Bug/Vulnerability on EAP225-Outdoor + Omada Controller + Voucher Authentication
EAP225-Outdoor has a serious bug/vulnerability when it's managed by Omada Controller.
The vulnerability is triggered when the Omada Controller is offline, or when the OC200 is offline.
Normally, when both the EAP and the Omada Controller (PC/OC200) are online, with voucher authentication enabled, users are able to connect to the Wi-Fi network without a password. From there, a portal is opened, and unless the user enters a valid Voucher Code, the user won't be able to use the internet. The user will only be connected to the Wi-Fi network but can't use the internet.
The problem occurs when Omada Controller is offline.
When a user connects to an EAP which is managed by the Omada Controller, and the Omada Controller is offline, of course the portal will not run and doesn't prompt the user to enter a Voucher Code. It instead shows the user this:
And after checking "I accept the Terms of Use" and then clicking Login, the user is then able to get this:
Portal Login Success!
And the user is now able to connect to the internet. The user doesn't need a valid voucher code to use the internet, and the user is connected to the network permanently.
Now, when I run the controller, or in my case the OC200, it shows that the user is connected to the network as a guest (KWL-GL503VD):
But if I check in Insight > Past Guest Authentication, the device's MAC Address is not there, as it didn't authenticate the normal way, via voucher. No voucher was used to successfully connect to the network. I also checked the "Log"; the connection/authentication is also not recorded, since the user connected to the network and successfully logged in to the portal while the Omada Controller was offline.
As a temporary solution to avoid this vulnerability, the Omada Controller (PC/OC200) must be turned ON first and get connected to the internet (OC200) before turning on the EAP. Though it takes time for the Omada Controller to sync with the EAP, it's still much better than turning them ON at the same time, which leaves the EAP vulnerable for about 2 minutes before the OC200 gets connected to the internet and synced with the EAP.
Still, this should be fixed ASAP. When an EAP is managed by the Omada Controller, this login screen
should not be displayed when the Omada Controller is not detected. Through this screen, other users will be able to use your network and connect to the internet without the controller's portal.
Update:
I tried to Unauthorize the device, but it can't be unauthorized as it gives an error: "Authorization information does not exist." So this device is now permanently connected to the network and can't be unauthorized.