NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
How to disable SSO login?
Hi here!
I'm happy owner of Netgear WAC124 access point. Firmware Version V1.0.4.4
When setup first time I've created netgear account and registered the product.
But on next logins it always redirect to sso.html page to login using mynetgear account.
I can't use my local login when I connected to Internet.
There seems no settings to disable SSO login. Or I can't find it?
If there's no such settings, I'd like to request it. I don't want to use SSO login and share my access time.
Same request for different model: https://community.netgear.com/t5/Smart-Plus-Click-Switches/GS108Tv3-cannot-use-local-login-with-internet-access/m-p/1773940
Thanks
32 Replies
Replies have been turned off for this discussion
Same here. Eagerly waiting for a solution.
I also would like to disable the SSO stuff and use local administration.
Yeap - definately need an option to login to the router locally without going out to internet for SSO. It's my dam router that I bought and I should not be holden to a cloud account to login locally to my device. YO NETGEAR, are your hearing us!!! FIX IT!!!!! If I knew this I would of purchased the other router I was looking at from ASUS that DOES ALLOW YOU TO LOGIN LOCALLY!!!!!!
Hi, I contacted Netgear support about this topic.
This is the answer:
> I am sorry but the SSO was intentionally designed for the WAC124 and there is nothing to fix about it.
What I also discovered about SSO page is that it exposes login information to 3rd party domains like gigya.com, googletagmanager.com, google-analyticss.com, doubleclick.net. Request to those domains includes your device serial number! You can check in browser dev tools about that.
Netgear support answered to that:
> These are to check if there is any system downtime internally in the background and some of them are for google analytics which they have configured to trace the logs of users. Google analytics is basically to track the number of users visiting accounts portal login screen, signup screen, 2FA screen, login settings screens. Apart from it, we don't track users personal information as per the Privacy Policy of NETGEAR
I'm not sure how this behaviour could comply with privacy policy.
But in any case I don't agree with that and decided to return my device and swtich to normal brand instead of using Netgear.
Yeah. I waited too long to return mine so it went into the electronics waste disposal. If I can't have a local login and keep mine and my devices info private, I will just buy a different brand. Which I did. I think Netgear maybe miscalculated on this one.
I think Netgear is going on my "not to buy brand" list - I have had lots of Netgear equipment over the years and was always happy with it but the last 3 devices have been an absolute nightmare. I had the WN3500RP wifi extender that always went via mywifiext.com for some sort of authentication and I managed to stop that by creating a local DNS override to point that domain to the local IP address. I bought the WAC124 to use as a simple access point to replace my WAC120 which I had to reset at least once a week as it would drop connections or start slowing down traffic so it was even slower then my legacy access points which I never have to touch. With this WAC124 I can not disable the SSO without DNS blacklisting the whole of netgear.com and even once you are logged in to the device it is riddled with bugs. - I can not see what devices are blocked or allowed in the MAC access list and when the access list the logs fill up with mac addresses which are not even physically attached to the device.
I wonder if https://openwrt.org/toh/netgear/netgear_wac124?s[]=wac124 may be an option but I have never used Open-WRT. I do have another netgear device with DD-WRT on it which is very reliable but unfortunately the WAC124 is not listed on their site
NetGear msut not be paying attention to security. The security breaches we are hearing about on the news involve hacks to centralized services like NetGear is pushing on people. Way to weaken customer's network security NetGear. :golfclap:
I'll be trashing this POS nighthawk the first chance I get. And won't be buying netgear CRAP. Your POS router keeps redirecting to your stupid ass website saying I "may not be connected to my WiFi" when I clearly am because I'm reading the F'n page over the internet. This is ENRAGING. I'm trying to get work done and I can't because I have to screw with this stupid ass, broke POS. All because you want to collect data on your users. **bleep** YOU
cybernawt wrote:I'll be trashing this POS nighthawk the first chance I get.
There is no word of Nighthawk routers neither in the Netgear business community, nor specifically in this thread.
cybernawt wrote:Your POS router keeps redirecting to your stupid ass website saying I "may not be connected to my WiFi" when I clearly am because I'm reading the F'n page over the internet. This is ENRAGING. I'm trying to get work done and I can't because I have to screw with this stupid ass, broke POS. All because you want to collect data on your users. **bleep** YOU
Save your energy - we're community members.
