@forrest : Thanks, all queries are answered. Two followups queries:

(1) Any plans by TpLink to increase the maximum authentication timeout limit beyond 30 days ? Say 90, 180, 365 days. The idea is we just don't want to redo the authentication frequently as we just neded to have the map of (Mobile, Mac-ID, IP, Date, time) in the logs once and then use other logs to investigate any activities. 

(2) In OC200 controller settings, their is an tabbed pane named "Auto backup". Can that be used to automatically backup these "authentication (or all) logs" to Thumb drive, apart from settings, statistics etc ?

Also why would it need the controller to be powered by PoE to do autobackup on connected USB flash drive as the tooltip seems to suggest ? Can this feature of autobackup not be used if OC200 is powered by a 5V Micro USB charger ? How about backup on a network drive share (CIFS/Samba) ?

@APRC-P3-Tel 

(1) Any plans by TpLink to increase the maximum authentication timeout limit beyond 30 days ?

30-day is enough for most application scenarios, therefore, we have no plan to expand the authentication time for now.

(2) In OC200 controller settings, their is an tabbed pane named "Auto backup". Can that be used to automatically backup these "authentication (or all) logs" to Thumb drive, apart from settings, statistics etc ?

The log will not be backuped, now we can only choose to backup the settings and data. 

@forrest : The current implementation of authentication log for SMS authentication does not entirely help us with meeting the real uintention of the Public Wifi regulations in india. Here is what is the sample log that we got:

1 2020-01-01T08:37:02.120Z - Omada Controller - - android-a41f514eb53187a0 authenticated with SMS to SSID "APRC-P3 Visitor" on T4-Vehicle-Exit-Gate(E-Block)

In the above "android-a41f514eb53187a0"is the android host or the device that got authenticated. This log information does not carry the Mobile No., Mac-Address of the device  We have the following issue

(1) If we look at Omada log, we get a hostname, which the user himself cannot see anywhere on android "system" application.

(2) We looked up this device on "insight' tab of omada, by its hostname, and we could get its Mac-Address.

(3) To get Private Local IP-Address, corresponding to the Mac,  we could get the Map from DHCP /ARP log of router [this happens before authentication]

(4) If we go to Twilio dashboard, we can see mobile nos., to which messages were sent at that time (maybe more than 1, but no other info such as device host, mac, private IP, etc)

Therefore the problem is if the policeman come asking for a copy of all log records if a cyber crime is committed using our network, we can give him but he would not be able to create the Map of (Mac-Address, IP Address, Mobile No.) on that that day to do any further investigation and zero down on any suspects.  Similarly if mobile faces an authentication timeout, atleast a log with Mac address of mobile device should be written.

It would be of great help if the Omada application can output in the authentication log, give some information such as Mac-Address, Mobile No [IP & OTP not required]. This is a *transaction state information which only the Omada Hotspot server has. Not Twilio, not our Router. Can you guys support this in the next firmware upgrade ?

Also by using syslog server (FastVue), we could collect and we can store logs of all Omada and Router application in a central PC as suggested by  @R1D2. This is pretty useful for detective work if needed and we can also back it up fopr redendancy. 

Hi there,

I am also currently looking for a new solution for my hotel to replace my outdated Zyxel N4100 system. Being in France we have more or less the same requirements to identify the guest users.

Mobile number or Username, Mac-Adress, IP-Adress, Connection-time, Destination-IP (not 100% sure but for phone calls you have to log the destination phone number so I guess same applies to Server-IP)

If you use the Username apporach (Voucher) you have to store the user identification form for one year (Name etc.) So yes there is quite a lot of data logging.  I might dig out an old log later from my server once I am back home.

So currently your system would not meet the legal requirements in France and probably a few other countries in Europe too. 

Maybe have a look at Zyxel as they have it right from the legal approach in Europe, eventhough their hardware is outdated (UAG4100) thats why I thought that your system might just be the right thing. 

Best regards Lens

@Lens:

We have managed to implement SMS authentication of WiFI users with Omada Controller system and we are also making some progress with the law enforcement requirements

(1) While the Log still could be improved with additional information like Mac address atleast (an outstanding requirement for TpLink), we do have a map of Mac-Address and Mobile No laid out neatly in Sites --> Hostpot Manager --> Guest Tab (illustration below):

So from log, we get android host, From insight host to Mac mapping and then from the above table, we get Private IP addresses to build this relation. If we examine Router ARP and/or DHCP logs, the map of the Mac to the Private LAN IP can also be obtained. Its manual, multistep process but very much doable and since such forsenic analaysis requirement is not very common, I am now less concerned.

