GUI access without authentication

FlaParrotHead
DD-WRT User


Joined: 04 Nov 2020
Posts: 80

Posted: Wed Nov 24, 2021 16:36    Post subject: GUI access without authentication
Currently, if I am hardwired, I am able to access the GUI without authenticating. Is there any way to configure, maybe by MAC address, a WiFi device to allow GUI access without authentication?
_________________
Linksys WRT3200ACM
Version: DD-WRT v3.0-r50500 std (10/13/22)
Kernel Version: Linux 4.9.330 #3466 SMP Thu Oct 13 02:01:23 +07 2022 armv7l
Linksys RE9000 Extender (WiFi attached)
OpenVPN with PBR: ExpressVPN
Devices: Sonos, Apple, QNAP, Laserjet other
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14207
Location: Texas, USA

Posted: Wed Nov 24, 2021 16:58
If you are able to access the webUI without authenticating, it is because you saved the credentials to your browser or some password manager add-on. This is not advisable, IMHO.

To answer your question, though, you would have to save the credentials on your mobile device and then likely use ebtables to filter by MAC or static lease or some such. I generally do not allow webUI, ssh, telnet, ftp, etc. access from wireless.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
FlaParrotHead
DD-WRT User


Joined: 04 Nov 2020
Posts: 80

Posted: Wed Nov 24, 2021 17:35
kernel-panic69 wrote:
If you are able to access the webUI without authenticating, it is because you saved the credentials to your browser or some password manager add-on. This is not advisable, IMHO.

To answer your question, though, you would have to save the credentials on your mobile device and then likely use ebtables to filter by MAC or static lease or some such. I generally do not allow webUI, ssh, telnet, ftp, etc. access from wireless.


Actually, I am not even prompted when connecting hard wired… so maybe but not sure, it is surprising. I’m not worried about hackers in the area getting onto that subnet.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Wed Nov 24, 2021 18:32
So, you are able to login and access the webif to do whatever without entering username and password and for sure there is no autologin going on?

This doesn't seem right. What kind of magic is this?

Edge and Chrome will likely auto log you in transparently; to ensure it's not something like this, use a portable browser with a clean profile.

Very odd. Time to put my feet up though. Good luck.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Argenis
DD-WRT User


Joined: 18 Feb 2019
Posts: 161

Posted: Thu Nov 25, 2021 4:24
Since I don't recall which version, when you are accessing the GUI regardless of how, there's a session cookie or just a session on the device end that remembers your browser and lets you in without a password.

Open another browser or an incognito window and it should prompt you. Give that a shot.

_________________
Router: Linksys WRT3200ACM WLAN0 and 1 have same SSID
88W8964 802.11ac WLAN0 Mode AP VHT80 80MHz Mixed Mode Channel and Extension Channel Auto Extension LL-6
88W8964 802.11ac WLAN1 Mode AP 20 MHz Mixed Mode Channel Auto
SD8887 802.11ac disabled but visible on GUI and CLI
TX Power 18 dBm
Antenna Gain 0 dBi
U-APSD (Automatic Power Save)Enabled 
Protection Mode None
RTS Threshold Disabled
Short Preamble Disabled 
Short GI Enabled
Single User Beamforming Enabled
Multi User Beamforming Enabled 
AP Isolation Disabled
Beacon Interval 100
DTIM Interval 2
WMM Support Enabled 
Radar Detection Disabled 
ScanList default
Sensitivity Range (ACK Timing) 500 (Default: 500 meters)
Max Associated Clients 256 (Default: 256 Clients)
Minimum Signal for authenticate -128
Minimum Signal for connection -128
Poll Time for signal lookup 10
Amount of allowed low signals 3
Wireless security is WPA2 Personal CCMP-128 only
QAM256 is on
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14207
Location: Texas, USA

Posted: Thu Nov 25, 2021 4:26
There is also that possibility (that I completely forgot about!). This is why I use a completely separate browser for webUI access.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Nov 25, 2021 6:06
Argenis wrote:
Since I don't recall which version, when you are accessing the GUI regardless of how, there's a session cookie or just a session on the device end that remembers your browser and lets you in without a password.


Indeed, however this only happens if you allow the login to be remembered by ticking that checkbox.

IMO it's awful for security because anyone then can just access anything router side, or any other websites where you have done this.

May as well write passwords on a post-it and stick it to the screen bevel or just use 12345678, or the word password as your password.

Hilarious, and then one may even be surprised when millions of machines across the globe are turned into botnets or crypto miners, daily! But it's OK, no one is interested in your porn folder.

FTW no passwords at all. Wink

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14207
Location: Texas, USA

Posted: Thu Nov 25, 2021 6:52
the-joker wrote:
Argenis wrote:
Since I don't recall which version, when you are accessing the GUI regardless of how, there's a session cookie or just a session on the device end that remembers your browser and lets you in without a password.


Indeed, however this only happens if you allow the login to be remembered by ticking that checkbox.

When you flash via webUI, you do not have to re-login. If you close out a tab and re-open another tab in a browser that was not exited completely and you navigate to the router IP, it will not ask for credentials. This is because the info is cached. I have literally done this with *hours* in between several times.

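The clean-client check suggested in this thread (a fresh browser profile or an incognito window) can also be run as a script. The following is an added example, not part of any post and not DD-WRT code: `probe` sends one request with no cookies or saved credentials, and a second probe replays an `Authorization` header the way a browser with cached credentials does. It assumes the web interface uses HTTP Basic authentication; `StubUI` and the sample credentials are constructed so the example runs offline.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe(url, headers=None, timeout=5):
    """One GET, no cookie jar, no redirects followed. 'served' with no headers = no auth."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers=headers or {})
        resp = conn.getresponse()
        if resp.status == 401 and resp.getheader("WWW-Authenticate"):
            return "auth-required", resp.status
        if resp.status in (301, 302, 303, 307, 308):
            return "redirect", resp.status  # possibly a login page; inspect manually
        return ("served" if resp.status == 200 else "other"), resp.status
    finally:
        conn.close()

class StubUI(BaseHTTPRequestHandler):
    """Constructed stand-in for a router UI protected by HTTP Basic auth."""
    def do_GET(self):
        if self.headers.get("Authorization"):  # stub accepts any credentials
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"status page")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubUI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/"
    # What a browser replays on every request once credentials are cached or saved.
    cached = {"Authorization": "Basic " + base64.b64encode(b"user:constructed").decode()}
    try:
        return probe(url), probe(url, cached)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real router, call `probe` with the router's own address: `auth-required` means the UI does demand credentials and any prompt-free access comes from the client side.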
All times are GMT