Tp-link EAP Controller on Nethserver


(EnzoC) #1

Hello everybody,
in my company we adopted TP-Link EAP access points (models: EAP225, EAP110, EAP120) to distribute tagged Wi-Fi networks (Principal, Guest, Admin, PLC, VoIP).

A few simple steps to follow:

wget https://static.tp-link.com/resources/software/EAP_Controller_v2.5.3_linux_x64.tar.gz
tar -zxvf EAP_Controller_v2.5.3_linux_x64.tar.gz
cd EAP_Controller_v2.5.3_linux_x64
./install.sh

[root@proxy EAP_Controller_v2.5.3_linux_x64]# ./install.sh 
EAP Controller will be installed in [/opt/tplink/EAPController] (y/n): y
========================
Installation start ...
Install succeeded!
========================
EAP Controller will start up with system boot. You can also control it by [/usr/bin/tpeap]. 
Starting EAP Controller .........................
Start successfully.
You can browse URL http://127.0.0.1:8088 for more.
========================
[root@proxy EAP_Controller_v2.5.3_linux_x64]# 

mkdir -p /etc/e-smith/db/configuration/defaults/tpeap
echo "service" > /etc/e-smith/db/configuration/defaults/tpeap/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/tpeap/status
config set tpeap service status enabled
signal-event runlevel-adjust

The server listens on https://0.0.0.0:8043.

I have tried to proxy the requests through the HTTPS server with the Let's Encrypt certificate, like @mrmarkuz did in Howto install guacamole, but without a subfolder there are problems with the redirect.


(Markus Neuberger) #2

I couldn't make it work with a reverse proxy, so the only way I see is to open port 8043 (changeable in /opt/tplink/EAPController/properties/jetty.properties) and import the NethServer/Let's Encrypt cert.

# open port 8043
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust

# stop eap controller
tpeap stop

# backup eap keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~

# create pkcs12 out of crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12

# import cert to keystore
keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12

Enter tplink as password and confirm overwrite with yes:

Enter source keystore password: tplink
Existing entry alias eap exists, overwrite? [no]:  yes

Start the EAP Controller, the new cert should be imported:

tpeap start

Source:

http://forum.tp-link.com/showthread.php?96192-Hacking-a-valid-cert-into-the-EAP-controller-software


(Ralf Jeckel) #3

I tried to install EAP Controller and the howto works.
But it doesn't find the EAPs. When I install the software on a Windows machine, it finds the EAPs.
NS and the EAPs are in the same green network (192.168.0.0/24). So is the Windows machine.
On the NS there is also a red interface with shorewall.
Any hints which ports to open, or something else?

TIA Ralf


(EnzoC) #4

My fault… Open these ports on the firewall:
UDP 29810
TCP 29811
TCP 29812


(Ralf Jeckel) #5

Yes, man. Now it works! :star_struck:
Thanks a lot! :+1:


(Ralf Jeckel) #6

maybe FYI:

@sharpec I found that if you want to batch upgrade EAPs, you have to open ports 27001 and 27002.


(Alessio Fattorini) #7

Good job Enzo!


(fpausp) #8

Hi, I am trying to install the TP-Link controller software (v3.0.2) for 3 EAP110 APs. I used the following commands:

# install jsvc
yum install jsvc

# Download the Software and start the script
wget https://static.tp-link.com/2018/201809/20180907/Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
tar -zxvf Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
cd Omada_Controller_V3.0.2_Linux_x64_targz
./install.sh

# register tpeap as a NethServer service
mkdir -p /etc/e-smith/db/configuration/defaults/tpeap
echo "service" > /etc/e-smith/db/configuration/defaults/tpeap/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/tpeap/status
config set tpeap service status enabled
signal-event runlevel-adjust


# open port 8043
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust

# stop eap controller
tpeap stop

# backup eap keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~

# create pkcs12 out of crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12

# import cert to keystore
/root/Omada_Controller_V3.0.2_Linux_x64_targz/jre/bin/keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12

Enter source keystore password:<the-password-you-created-before>
Existing entry alias eap exists, overwrite? [no]:  yes

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/tplink/EAPController/keystore/eap.keystore -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -deststoretype pkcs12".

# Start the EAP Controller, the new cert should be imported:
tpeap start

I am not sure how to go further. I guess I should use https://my-neth-ip:8043 to connect to the controller, but there is no reaction… I just have a green IP on this server. Do I need to open the ports:

UDP 29810
TCP 29811
TCP 29812

and

27001 (I guess TCP)
27002 (I guess TCP)

And what commands are used to open the ports?


(Ralf Jeckel) #9

I did it that way:


EAP Controller works fine for me. :+1:


(fpausp) #10

Hi, thank you Ralf. I think I will do it again on a freshly installed server next week. Thank you…


(fpausp) #11

OK, I had some time to do it again. If I try to load https://my-server-ip:8043 (Firefox), I get this error:


(Dan) #12

I don’t know anything about the TP-Link controller, but that error means it’s talking HTTP and you’re trying to connect via HTTPS.


(Ralf Jeckel) #13

Sorry for the late response.
This is not normal. I get the regular warning about SSL certs.

But I'm using my own certs, not the original ones created by NS.
I created my own authority and installed it on all machines in the LAN as a trusted authority.
I did this because of the missing SAN (subjectAltName) in the NS SSL cert.

If you need help to do this, please ping me. But if so, please be a little patient. I'm not well available these days.


(fpausp) #14

Hi Ralf, yes, that would be great!


(Ralf Jeckel) #15

I want to say that I'm not completely through with SSL and cert stuff, but this is the way I do it, and it satisfies my needs and works fine for me. If there is a better, faster, easier, safer or whatever way to do this, I'm happy to learn. :wink:

I do this in the directory /root/ssl.

So here we go:

  1. create rootCA.key (2048 bit)
    You will be asked for a passphrase. Please keep it, you'll need it again.
  2. create rootCA.crt (valid 10 years / 3650 days)
    You will be asked for several inputs, but they are self-explanatory IMO.
    For the common name, which is the key point, I use: authority.domain.tld
  3. create and edit the v3.ext file
    change "DNS.1 = yourserver.domain.tld" to your needs
  4. create server.key
  5. create server.crt
    important: the common name must match your "server.domain.tld"
  6. copy server.key to /etc/pki/tls/private
  7. copy server.crt to /etc/pki/tls/certs
  8. set this cert as default in the GUI

ad 1 openssl genrsa -des3 -out rootCA.key 2048
ad 2 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
ad 3 content of v3.ext file:

        authorityKeyIdentifier=keyid,issuer
        basicConstraints=CA:FALSE
        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names

        [alt_names]
        DNS.1 = yourserver.domain.tld

ad 4 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
ad 5 openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

Now you should have these files in your directory.

Now do step 6 to 8.

If you install the rootCA.crt as a trusted authority on your client, the server cert should be accepted as trusted.

These certs are accepted by newer browsers which check the subjectAltName, like Opera or Firefox.
Please keep in mind that Firefox has its own cert store.

PS: I'm using only Windows clients. I can't give advice on importing certs into Linux PCs.

If you have any problems, feel free to ask me.

So long.

PPS: Please forgive me any typos. :slight_smile:

EDIT: for a deeper understanding please have a look at: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html.
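The steps above, as an added example that is not Ralf's own script: steps 1 to 5 run non-interactively (the CA passphrase is read from the $CA_PASS environment variable, the key is encrypted with AES-256 instead of des3), followed by the two checks a browser effectively performs before trusting the controller's cert: the chain to rootCA.crt and the host name in the SAN. It assumes the openssl CLI is installed; the host names are constructed placeholders.

```shell
# Added example (not from the thread). Needs the openssl CLI; the CA
# passphrase is taken from $CA_PASS. Host names are constructed placeholders.
set -eu

make_ca_and_server_cert() {
  dir="$1"   # working directory (Ralf uses /root/ssl)
  host="$2"  # server FQDN; must appear in the SAN, not only in the CN
  mkdir -p "$dir"
  (
    cd "$dir"
    # step 1: passphrase-protected CA key (AES-256 here instead of des3)
    openssl genrsa -aes256 -passout env:CA_PASS -out rootCA.key 2048 2>/dev/null
    # step 2: self-signed CA certificate, 3650 days
    openssl req -x509 -new -key rootCA.key -passin env:CA_PASS -sha256 -days 3650 \
      -subj "/CN=authority.domain.tld" -out rootCA.crt
    # step 3: v3.ext as in the thread, SAN filled in for this host
    cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
EOF
    # step 4: unencrypted server key + CSR (the controller needs the plain key)
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout server.key \
      -subj "/CN=$host" -out server.csr 2>/dev/null
    # step 5: CA-signed server certificate carrying the SAN from v3.ext
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
      -passin env:CA_PASS -CAcreateserial -days 3650 -sha256 -extfile v3.ext \
      -out server.crt 2>/dev/null
  )
}

# Returns 0 only if server.crt chains to rootCA.crt AND names $2 in its SAN,
# which is the condition a current browser needs to accept the cert as trusted.
verify_server_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/rootCA.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -qE "(^|[ ,])DNS:$host(,|$)"
}

# Stand-alone run: "sh thisfile.sh demo" builds into ./demo-ssl and checks it.
if [ "${1:-}" = "demo" ]; then
  export CA_PASS="change-me"
  make_ca_and_server_cert ./demo-ssl eap.example.internal
  verify_server_cert ./demo-ssl eap.example.internal && echo "chain OK, SAN present"
fi
```

The second function is also the quickest way to see why the NS-generated cert Ralf mentions fails in newer browsers: a cert whose name is only in the CN fails the SAN check even though the chain verifies.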


(fpausp) #16

Nice job, thank you very much, I appreciate that!