So on LAN side, this entire information tuple can be built (I wanted it in log itself for simplicity)

(Mobile No., Mac-Address, LAN Private IP-Address)

But law enforcment will come only with Destination IP, Destination Port, and WAN Public-IP address of Firewall Router Edge device and maybe ephemeral WAN port of Firewall Router). They don't have LAN side information because of NAT, Double NAT etc. 

So the next step is bridging the WAN side information with LAN side to get this tuple:

(WAN-Public-IP address, WAN ephemeral-Port, LAN Private IP-Address)

Am still working on this though. The mapping information is in Firewall state tables and I wanted a state table entry to be logged when created and deleted (timeout, purged, etc). generally consumer routers and entry level enterprise routers don't even show these, forget logging. I am trying to use pfSense, built it has too much logging and again does not seem to log this. They have Firewall state table dumps and it maybe possible to dump every N minutes and backup this information to aid in the search. But it may generate a lot of data, if not done well. I am keen to write my own pfSense-code/application/package to implement this rather than make a new data processing problem. 

(2) Tplink can store all information for 1 year in omada system (configurable item). So it meets our requirement. For the logs and other info storage we can give (its not very cheap)

(3) Tplink Omada uses Twilio. Twilio Bulk SMS rate is 5-6 times local SMS provider rates in India, but given that we make make suthentication timeout to 30 days, we are getting a daily usage of $1 in non-COVID19 lockdown situation in community and 5cents in the lockdown situation. So cost is no longer a concern, but a little usability could be improved if we can have 3/6/12 months as timeout value options. On the positive side, Twilio seems to be very very good, stable and reliable and this makes the whole auth system very easyt to implement, use and is very stable. I am very happy now with Twilio.

(4) UAG4100 will not meet our requirement. We wan't multi Gigabit speed, since we have 4 x 1 Gbps WAN connections (will shortly expand to 6), 4-6 LAN ports aggregated, VLAN support, multiple DHCP pools, and lot of other small features. pFsense seems to be 95% suitable (except the above law enforcement problem) and we can always buy new hardware if we face performanace issue.

Its a weekend R&D work for me, so I go slow here. with COVID19 situation, less cyber crime risk on site, less probability of law-enforcement auditing us.

Lens wrote

Hi there,

 

I am also currently looking for a new solution for my hotel to replace my outdated Zyxel N4100 system. Being in France we have more or less the same requirements to identify the guest users.

 

Mobile number or Username, Mac-Adress, IP-Adress, Connection-time, Destination-IP (not 100% sure but for phone calls you have to log the destination phone number so I guess same applies to Server-IP)

 

If you use the Username apporach (Voucher) you have to store the user identification form for one year (Name etc.) So yes there is quite a lot of data logging.  I might dig out an old log later from my server once I am back home.

 

So currently your system would not meet the legal requirements in France and probably a few other countries in Europe too. 

 

Maybe have a look at Zyxel as they have it right from the legal approach in Europe, eventhough their hardware is outdated (UAG4100) thats why I thought that your system might just be the right thing. 

 

Best regards Lens

@APRC-P3-Tel 

Thanks for the information. Good to see that there is a table with the phone numbers and the MAC-addresses. Will this be written to a syslog Server or just stored in the device for one year? For the connection log I had the same idea as you using either Sophos or pfsense to log the connections of the guest VLAN and write them to a syslog:

Mac-Address : Local-Ip from DHCP Server : Time Stamp : Port : Destination-Ip

but I am not sure if that is so easy. But at least with these informations it would be save to use as apublic hotspot.

@Lens: As per what I have seen this table is stored on the device only (likely in Mongo DB). Defintely not logged or sent in syslog.  Its persistent and is retained if controller moved to another device also. Didn't see any table backup/snapshot (.csv) feature either. I think the whole idea of being able to track a device from its internet access, needs work at system level.

My personal opinion is that the it should be implemented in the firewall only as the firewall has most of the *relevant information, other than the Mac-ID to Mobile No. mapping. Maybe Tp-link should expose a programmtic interface (say using REST API) to pull out the Mobile no. from the Mac-ID that is maintained in the Hostpot manger -> Guest table. basically I prefer to have a co-located or standalone app server for forsenics of this sort.

Lens wrote

@APRC-P3-Tel 

 

Thanks for the information. Good to see that there is a table with the phone numbers and the MAC-addresses. Will this be written to a syslog Server or just stored in the device for one year? For the connection log I had the same idea as you using either Sophos or pfsense to log the connections of the guest VLAN and write them to a syslog:

 

Mac-Address : Local-Ip from DHCP Server : Time Stamp : Port : Destination-Ip

but I am not sure if that is so easy. But at least with these informations it would be save to use as apublic hotspot.