Tp-link EAP Controller on Nethserver

sharpec · April 9, 2018, 8:54am

Hello everybody,
in my company adopt TP-link EAP access point (model: EAP225 - EAP110 - EAP120) for distribuite tagged network wifi (Principal, Guest, Admin, PLC, Voip).

a few simple steps to follow

wget https://static.tp-link.com/resources/software/EAP_Controller_v2.5.3_linux_x64.tar.gz
tar -zxvf EAP_Controller_v2.5.3_linux_x64.tar.gz
cd EAP_Controller_v2.5.3_linux_x64
./install.sh

[root@proxy EAP_Controller_v2.5.3_linux_x64]# ./install.sh 
EAP Controller will be installed in [/opt/tplink/EAPController] (y/n): y
========================
Installation start ...
Install succeeded!
========================
EAP Controller will start up with system boot. You can also control it by [/usr/bin/tpeap]. 
Starting EAP Controller .........................
Start successfully.
You can browse URL http://127.0.0.1:8088 for more.
========================
[root@proxy EAP_Controller_v2.5.3_linux_x64]# 

mkdir -p /etc/e-smith/db/configuration/defaults/tpeap
echo "service" > /etc/e-smith/db/configuration/defaults/tpeap/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/tpeap/status
config set tpeap service status enabled
signal-event runlevel-adjust

The server listen on https://0.0.0.0:8043.

I have try to proxy request via https server Letsencrypt certificate, like @mrmarkuz on Howto install guacamole, but without subfolder there are problem with redirect.

mrmarkuz · April 10, 2018, 11:29am

I couldn’t make it work with reverse proxy so only way I see is to open port 8043 (changeable in /opt/tplink/EAPController/properties/jetty.properties) and import the Nethserver/Letsencrypt cert.

# open port 8043
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust

# stop eap controller
tpeap stop

# backup eap keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~

# create pkcs12 out of crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12

# import cert to keystore
keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12

Enter tplink as password and confirm overwrite with yes:

Enter source keystore password: tplink
Existing entry alias eap exists, overwrite? [no]:  yes`

Start the EAP Controller, the new cert should be imported:

tpeap start

Source:

http://forum.tp-link.com/showthread.php?96192-Hacking-a-valid-cert-into-the-EAP-controller-software

flatspin · April 19, 2018, 11:16am

I tried to install EAP-Controller and the howto works.
But it doesn’t find the EAPs. When I install the software on a
Windowsmachine, it finds the EAPs.
NS and EAP are in the same green network (192.168.0.0/24).
Also the Win-machine.
On the NS is also a red interface with shorewall.
Any hints which ports to open or something else??

TIA Ralf

sharpec · April 19, 2018, 12:09pm

My fault…Open this port on firewall
UDP 29810
TCP 29811
TCP 29812

flatspin · April 19, 2018, 12:57pm

Yes, man. No it works!
Thanks a lot!

flatspin · July 9, 2018, 3:30pm

maybe FYI:

@sharpec I found, that if you want to batch upgrade EAPs, you have to open port 27001 and 27002.

alefattorini · September 7, 2018, 11:36am

Good job Enzo!

fausp · October 18, 2018, 1:55pm

Hi, I try to install a TP-Link Controllersoftware (v3.0.2) for 3 EAP110 APs. I used the following commands:

# install jsvc
yum install jsvc

# Download the Software and start the script
wget https://static.tp-link.com/2018/201809/20180907/Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
tar -zxvf Omada_Controller_V3.0.2_Linux_x64_targz.tar.gz
cd Omada_Controller_V3.0.2_Linux_x64_targz
./install.sh

# 
mkdir -p /etc/e-smith/db/configuration/defaults/tpeap
echo "service" > /etc/e-smith/db/configuration/defaults/tpeap/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/tpeap/status
config set tpeap service status enabled
signal-event runlevel-adjust


# open port 8043
config setprop tpeap TCPPort 8043
config setprop tpeap access green
signal-event firewall-adjust

# stop eap controller
tpeap stop

# backup eap keystore
cp /opt/tplink/EAPController/keystore/eap.keystore ~

# create pkcs12 out of crt and key
openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -name eap -out mycert.p12

# import cert to keystore
/root/Omada_Controller_V3.0.2_Linux_x64_targz/jre/bin/keytool -importkeystore -deststorepass tplink -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -srckeystore mycert.p12 -srcstoretype PKCS12

Enter source keystore password:<the-password-you-created-bevor>
Existing entry alias eap exists, overwrite? [no]:  yes

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/tplink/EAPController/keystore/eap.keystore -destkeystore /opt/tplink/EAPController/keystore/eap.keystore -deststoretype pkcs12".

