff. The SDN software concept is well done by TP-Link, but the docs are still a pain.... developers (like me) are all the same :D
@0llli Wow, great job man! I am facing the same issue; may I know what the value for authType is?
Here are the authType values:
0 = no authentication (if someone clicked your "LOGIN" button without needing credentials)
1 = simple password
2 = SMS (you need to configure the SMS provider settings and trigger the SMS send function)
3 = Authentication by RADIUS server (has to be configured first)
4 = see 3
5 = Authenticate as local user
6 = Voucher (see /hotspot/login and Voucher to generate some)
7 = Facebook (Auth is done by FB redirect)
All other values will lead to an error.
Here is the working code from my alpha-stage PHP class. Hope that makes things easier to understand:
public function hotspot_authorize($encrypted = false)
{
    // Build the extPortal auth payload; t and time are sent in milliseconds (see above)
    $auth = new \stdClass;
    $auth->clientMac = $this->client->mac;
    $auth->apMac = $this->client->ap->mac;
    $auth->ssidName = $this->client->ap->radio->ssid;
    $auth->t = ($this->client->time->since_epoch * 1000);
    $auth->radioId = $this->client->ap->radio->id;
    $auth->gatewayMac = "";
    $auth->vid = "";
    $auth->authType = 0;                                   // 0 = no authentication, see list above
    $auth->site = $this->client->ap->site;
    $auth->time = ($this->client->time->expire * 1000);
    $auth->clientIp = $this->client->ip_address;
    $auth->originUrl = $this->client->redirect_url;

    // AES-encrypt the JSON; the RSA-wrapped Key + IV is kept in $this->encryption->data_key->encrypted
    $encrypted_auth = $this->encrypt(json_encode($auth));

    if ($encrypted) {
        // Encrypted body, wrapped key passed in the "key" query, no content type
        $res = $this->api_send("/hotspot/extPortal/auth?token=" . $this->csrf_token . "&key=" . $this->encryption->data_key->encrypted, $encrypted_auth);
    } else {
        // Plain JSON body
        $res = $this->api_send("/hotspot/extPortal/auth?token=" . $this->csrf_token, $auth, "application/json");
    }

    // errorCode 0 in the JSON response means the client is authorized
    if ($res && $this->data->length > 0) {
        if ($this->data->json->errorCode == 0) {
            $this->client->authorized = true;
            $this->client->time->authorized = time();
            return true;
        }
    }
    return false;
}
Will publish the working beta soon.
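The encrypt() method the class above calls is not shown. As an added example (my code, not @0llli's class), here is a standalone version of the encryption procedure described in the earlier reply (AES over the JSON, Key + IV wrapped with the controller's RSA public key and sent URL-encoded as the "key" query parameter), together with a payload builder that applies the *1000 rule for t and time and the authType list from this post. The MACs, site id, SSID and the throwaway RSA key pair in demo() are constructed stand-ins; in real use the public key is the response of GET /portal/pubKey and the body is POSTed to /hotspot/extPortal/auth with the token and key queries, as the class above does.

```php
<?php
// Added example, not the poster's class. Field names and cipher settings follow
// the thread; all MACs, site id, SSID and the RSA key pair in demo() are constructed.

// authType values exactly as listed in the thread.
const AUTH_TYPES = [
    'none' => 0, 'password' => 1, 'sms' => 2, 'radius' => 3,
    'radius_alt' => 4, 'local_user' => 5, 'voucher' => 6, 'facebook' => 7,
];

// $client keys: clientMac, apMac, ssidName, radioId, site, t (portal timestamp in seconds).
function build_auth_payload(array $client, int $authType, int $expireSeconds): array
{
    if (!in_array($authType, AUTH_TYPES, true)) {
        throw new InvalidArgumentException("authType $authType is not one of 0..7");
    }
    return [
        'clientMac'  => $client['clientMac'],
        'apMac'      => $client['apMac'],
        'ssidName'   => $client['ssidName'],
        't'          => $client['t'] * 1000,     // 4.1.5 expects milliseconds
        'radioId'    => $client['radioId'],
        'gatewayMac' => '',
        'vid'        => '',
        'authType'   => $authType,
        'site'       => $client['site'],
        'time'       => $expireSeconds * 1000,   // 1 hour is 3600000, not 3600
    ];
}

// Letters and digits only, as the post recommends to avoid UTF-8 trouble.
function random_alnum(int $len): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Returns ['body' => encrypted JSON to POST, 'key' => value for the ?key= query].
// $controllerPubKeyPem is what GET /portal/pubKey returns.
function encrypt_auth_payload(array $payload, string $controllerPubKeyPem): array
{
    $key = random_alnum(16);
    $iv  = random_alnum(16);

    // Cipher settings as the post states them. ECB takes no IV, so none is passed
    // to openssl_encrypt; the IV still goes into the wrapped blob because the post
    // says the controller expects Key + IV there.
    $body = openssl_encrypt(json_encode($payload), 'aes-256-ecb', $key, OPENSSL_RAW_DATA, '');
    if ($body === false) {
        throw new RuntimeException('AES encryption failed: ' . openssl_error_string());
    }

    // Wrap Key + IV with the controller's public key, PKCS#1 v1.5 padding (not OAEP).
    $wrapped = '';
    if (!openssl_public_encrypt($key . $iv, $wrapped, $controllerPubKeyPem, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('RSA wrap failed: ' . openssl_error_string());
    }
    return ['body' => $body, 'key' => rawurlencode(base64_encode($wrapped))];
}

// Round trip against a throwaway 1024-bit key pair standing in for the controller
// (constructed here; in real use the public key comes from /portal/pubKey).
function demo(): bool
{
    $pair   = openssl_pkey_new(['private_key_bits' => 1024, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $pubPem = openssl_pkey_get_details($pair)['key'];

    $client  = ['clientMac' => 'AA-BB-CC-DD-EE-FF', 'apMac' => 'FF-AA-FF-AA-FF-AA',
                'ssidName' => 'HottestSpot', 'radioId' => 1, 'site' => 'aBcDeFg', 't' => time()];
    $payload = build_auth_payload($client, AUTH_TYPES['none'], 3600);
    $env     = encrypt_auth_payload($payload, $pubPem);

    // What the receiving side has to do: unwrap Key + IV, then decrypt the JSON.
    $blob = '';
    openssl_private_decrypt(base64_decode(rawurldecode($env['key'])), $blob, $pair, OPENSSL_PKCS1_PADDING);
    $plain = openssl_decrypt($env['body'], 'aes-256-ecb', substr($blob, 0, 16), OPENSSL_RAW_DATA, '');
    return json_decode($plain, true) === $payload;
}

echo demo() ? "round trip ok\n" : "round trip mismatch\n";
```

Two things to keep in mind when porting this. PHP's openssl_encrypt silently NUL-pads a passphrase that is shorter than the cipher needs, so the 16-character key the post calls for becomes a 32-byte AES-256 key with 16 zero bytes appended; another language must derive the same key or the controller will not decrypt the body. And since the post reports that the plain JSON variant is only accepted on the unencrypted port 8080, the encrypted variant is the one to prefer wherever the portal and the controller are not on the same trusted network segment.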
@0llli Congratulations for taming this beast.
Will this work on the software controller as well? I don't understand much of HTML/PHP/JS or JSON code, but is there some simple copy-paste code, with some changes to the text and image files and color scheme, that can then be used as an external portal? I know a bit of Linux, so I can follow directions.
Thanks and keep doing good work.