Most connection issues using these DNS names are really caused by wireless connections to other APs, for example an ISP router, or caused by using "secure" DNS (https/ssl based) what the device in the data path can't capture and inject the LAN IP reply.
On the subject WAC1xx here - when I have it right, this aplogin.com/.net does only work as long as the AP isn't set-up. Later, the special named don't work anymore.
If you disconnect the WAN port you can access the WAC124 via IP address.
Unfortunately, this is not helpful if you are trying to remote admin the AP from an outside network.
We have had 33% of the WAC124 units we've deployed slow down and then have the web GUI become inaccessible. Is reminiscent of when Asus was having its router hacked. We had several of those become hacked and exhibit similar behavior.
Currently, when logging via SSO, we are told the server reloads and then the web page fails. Problems on Netgear's end? We use the 10G switches in video production environments but these APs are just a bunch of garbage.
For anyone still looking into this, I have found a partial solution.
The router login page is sso.html
There are 3 possible login forms:
1. The local login (what you want)
2. The first time login (when you first power on the router)
3. The Internet SSO Netgear login (yuck)
All 3 of these forms are actually on the login page, sso.html, the others are simply hidden.
The way the page determines which login form is shown, is a page-level JavaScript variable called "hasInternet". The value is set internally by the firmware and is baked into the page source. The value changes constantly and is some sort of time/date format like "418:33:34". I'm not sure what this time is indicating.
Anyways, if the "hasInternet" has a value of "00:00:00" that means the router has internally determined you don't have internet access. In this case, the page simply uses JavaScript to hide the SSO login form and display the Local Login form.
I'm not sure if there is a way to trick out the AP to change that "hasInternet" value. Maybe with firmware hacking. I dunno.
BUT you can use simple JavaScript on the page to hide/show the login login form and ignore the SSO login form.
SSO login form HTML div element ID: "box_internet_everlogon"
Local login form HTML div element ID: "box_local_login"
So if you open up the browser dev tools and goto the JavaScript console you can use the following Javascript
(function(){ document.getElementById('box_local_login').style.display='block'; document.getElementById('box_internet_everlogon').style.display='none'; })()Just copy and paste that in and run it.
TADA: Now the SSO login is gone and the Local login is accessible and ready to accept input.
So how can we make this a little more accessible? A pain to open up the console and copy/paste this thing every time you login right? How about a browser Bookmarklet?
In your browser create a new Bookmark. Give it any name, like "Netgear Local Login" or whatever you want. For the URL paste in the following Javascript:
javascript:(function(){ document.getElementById('box_local_login').style.display='block'; document.getElementById('box_internet_everlogon').style.display='none'; })();For some reason Netgears Message Board is replacing the "colon" in the above code with the HTML colon entity code ":". Anyways it should look like this at the start:
Now, whenever you get to your Netgear AP SSO login page, click on their bookmark. The JavaScript in the bookmark will execute and you will now magically have your local login instead of the stupid Netgear SSO login.
There may be other ways of automating this, such as a Chrome/Firefox extension that automatically can execute custom JavaScript whenever you access certain URLs. Or something to automatically open the Bookmarklet when you get to this URL. I haven't really looked deeper into it beyond this.
This isn't a perfect solution, but I hope it helps everyone. Netgear should really not require SSO logins for local network devices. Really really dumb idea.
Jakobud wrote:For anyone still looking into this, I have found a partial solution.
The router login page is sso.html
There are 3 possible login forms:
1. The local login (what you want)
2. The first time login (when you first power on the router)
3. The Internet SSO Netgear login (yuck)
All 3 of these forms are actually on the login page, sso.html, the others are simply hidden.
The way the page determines which login form is shown, is a page-level JavaScript variable called "hasInternet". The value is set internally by the firmware and is baked into the page source. The value changes constantly and is some sort of time/date format like "418:33:34". I'm not sure what this time is indicating.
Anyways, if the "hasInternet" has a value of "00:00:00" that means the router has internally determined you don't have internet access. In this case, the page simply uses JavaScript to hide the SSO login form and display the Local Login form.
I'm not sure if there is a way to trick out the AP to change that "hasInternet" value. Maybe with firmware hacking. I dunno.
BUT you can use simple JavaScript on the page to hide/show the login login form and ignore the SSO login form.