# Start the EAP Controller, the new cert should be imported:
tpeap start

I am not sure howto go farther, I guess I should use https://my-neth-ip:8043 to connect to the controller but there is no reation… I just have a green IP on this server, do I need to open the Ports:

UDP 29810
TCP 29811
TCP 29812

and

27001 ( I guess TCP)
27002 ( I guess TCP)

And what commands are used to open the ports ?

flatspin · October 18, 2018, 4:15pm

I did it that way:

EAP Controller works fine for me.

fausp · October 19, 2018, 11:12am

Hi, thank you Ralf. I think I will do it agn on a fresh installed server, next week. Thank you…

fausp · October 19, 2018, 2:19pm

OK, I had some time to do it agn. If I try to load https://my-server-ip:8043 (firefox), I will get this error:

danb35 · October 19, 2018, 2:41pm

I don’t know anything about the TP-Link controller, but that error means it’s talking HTTP and you’re trying to connect via HTTPS.

flatspin · October 20, 2018, 8:03am

Sorry for late response.
This is not normal. I get the regular warning about SSL-certs:

But I’m using my own certs. Not the original ones created by NS.
I created my own authority and installed it on all machines in the LAN as trusted authority.
I did this, because of the missing SAN (subjectAltName) in NS-SSL-cert.

If you need help to do this, please ping me. But if so, please be a little patient. I’m not good available these days.

fausp · October 20, 2018, 8:47pm

Hi Ralf, yes that would be great !

flatspin · October 21, 2018, 11:40am

I want to say, that I’m not completely through with SSL and cert stuff, but this is the way I do it and this satisfies my needs and works fine for me. If there is a better, faster, easier, saver or what ever way to do this, I’m happy to learn.

I do this in directory /root/ssl

So here we go:

create rootCA.key (2048 bit)
You will be asked for a paraphrase. Please keep it, you’ll need it again.
create rootCA.crt (10 year valid / 3650 days)
You will be asked severel inputs, but they are self explaining IMO
I use here for the common name, which is the keypoint: authority.domain.tld
create and edit v3.ext file
change “DNS.1 = yourserver.domain.tld” to your needs
create server.key
create server.crt
important: the commonname must match your “server.domain.tld”
copy server.key to /etc/pki/tls/private
copy server.crt to /etc/pki/tls/certs
set this cert as default in GUI

ad 1 openssl genrsa -des3 -out rootCA.key 2048
ad 2 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
ad 3 content of v3.ext file:

        authorityKeyIdentifier=keyid,issuer
        basicConstraints=CA:FALSE
        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names

        [alt_names]
        DNS.1 = yourserver.domain.tld

ad 4 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
ad 5 openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

Now you should have these file in your directory:

Now do step 6 to 8.

If you install the rootCA.crt as trusted authority on you client, the server cert should be accepted as trusted:

These certs are accepted by newer browsers which proove the subjectAltName like opera or firefox.
Please keep in mind, that firefox has it’s own cert-memory.

PS: I’m using only Win-clients. Can’t give advice to import certs to linux PCs.

If you have any problems, feel free to ask me.

So long.

PPS: Please forgive me any typos.

EDIT: for a deeper understanding please have a look at: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html.

fausp · October 21, 2018, 4:04pm

Nice Job, thank you very much, I appreciate that !

flatspin · November 15, 2018, 8:08am

Did this HowTo work for you?

fausp · November 15, 2018, 8:31am

I tried it a few times on a fresh installed virtual NethServer but was not able to… I then had to stop because the lack of time… ATM I run it under Windows7 (shame on me )…

fausp · March 24, 2021, 3:28pm

Version 4.x is out, did you install it?

flatspin · March 24, 2021, 4:52pm

Sorry, no. I’m still on V 3.2.9.

Will give V4 a try next days.

EDIT: Can’t upgrade to V4 because of one EAP 115 V 2 in my network. There no firmware for it for the new SDN-Controller it seems.