
How to disable SSO login?

nanorobocop
Tutor


Hi here!

I'm a happy owner of a Netgear WAC124 access point. Firmware Version V1.0.4.4

When I set it up the first time, I created a Netgear account and registered the product.

But on the next logins it always redirects to the sso.html page to log in using the mynetgear account.

I can't use my local login when I'm connected to the Internet.

There seems to be no setting to disable SSO login. Or I can't find it?

If there's no such setting, I'd like to request it. I don't want to use SSO login and share my access time.

Same request for different model: https://community.netgear.com/t5/Smart-Plus-Click-Switches/GS108Tv3-cannot-use-local-login-with-inte...

 

Thanks

Model: WAC124|AC2000 Dual Band 4x4
Message 1 of 27
Pjpj
Tutor

Re: How to disable SSO login?

Same here. Eagerly waiting for a solution. 

Model: WAC124|AC2000 Dual Band 4x4
Message 2 of 27

Re: How to disable SSO login?

I also would like to disable the SSO stuff and use local administration.

 

Model: WAC124|AC2000 Dual Band 4x4
Message 3 of 27
dehart007
Initiate

Re: How to disable SSO login?

Yep - definitely need an option to log in to the router locally without going out to the internet for SSO. It's my damn router that I bought and I should not be beholden to a cloud account to log in locally to my device. YO NETGEAR, are you hearing us!!! FIX IT!!!!! If I knew this I would have purchased the other router I was looking at from ASUS that DOES ALLOW YOU TO LOGIN LOCALLY!!!!!!

Model: WAC124|AC2000 Dual Band 4x4
Message 4 of 27
nanorobocop
Tutor

Re: How to disable SSO login?

Hi, I contacted Netgear support about this topic.

This is the answer:

> I am sorry but the SSO was intentionally designed for the WAC124 and there is nothing to fix about it.

What I also discovered about the SSO page is that it exposes login information to 3rd party domains like gigya.com, googletagmanager.com, google-analyticss.com, doubleclick.net. Requests to those domains include your device serial number! You can check that in browser dev tools.

Netgear support answered to that:

> These are to check if there is any system downtime internally in the background and some of them are for google analytics which they have configured to trace the logs of users. Google analytics is basically to track the number of users visiting accounts portal login screen, signup screen, 2FA screen, login settings screens. Apart from it, we don't track users' personal information as per the Privacy Policy of NETGEAR

I'm not sure how this behaviour could comply with the privacy policy.

But in any case I don't agree with that and decided to return my device and switch to a normal brand instead of using Netgear.

Message 5 of 27
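
An added example (not part of the original post and not Netgear's code): one way to repeat the dev-tools check described above is to save the login page's network log as a HAR file and scan it for requests to hosts other than the device that contain the serial number. The hosts, IP address and serial number in the sample are constructed.

```javascript
'use strict';
// Added example: scan a HAR export (browser dev tools, Network tab) for
// requests to non-device hosts that carry the device serial number.
// Every host, IP address and serial below is constructed sample data.

// True if `text` contains `needle` either literally or percent-encoded.
function containsId(text, needle) {
  if (!text) return false;
  let decoded = text;
  try { decoded = decodeURIComponent(text); } catch (_) { /* malformed %, keep raw */ }
  return text.includes(needle) || decoded.includes(needle);
}

// Report each third-party host and where in the request the identifier appeared.
function findThirdPartyLeaks(har, firstPartyHosts, needle) {
  const leaks = new Map(); // host -> Set of locations
  for (const { request: req } of har.log.entries) {
    let host;
    try { host = new URL(req.url).hostname; } catch (_) { continue; }
    if (firstPartyHosts.includes(host)) continue;

    const where = [];
    if (containsId(req.url, needle)) where.push('url');
    for (const h of req.headers || []) {
      if (containsId(h.value, needle)) where.push('header:' + h.name.toLowerCase());
    }
    if (req.postData && containsId(req.postData.text, needle)) where.push('body');
    if (where.length === 0) continue;

    if (!leaks.has(host)) leaks.set(host, new Set());
    where.forEach((w) => leaks.get(host).add(w));
  }
  return [...leaks].map(([host, set]) => ({ host, where: [...set].sort() }));
}

// Constructed HAR fragment: the device login page plus four outbound requests.
const SERIAL = 'TEST-SN-0001';
const sampleHar = { log: { entries: [
  { request: { method: 'GET', url: 'http://192.168.0.100/sso.html', headers: [] } },
  { request: { method: 'GET', headers: [],
      url: 'https://analytics.example/collect?page=sso.html&sn=TEST-SN-0001' } },
  { request: { method: 'POST', url: 'https://accounts.example/login',
      headers: [{ name: 'Referer', value: 'http://192.168.0.100/sso.html' }],
      postData: { mimeType: 'application/x-www-form-urlencoded',
                  text: 'event=login&sn=TEST%2DSN%2D0001' } } },
  { request: { method: 'GET', url: 'https://cdn.example/lib.js', headers: [] } },
  { request: { method: 'GET', url: 'https://analytics.example/pixel.gif',
      headers: [{ name: 'Referer',
                  value: 'http://192.168.0.100/sso.html?sn=TEST-SN-0001' }] } },
] } };

// Run the scan over the constructed sample, treating the device IP as first party.
function runSample() {
  return findThirdPartyLeaks(sampleHar, ['192.168.0.100'], SERIAL);
}

console.log(JSON.stringify(runSample(), null, 2));
```

To use it on a real capture, parse the exported HAR file as JSON and pass it in with your own device address and serial number.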
Pjpj
Tutor

Re: How to disable SSO login?

Yeah. I waited too long to return mine so it went into the electronics waste disposal. If I can't have a local login and keep mine and my devices info private, I will just buy a different brand. Which I did. I think Netgear maybe miscalculated on this one. 

Message 6 of 27

Re: How to disable SSO login?

I think Netgear is going on my "not to buy brand" list - I have had lots of Netgear equipment over the years and was always happy with it but the last 3 devices have been an absolute nightmare. I had the WN3500RP wifi extender that always went via mywifiext.com for some sort of authentication and I managed to stop that by creating a local DNS override to point that domain to the local IP address. I bought the WAC124 to use as a simple access point to replace my WAC120 which I had to reset at least once a week as it would drop connections or start slowing down traffic so it was even slower than my legacy access points which I never have to touch. With this WAC124 I can not disable the SSO without DNS blacklisting the whole of netgear.com and even once you are logged in to the device it is riddled with bugs. - I can not see what devices are blocked or allowed in the MAC access list and when the access list the logs fill up with mac addresses which are not even physically attached to the device.

 

I wonder if https://openwrt.org/toh/netgear/netgear_wac124?s[]=wac124 may be an option but I have never used Open-WRT. I do have another netgear device with DD-WRT on it which is very reliable but unfortunately the WAC124 is not listed on their site

Model: WAC124|AC2000 Dual Band 4x4
Message 7 of 27

Re: How to disable SSO login?

 

Just as an update - I have applied OpenWRT to this access point now - installation was easy but I had to get in via the lan ports to set the password and then follow separate instructions to get the web interface going which was a little bit fiddly - It is now all up and running with the configuration I want and loads of extras that this access point could not do before. Hopefully it will be stable with it which will take a few weeks to find out. If not I already have a dlink access point on order which is slightly slower but I can live with that since my broadband is very slow any way.

Model: WAC124|AC2000 Dual Band 4x4
Message 8 of 27
nanorobocop
Tutor

Re: How to disable SSO login?

Thanks for update!

But I believe switching to openwrt firmware disables the warranty, doesn't it?

Message 9 of 27
nanorobocop
Tutor

Re: How to disable SSO login?

Also, just curious, any other benefits you get from openwrt firmware?

Message 10 of 27

Re: How to disable SSO login?

Yes I believe the warranty is void but there are probably ways of getting the original firmware back on the device although I was not really too worried about that since the device is not that expensive in the first place.

Feature wise some of the stuff I wanted I could not get on the stock firmware are (but there are tons more):

- ssh access: I can now ssh into the device and use standard Unix/Linux commands to administrate it and fiddle with stuff that was not available before

- There are repositories for the openwrt stuff that give you access to additional tools like SNMP and advanced firewall features. I even saw Asterisk/Voip stuff in the repos. The SNMP access is useful for me since I can now use my Cacti setup (https://www.cacti.net/) to graph the utilisation of the device.

- You can have more SSID's for guest networks etc and you can customize all of them rather than the 3rd ssid on the stock firmware not giving you access to the LAN ports etc.

- The web gui of openwrt has live graphs to monitor traffic and you can tell from the device at what rates devices are connected to it.

You will lose the ReadySHARE stuff that is built into it but the repos have standard samba server and FTP server stuff available for the device so you can probably configure something more advanced with that but I was not using that anyway and only use this device as a plain access point to extend my existing network. The only reason I got this device is the higher throughput rates than what my legacy netgear and cisco stuff offers.

Model: WAC124|AC2000 Dual Band 4x4
Message 11 of 27
schumaku
Guru

Re: How to disable SSO login?


@HubertusHaniel wrote:

I had the WN3500RP wifi extender that always went via mywifiext.com for some sort of authentication and I managed to stop that by creating a local DNS override to point that domain to the local IP address.


That's exactly what the extenders do when connecting a system to the extender (wireless or wired) and the user does call mywifiext.com (and .net fwiw) - except if some secured/encrypted DNS is used, in that case you end on Netgear's landing page instead of on the extender login. You can connect to any extender without any internet connection using these special domains.

Message 12 of 27
bizprotech
Aspirant

Re: How to disable SSO login?

I'm doing the same, no more NetGear purchases. Why would NetGear for Business think it's OK to create personal password secrets and force a login to manage their crap? Ridiculous, this is not acceptable.

Model: WAC124|AC2000 Dual Band 4x4
Message 13 of 27
bizprotech
Aspirant

Re: How to disable SSO login?

NetGear must not be paying attention to security. The security breaches we are hearing about on the news involve hacks to centralized services like NetGear is pushing on people. Way to weaken customer's network security NetGear. :golfclap:

Message 14 of 27
schumaku
Guru

Re: How to disable SSO login?

This problem does only apply to the WAC124.

 

@YeZ can this unliked design be replaced by a standard Netgear wireless AP version, too?

 

On the cloud manageable switches where such a similar feature briefly showed up in the second half of 2020, it's no longer required anymore, too.

Message 15 of 27
cybernawt
Initiate

Re: How to disable SSO login?

I'll be trashing this POS nighthawk the first chance I get. And won't be buying netgear CRAP.  Your POS router keeps redirecting to your stupid ass website saying I "may not be connected to my WiFi" when I clearly am because I'm reading the F'n page over the internet.  This is ENRAGING.  I'm trying to get work done and I can't because I have to screw with this stupid ass, broke POS. All because you want to collect data on your users.  **bleep** YOU

Message 16 of 27
schumaku
Guru

Re: How to disable SSO login?


@cybernawt wrote:

I'll be trashing this POS nighthawk the first chance I get.


There is no word of Nighthawk routers neither in the Netgear business community, nor specifically in this thread. 

 


@cybernawt wrote:

Your POS router keeps redirecting to your stupid ass website saying I "may not be connected to my WiFi" when I clearly am because I'm reading the F'n page over the internet.  This is ENRAGING.  I'm trying to get work done and I can't because I have to screw with this stupid ass, broke POS. All because you want to collect data on your users.  **bleep** YOU


Save your energy - we're community members.

 

Most connection issues using these DNS names are really caused by wireless connections to other APs, for example an ISP router, or caused by using "secure" DNS (https/ssl based) what the device in the data path can't capture and inject the LAN IP reply.

 

On the subject WAC1xx here - when I have it right, this aplogin.com/.net does only work as long as the AP isn't set up. Later, the special names don't work anymore.

Message 17 of 27
indi-tech
Star

Re: How to disable SSO login?

If you disconnect the WAN port you can access the WAC124 via IP address.

 

Unfortunately, this is not helpful if you are trying to remote admin the AP from an outside network.

 

We have had 33% of the WAC124 units we've deployed slow down and then have the web GUI become inaccessible. Is reminiscent of when Asus was having its router hacked. We had several of those become hacked and exhibit similar behavior.

 

Currently, when logging via SSO, we are told the server reloads and then the web page fails. Problems on Netgear's end? We use the 10G switches in video production environments but these APs are just a bunch of garbage.

 

Model: WAC124|AC2000 Dual Band 4x4
Message 18 of 27
Jakobud
Initiate

Re: How to disable SSO login?

For anyone still looking into this, I have found a partial solution.

 

The router login page is sso.html

There are 3 possible login forms:

1. The local login (what you want)

2. The first time login (when you first power on the router)

3. The Internet SSO Netgear login (yuck)

All 3 of these forms are actually on the login page, sso.html, the others are simply hidden.

 

The way the page determines which login form is shown, is a page-level JavaScript variable called "hasInternet". The value is set internally by the firmware and is baked into the page source. The value changes constantly and is some sort of time/date format like "418:33:34". I'm not sure what this time is indicating.

 

Anyways, if the "hasInternet" has a value of "00:00:00" that means the router has internally determined you don't have internet access. In this case, the page simply uses JavaScript to hide the SSO login form and display the Local Login form.

 

I'm not sure if there is a way to trick out the AP to change that "hasInternet" value. Maybe with firmware hacking. I dunno.

 

BUT you can use simple JavaScript on the page to hide/show the login form and ignore the SSO login form.

 

SSO login form HTML div element ID: "box_internet_everlogon"

Local login form HTML div element ID: "box_local_login"

 

So if you open up the browser dev tools and go to the JavaScript console you can use the following JavaScript:

(function(){
  document.getElementById('box_local_login').style.display='block';
  document.getElementById('box_internet_everlogon').style.display='none';
})()

Just copy and paste that in and run it.

 

TADA: Now the SSO login is gone and the Local login is accessible and ready to accept input.

 

So how can we make this a little more accessible? A pain to open up the console and copy/paste this thing every time you login right? How about a browser Bookmarklet?

 

In your browser create a new Bookmark. Give it any name, like "Netgear Local Login" or whatever you want. For the URL paste in the following Javascript:

 

javascript:(function(){ document.getElementById('box_local_login').style.display='block'; document.getElementById('box_internet_everlogon').style.display='none'; })();

For some reason Netgear's Message Board is replacing the "colon" in the above code with the HTML colon entity code ":". Anyways it should look like this at the start:

(https://imgur.com/ajpf6c5)

 

Now, whenever you get to your Netgear AP SSO login page, click on their bookmark. The JavaScript in the bookmark will execute and you will now magically have your local login instead of the stupid Netgear SSO login.

 

There may be other ways of automating this, such as a Chrome/Firefox extension that automatically can execute custom JavaScript whenever you access certain URLs. Or something to automatically open the Bookmarklet when you get to this URL. I haven't really looked deeper into it beyond this.

 

This isn't a perfect solution, but I hope it helps everyone. Netgear should really not require SSO logins for local network devices. Really really dumb idea.

 

 

Message 19 of 27
DaveLister
Tutor

Re: How to disable SSO login?


Sweet thanks!!!

Message 20 of 27
spithost
Initiate

Re: How to disable SSO login?

Very nice and "workable" solution 🙂


Netgear could easily change the sso.html in the firmware (with a simple firmware-update) to give the user the requested CHOICE between the local sign-on and the unwanted "Netgear-SSO", but I guess they don't want to, or they would have already 😞

As you suggested, I created the "javascript-push" in a bookmark right below the bookmark I use to go to the logon page of the router and now I can reasonably easily choose the local logon by using that bookmark right after "surfing" to the Netgear-SSO.

 

But I also agree with some of the other responders to the original question. The WAC124 will be the last Netgear-product I buy...

Model: WAC120|SOHO 802.11ac Gigabit Wireless Access Point
Message 21 of 27
indi-tech
Star

Re: How to disable SSO login?

We use a firewall to block the WAC124's access to the internet. Typically a Meraki MX. This does not prevent network traffic from flowing through it or to the internet. It simply prevents the WAC124's OS from accessing the internet. This disables the SSO and presents you with the local login. We do this with most consumer level and poorly supported gear. Had far too many Asus routers compromised. Unfortunately, this makes administration by remote network impossible. But that's also a good thing from a security standpoint. We then remote into a dedicated machine on the WAC's LAN to administrate.

 

If you are letting your cheap routers and APs have internet access, you're not doing it right. Those things get hacked all the time, cough, WAC124, cough.

Message 22 of 27
spithost
Initiate

Re: How to disable SSO login?

That's even better indeed 🙂

 

How did you program the firewall to prevent the WAC124-OS from accessing the internet and NOT prevent the other traffic, routed through the WAC124, to pass through?

 

I guess you programmed a filter of some sort in the firewall to filter out the WAC124-specific-traffic?

 

Is that relatively easy to do? Maybe I could do something comparable in my 4G internet modem...
(I'm not a support-tech and more a bit advanced "consumer" so I could use some pointers ;-))

Message 23 of 27
indi-tech
Star

Re: How to disable SSO login?

Thanks!

 

Using a Cisco Meraki security appliance (firewall) it's pretty easy. Click on a network device and apply the default block rule or create a special rule.

Other firewalls will have their own way of setting that up. In most cases, simply blocking the WAC124's IP or MAC from having access to the internet should do the trick. Such as denying all external IP traffic to and from the WAC.

 

Hope that helps!

Message 24 of 27
AlainCo
Initiate

Re: How to disable SSO login?

This trick allows entering the login password, but this sometimes ends in a forbidden, or just the same redirect to the sso page...

Thanks anyway, but it seems they disabled the hack

Model: WAC124|AC2000 Dual Band 4x4
Message 25 of 27