SSO login form HTML div element ID: "box_internet_everlogon"
Local login form HTML div element ID: "box_local_login"
So if you open up the browser dev tools and goto the JavaScript console you can use the following Javascript
(function(){ document.getElementById('box_local_login').style.display='block'; document.getElementById('box_internet_everlogon').style.display='none'; })()Just copy and paste that in and run it.
TADA: Now the SSO login is gone and the Local login is accessible and ready to accept input.
So how can we make this a little more accessible? A pain to open up the console and copy/paste this thing every time you login right? How about a browser Bookmarklet?
In your browser create a new Bookmark. Give it any name, like "Netgear Local Login" or whatever you want. For the URL paste in the following Javascript:
javascript:(function(){ document.getElementById('box_local_login').style.display='block'; document.getElementById('box_internet_everlogon').style.display='none'; })();For some reason Netgears Message Board is replacing the "colon" in the above code with the HTML colon entity code ":". Anyways it should look like this at the start:
Now, whenever you get to your Netgear AP SSO login page, click on their bookmark. The JavaScript in the bookmark will execute and you will now magically have your local login instead of the stupid Netgear SSO login.
There may be other ways of automating this, such as a Chrome/Firefox extension that automatically can execute custom JavaScript whenever you access certain URLs. Or something to automatically open the Bookmarklet when you get to this URL. I haven't really looked deeper into it beyond this.
This isn't a perfect solution, but I hope it helps everyone. Netgear should really not require SSO logins for local network devices. Really really dumb idea.
Sweet thanks!!!
We use a firewall to block the WAC124's access to the internet. Typically a Meraki MX. This does not prevent network traffic from flowing through it or to the internet. It simply prevent's the WAC124's OS from accessing the internet. This disables the SSO and presents you with the local login. We do this with most consumer level and poorly supported gear. Had far too many Asus routers compromised. Unfortunately, this makes administration by remote network impossible. But that's also a good thing from a security standpoint. We then remote into a dedicated machine on the WAC's LAN to administrate.
If you are letting your cheap routers and APs have internet access, you're not doing it right. Those things get hacked all the time, cough, WAC124, cough.
That's even better indeed :-)
How did you program the firewall to prevent the WAC124-OS from accessing the internet and NOT prevent the other traffic, routed through the WAC124, to pass through?
I guess you programmed a filter of some sort in the firewall to filter out the WAC124-specific-traffic?
Is that relatively easy to do? Maybe I could do someting comparable in my 4G internetmodem...
('I'm not a support-tech and more a bit advanced "consumer" so I could use some pointers ;-))Thanks!
Using a Cisco Meraki security appliance (firewall) it's pretty easy. Click on a netwrok device and apply the default block rule or create a special rule.
Other firewalls with have ther own way of setting that up. In most cases, simply blocking the WAC124's IP or MAC from having access to the internet should do the trick. Such as denying all external IP traffic to and from the WAC.
Hope that helps!
Entering the MAC address of the Netgear router is absolutely the easiest and best way of getting rid of the ridiculous Netgear policy.
Only thing is that the Netgear router must be behind another router that accesses the internet.
If the Netgear is your only modem and router you can use the scripting work around.
So, get a good product to connect to the internet and use this Netgear crap for internal purposes only.
Bit late to the party here, but if anyone else is still having hassle with this, here's an easy way to prevent the SSO login ... Note this will *only* work for access point mode ...
First off you need to set a static ip address for the access point lan port. Obvioulsy the ip that you pick must be valid for your network segment, but *not* be in use by anything else on your network segment, and prefereably not used by your dhcp server either. Finally once you have selected an ip address, then set the default router to an ip address on your network segment that is not in use by anything. Then save the data and wait for it to reboot.
If the netgear access point can't actiually contact a real default router, it can't send any data off the local network. Therefore the SSO stuff cannot phone home,
Note that a side effect of this will be that auotmatic updates and check for firmware stuff will not work (for the same reason). The device will also warn you that it cannot see the internet (but that is the idea).
-- NW
You'll be pleased to know, from firmware v1.0.4.9, the SSO 'feature' has been removed.
I've been finding this out from customers that only had their SSO logins. As Netgear has the firmware automatically disabling SSO. About half my customers didn't bother to save the local login info and are now locked out of their devices completely. Bravo!
Oh!
You could try the default?
- User: admin
- Password: password
The sso annoyance was fixed by WAC124 Firmware Version 1.0.4.9.
Edit: Sorry, I noticed too late that this info was already posted.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
