Omada EAP Controller Linux

2018-06-16 03:15:10
Does anybody have any ideas or possibly a solution to running the EAP Controller on startup/reboot of a Linux box? I'm running it currently on a Debian 9 Intel NUC right now, but I have to manually start it up with sudo privileges. I noticed that with Windows, it's possible to run it as a service but I haven't been able to find any way to do the same on a Linux kernel.
#1
Re:Omada EAP Controller Linux
2018-06-16 06:41:28
Do not run the original Controller as root on a public server. Instead use the community version to run it with privilege separation (and yes, it will start after reboot if enabled as a service, while in the official release there is a long-standing bug preventing that).

See this post for latest version of EAP Controller v2.6.1 for Linux: https://forum.tp-link.com/showthread.php?106969-Omada-EAP-controller-for-Linux&p=240551&viewfull=1#post240551
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
Re:Omada EAP Controller Linux
2018-06-17 06:03:54

R1D2 wrote

Do not run the original Controller as root on a public server. Instead use the community version to run it with privilege separation (and yes, it will start after reboot if enabled as a service, while in the official release there is a long-standing bug preventing that).

See this post for latest version of EAP Controller v2.6.1 for Linux: https://forum.tp-link.com/showthread.php?106969-Omada-EAP-controller-for-Linux&p=240551&viewfull=1#post240551


I'm not running it as root, however I am running it as a privileged user with admin rights added to the sudo list. The version I'm running is 2.5.3. How do I run it as a service in Linux and did you say there is a bug in version 2.5.3 with it loading on system start?

BTW, it's not a public server. It's sitting behind a router on a private network not serving except for the EAP controller. I also created an ACL policy rule to not allow any secondary SSIDs access to the entire subnet it resides on. Mainly for the guest network.
#3
Re:Omada EAP Controller Linux
2018-06-17 09:42:03

ray816 wrote

I'm not running it as root, however I am running it as a privileged user with admin rights added to the sudo list.


If you grant the user administrative rights, the process runs with those rights, no matter whether you start it as root or using sudo.

The version I'm running is 2.5.3. How do I run it as a service in Linux and did you say there is a bug in version 2.5.3 with it loading on system start?


You need to create the missing symlinks from start/stop script names in /etc/rc2.d/Sxxtpeap or /etc/rc3.d/Sxxtpeap to /etc/init.d/tpeap. Search the Linux docs for how to do this if you insist on using the original script, which is not installing those symlinks.


BTW, it's not a public server. It's sitting behind a router on a private network not serving except for the EAP controller. I also created an ACL policy rule to not allow any secondary SSIDs access to the entire subnet it resides on. Mainly for the guest network.


If you want to use portal pages in the guest network, you need to grant access to the system running EAPC also for guest users (at least to TCP port 8043).

But if you prefer to run v2.5.3, you can do so.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
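The symlink layout described in the post above, as an added shell example that is not part of the original thread or of the controller package: it reports which runlevels lack a start or stop link to `/etc/init.d/tpeap` and creates the missing ones. The function names, the scratch tree and the priority `99` standing in for `xx` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ROOT is a path prefix so the functions can be tried on a scratch tree.

# Print the runlevels in LEVEL... that lack a KIND (S or K) link
# resolving to ROOT/etc/init.d/SVC. Dangling links count as missing.
missing_links() {   # usage: missing_links ROOT SVC KIND LEVEL...
    root=$1 svc=$2 kind=$3; shift 3
    out=""
    for lvl in "$@"; do
        found=no
        for link in "$root/etc/rc$lvl.d/$kind"[0-9][0-9]"$svc"; do
            if [ -L "$link" ] && [ -e "$link" ] &&
               [ "$(readlink "$link")" = "../init.d/$svc" ]; then
                found=yes
            fi
        done
        [ "$found" = yes ] || out="$out $lvl"
    done
    echo "${out# }"
}

# Create whatever is missing: S<PRIO> in runlevels 2-5, K<PRIO> in 0, 1, 6.
add_links() {       # usage: add_links ROOT SVC PRIO
    root=$1 svc=$2 prio=$3
    [ -x "$root/etc/init.d/$svc" ] || { echo "no init script: $svc" >&2; return 1; }
    for lvl in $(missing_links "$root" "$svc" S 2 3 4 5); do
        ln -sf "../init.d/$svc" "$root/etc/rc$lvl.d/S$prio$svc"
    done
    for lvl in $(missing_links "$root" "$svc" K 0 1 6); do
        ln -sf "../init.d/$svc" "$root/etc/rc$lvl.d/K$prio$svc"
    done
}

# Constructed scratch tree in the state the thread describes:
# init script installed, no rc?.d links. Prints the tree's path.
make_demo_tree() {
    t=$(mktemp -d)
    for lvl in 0 1 2 3 4 5 6; do mkdir -p "$t/etc/rc$lvl.d"; done
    mkdir -p "$t/etc/init.d"
    printf '#!/bin/sh\n' > "$t/etc/init.d/tpeap"
    chmod +x "$t/etc/init.d/tpeap"
    echo "$t"
}

demo=$(make_demo_tree)
echo "missing before: $(missing_links "$demo" tpeap S 2 3 4 5)"
add_links "$demo" tpeap 99   # priority 99 is an assumed value for "xx"
echo "missing after:  $(missing_links "$demo" tpeap S 2 3 4 5)"
rm -rf "$demo"
```

On a Debian system, `update-rc.d tpeap defaults` is the packaged tool for creating the same links under the real `/etc`.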
Re:Omada EAP Controller Linux
2018-06-18 10:08:53

R1D2 wrote

If you grant the user administrative rights, the process runs with those rights, no matter whether you start it as root or using sudo.


I installed it per the instructions provided in the EAP Controller PDF as it indicated to use sudo. After doing so, I didn't set the permissions for users to execute the tpeap start/stop script. I left it as is after the installation. There are no other users on the workstation and the workstation won't have access to the internet except when I am ready to do updates. Forgive me, I'm not that well versed in Linux except for my years of experience in working with Raspberry Pis. Should I be doing this differently in my setup? Can you give me a good reason why it's not a good idea to run it as a sudo user?

If you want to use portal pages in the guest network, you need to grant access to the system running EAPC also for guest users (at least to TCP port 8043).


Thank you for pointing that out. I will have to remember this if I decide to reconfigure the guest network to use portal authentication. At the moment I'm only using a WPA2/AES password for guests.

But if you prefer to run v2.5.3, you can do so.


I don't have to run v2.5.3 from the TP-Link website, I just wanted to try it out and see how it runs on the workstation with Linux. This unit is only for a household and not a business.
#5
Re:Omada EAP Controller Linux
2018-06-19 08:45:02

ray816 wrote

Should I be doing this differently in my setup? Can you give me a good reason why it's not a good idea to run it as a sudo user?


Short version: because no web service should be running with administrative rights (Linux is not Windows).

Long version: because v2.5.3 for Linux has a lot of security-related bugs openly discussed already (see CVE-2018-10164, CVE-2018-10165, CVE-2018-10166, CVE-2018-10167 and especially CVE-2018-10168). Whether those pose a risk depends on the usage pattern of your WiFi network. But if you are not using the EAPs for business, your network security probably won't be affected at all.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#6