Portal Authenticated Clients remain working after authentication timeout with status of pending

2020-10-04 22:32:34 - last edited 2020-10-05 16:56:37
Model: EAP225
Hardware Version: V3
Firmware Version: 2.20.1

Hello All,

 

I tested with the built-in portal with no authentication (just terms acceptance), and set an authentication timeout of 30 minutes (custom). I was expecting that after 30 minutes, the device would get a login splash page again. I do find that the client table then shows those clients still attached but pending (which could be because they remain attached to WiFi), but they don't get any new login page and still keep surfing. I then turned WiFi off on a test device (an Apple device), connected it back after 45 minutes, and it connected without any login page. I could surf the internet, but the client table on the SDN controller shows the status as pending, with usage incrementing.

 

If I, at this time, turn HTTPS redirection off, the device gets the login page and then becomes authorized on login. I then waited for another hour with WiFi turned off on it and tried again, and again it connected fine with pending status. Then I went back to the portal settings and turned HTTPS redirection back on, and again it got the login page. Likely this setting change causes some client database to be purged, and the controller then finds that this is a new device.

 

This seeming bug will take months for TP-Link to fix, I assume (unless it is resolved in the upcoming new release). In the meantime, is there a way to schedule auto-clearing the clients in the database every night, so that if the same client comes back the next day, it will get the login page again? My application is very simple. It is guest Wi-Fi, and they are only allowed like 30 minutes per session, but I am afraid that somehow the portal code remembers or caches the authorized devices and does not clear this cache after the configured authentication timeout.

 

@R1D2 and @Fae, your expertise is needed here please.

 

Thanks

#1
1 Accepted Solution
Re:Portal Authenticated Clients remain working after authentication timeout with status of pending-Solution
2020-10-05 16:56:32 - last edited 2020-10-05 16:56:37

 

 

Finally, it seems like it is resolved if I delete the portal configuration, then reboot the controller and configure it again; I don't see these issues again. Hopefully such issues will be resolved in an upcoming upgrade to the controller.

Recommended Solution
#3
5 Reply
Re:Portal Authenticated Clients remain working after authentication timeout with status of pending
2020-10-04 23:19:49

 

 

Further to my post above, I do find that if I reboot the AP, then clients get the login page and thus can transition to the authorized state. So it is possible that the AP firmware is buggy. I have the last available one on the APs, so I can try with a better one. And I cannot downgrade, as 4.15 requires this latest firmware for the AP to join it.

 

I do see that the EAP245v3 has the same firmware version, but released two months later than for the EAP225v3. I can schedule rebooting of the APs every day at night, but that is not the fix I am really looking for, until I am told that the upcoming firmware will have it fixed.

#2
Re:Portal Authenticated Clients remain working after authentication timeout with status of pending
2020-10-05 18:00:37 - last edited 2020-10-05 18:01:53

@dpsguard, I'm not sure how »Authentication Timeout« alone is supposed to work.

 

According to the manual, you need to set »Daily Limit« to force the client to wait until the next day before he can authenticate again. If »Daily Limit« is unchecked, the client is able to just authenticate again and again after the previous auth session has expired according to the setting in »Authentication Timeout«. In my opinion, it does not make much sense for »No authentication« to set an »Authentication Timeout« while not enabling »Daily Limit« at the same time.

 

A »Pending« client means that the client has not passed the portal authentication and is not connected to the internet, but is (still or again) associated with the WLAN.

 

Maybe @Fae can enlighten us, but currently in China people are celebrating National Day, so we need to be patient.

 

As I wrote in the context of other options already, I would suggest adding some configuration examples to the Omada Controller User Guide, which, for example, could describe scenarios where an option like »Authentication Timeout« makes sense and what behavior it achieves. I just have no idea what the goal is of expiring a »No Authentication« session if the client can authenticate again and again without a limit such as »Daily Limit«.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
Re:Portal Authenticated Clients remain working after authentication timeout with status of pending
2020-10-05 18:10:45

@R1D2 thanks for chiming in. The typical use case could be a place where you come in once in a while to do some quick business (say, a bank). When you leave after, say, 10 minutes to go to your car to pick up something and then come back, you connect back without any splash page. And then you are done in another 5 minutes, and after a total of 30 minutes from the start, the client table has purged your device. But then you are allowed to come back to the same bank in the afternoon, or for that matter 3 times in the day. So there is no reason to have a daily limit in such cases. The hotspot will generally have a PSK plus no authentication on the portal itself (only accept terms), and that way only customers who have come inside the bank know the password, which is written somewhere inside and not visible from outside to anyone just trying to get free Wi-Fi service.

 

Daily limit will, I believe, only allow a total session timeout, but I tested my scenario with a 5-minute timeout and it works: you get a login page again after 5 minutes and you are purged out after 5 minutes. Within the 5 minutes, I turned the device off and on, and then it connected back without a login page. So it works for me in the simple scenario I have.

#5
Re:Portal Authenticated Clients remain working after authentication timeout with status of pending
2022-02-15 16:25:50

@dpsguard I have the same problem. I'm running Omada Controller 4.4.6. The user status is pending, but he is fully able to browse the internet. My controller connects to an external RADIUS server. Authentication works fine the first time he logs in. When his session time is over, he connects back again. He is never forwarded to the login page. His status is Pending but he still gets Internet access. Look at the attached screenshot for my Portal settings.

 

 

 

#6
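
An added example, not written by any poster in this thread and not TP-Link code: a check for the symptom reported in posts #1 and #6, where a client is listed as Pending while its usage keeps growing. It compares two client-table snapshots; the record fields, the sample values and the overhead threshold are all assumptions, not the controller's export format.

```python
# Added example: field names and sample rows are constructed for illustration.
PENDING = "pending"
# Assumed allowance for DHCP, DNS and loading the portal page itself.
PORTAL_OVERHEAD_BYTES = 200_000


def index_by_mac(snapshot):
    """Key a client-table snapshot by lower-cased MAC address."""
    return {row["mac"].lower(): row for row in snapshot}


def pending_clients_passing_traffic(before, after, threshold=PORTAL_OVERHEAD_BYTES):
    """Return (mac, bytes_moved) for clients that were pending in BOTH
    snapshots yet moved more than `threshold` bytes between them."""
    earlier = index_by_mac(before)
    findings = []
    for mac, now in index_by_mac(after).items():
        then = earlier.get(mac)
        if then is None:
            continue  # first seen in the later snapshot: no baseline
        if now["status"].lower() != PENDING or then["status"].lower() != PENDING:
            continue  # authorized at either end: traffic may be legitimate
        now_total = now["rx_bytes"] + now["tx_bytes"]
        then_total = then["rx_bytes"] + then["tx_bytes"]
        # Counters restart after an AP reboot or re-association; count from zero.
        moved = now_total - then_total if now_total >= then_total else now_total
        if moved > threshold:
            findings.append((mac, moved))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed snapshots taken a few minutes apart.
SNAPSHOT_T0 = [
    {"mac": "AA:BB:CC:00:00:01", "status": "Pending", "rx_bytes": 1_000_000, "tx_bytes": 200_000},
    {"mac": "AA:BB:CC:00:00:02", "status": "Pending", "rx_bytes": 40_000, "tx_bytes": 10_000},
    {"mac": "AA:BB:CC:00:00:03", "status": "Authorized", "rx_bytes": 5_000_000, "tx_bytes": 900_000},
    {"mac": "AA:BB:CC:00:00:04", "status": "Pending", "rx_bytes": 9_000_000, "tx_bytes": 1_000_000},
]
SNAPSHOT_T1 = [
    {"mac": "aa:bb:cc:00:00:01", "status": "Pending", "rx_bytes": 31_000_000, "tx_bytes": 1_200_000},
    {"mac": "aa:bb:cc:00:00:02", "status": "Pending", "rx_bytes": 90_000, "tx_bytes": 20_000},
    {"mac": "aa:bb:cc:00:00:03", "status": "Pending", "rx_bytes": 55_000_000, "tx_bytes": 2_000_000},
    {"mac": "aa:bb:cc:00:00:04", "status": "Pending", "rx_bytes": 600_000, "tx_bytes": 50_000},
    {"mac": "aa:bb:cc:00:00:05", "status": "Pending", "rx_bytes": 8_000_000, "tx_bytes": 100_000},
]

if __name__ == "__main__":
    for mac, moved in pending_clients_passing_traffic(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{mac} is pending but moved {moved} bytes")
```

A client that was authorized in the earlier snapshot is skipped on purpose, since its traffic in the interval may predate the timeout; a third snapshot settles those cases.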