io-digital / tephra

Node.js RADIUS server framework
BSD 3-Clause "New" or "Revised" License

Struggling setting it up with TP Link Archer C50 #28

Closed dunklesToast closed 6 years ago

dunklesToast commented 6 years ago

Hi!

Got the default code from the Readme file to test this out. Set my TP Link router to WPA/WPA2 - Enterprise mode. When I try to log in, the request is visible at the Tephra server but does not carry a password. I think that's because the secret is wrong. Is there any setting in the TP Link router I need to change? All settings here: Settings

I can change the Auth Type to WPA, WPA2 and Auto and the Encryption to TKIP and AES.

Hope you can help me with this, tom

skibz commented 6 years ago

hi @dunklesToast, thanks for getting in touch!

the settings you have chosen seem fine to me. 👍

unfortunately i'm not familiar with the hardware you are using, but i'll do my best to help 😄 can you please paste a dump of the request you receive? something like this should do the trick:

server.on('Access-Request', function(packet) {
  // dump every decoded attribute of the incoming request
  console.log(JSON.stringify(packet.attributes))
})

skibz commented 6 years ago

i've had a look at the technical documentation for your router and the radius client doesn't appear to be mentioned in any way besides the form options you've shown above. which means we'll literally have to see the kinds of requests and responses it produces to figure out how it works.

dunklesToast commented 6 years ago

So here is the output. I just added the complete packet:

{ code: 'Access-Request',
  identifier: 1,
  length: 126,
  authenticator: <Buffer d6 a7 ee 8d d0 bb 99 2a a1 e6 5b 11 da e3 23 a2>,
  attributes: 
   { 'User-Name': 'tom',
     'NAS-IP-Address': '192.168.0.1',
     'NAS-Identifier': 'RalinkAP0',
     'NAS-Port': 0,
     'Called-Station-Id': '00-00-00-00-00-00',
     'Calling-Station-Id': '00-00-00-00-00-00',
     'Framed-MTU': 1400,
     'NAS-Port-Type': 'Wireless-802.11',
     'EAP-Message': <Buffer 02 01 00 08 01 74 6f 6d>,
     'Message-Authenticator': <Buffer 66 93 65 07 93 fc dd ce d5 7e 58 68 f6 68 be 86> },
  raw_attributes: 
   [ [ 1, <Buffer 74 6f 6d> ],
     [ 4, <Buffer c0 a8 00 01> ],
     [ 32, <Buffer 52 61 6c 69 6e 6b 41 50 30> ],
     [ 5, <Buffer 00 00 00 00> ],
     [ 30,
       <Buffer 37 30 2d 34 46 2d 35 37 2d 38 30 2d 46 44 2d 42 31> ],
     [ 31,
       <Buffer 44 30 2d 43 35 2d 46 33 2d 38 31 2d 38 41 2d 43 38> ],
     [ 12, <Buffer 00 00 05 78> ],
     [ 61, <Buffer 00 00 00 13> ],
     [ 79, <Buffer 02 01 00 08 01 74 6f 6d> ],
     [ 80, <Buffer 66 93 65 07 93 fc dd ce d5 7e 58 68 f6 68 be 86> ] ] }

I hope I am not leaking anything :D The password I entered was test. When I used the "original" radius module I got an error like "Invalid Secret", but it is the same on the router and the server side.

tom

EDIT BY @skibz : redacted mac addresses

skibz commented 6 years ago

so i checked the freeradius project's list of vendor dictionaries and there is no tp-link dictionary listed, which probably means that your router is sending every attribute it knows to the tephra server.

this could mean two things:

  1. it's normal for your router to send no password, meaning you have to authenticate users with their mac addresses
  2. there is an undocumented way to cause the router to send a password that was specified by the user when they authenticated with the wireless access point

determining whether number 2 is a reality could be very difficult. so i propose you try the following:

var tephra = require('tephra')
var server = new tephra(/* etc */)

// store mac addresses of devices you want to allow here
var whitelist = [
  '00-00-00-00-00-00'
]

server.on('Access-Request', function(packet, rinfo, accept, reject) {
  // Calling-Station-Id is the MAC address of the wireless client, as reported by the access point
  var user_is_allowed = whitelist.indexOf(packet.attributes['Calling-Station-Id']) !== -1
  // accept/reject/respond take the same arguments: attributes, vendor attributes, callback
  if (user_is_allowed) return accept([], [], console.log)
  reject([], [], console.log)
}).on('Accounting-Request', function(packet, rinfo, respond) {
  respond([], [], console.log)
})
server.bind()

if the above code results in your wireless device being allowed access to the network, then everything works as expected! 😄

unfortunately, this authentication mechanism is vulnerable to mac spoofing. so if somebody managed to learn your device mac addresses, they'd be able to successfully authenticate. my recommendation is to contact your router vendor's support team to find out if there are any undocumented radius client features for your router model. with a little bit of luck, they might be able to show you how to cause your router to pass along a user-specified password.

EDIT: how did you manage to send a User-Name of tom in your access-request packet?

dunklesToast commented 6 years ago

Well, the code does not work -.- The User-Name was the name I entered on my iPhone when I wanted to connect.

tom

skibz commented 6 years ago

closing this due to inactivity. please reopen if you have any more information to share regarding the issue.