I'm unable to authenticate or control multiple HS300(US) devices (Hardware Version 2.0) using the latest python-kasa CLI or library.
kasa discover finds the devices successfully but reports Authentication failed for device for each one.
These same devices work fine via the official Kasa mobile app (cloud control).

This may be due to TP-Link changing the firmware behavior — the devices no longer appear to listen on UDP 9999, and the encryption handshake (KLAP) fails even when valid credentials are supplied.

Environment

Device model: HS300(US)

Hardware version: 2.0

Firmware version: (please confirm exact build, e.g. 1.1.6 Build 240130 Rel.173828)

Encryption type: KLAP

Login version: 2

Platform: Ubuntu 24.04 LTS

python-kasa version: (latest from pip or cloned dev branch)

Network: Same subnet (192.168.0.x), no firewall filtering, UFW inactive

What happens

Running discovery:
kasa discover

Output:

== Authentication failed for device ==
Device Model: HS300(US)
IP: 192.168.0.242
HW Ver: 2.0
Encrypt Type: KLAP
Login version: 2

Port scan shows:

sudo nmap -sU -p 9999 192.168.0.242 → 9999/udp closed distinct

Device responds to ping and TCP 80, but not UDP 9999.

Tested on multiple units (3 total, HW v2.0), all show same behavior.

Expected behavior

Older HS300 firmware allowed local control via UDP 9999 using KLAP protocol.
python-kasa should be able to authenticate locally and toggle outlets without using TP-Link’s cloud.

Actual behavior
-Discovery works (broadcast response received).
-Authentication fails for all devices.
-UDP 9999 appears closed; no UDP response packets observed in tcpdump.
-Device remains cloud-dependent.
-Troubleshooting performed
-Verified all devices and control host are on the same subnet.
-Confirmed no network or OS-level firewalls are active.
-Tested with valid TP-Link account credentials via --username and --password.
-Same result across multiple devices (different IPs).
-TP-Link support confirmed that new firmware may disable local control entirely.

Possible cause

Recent HS300 firmware versions (KLAP, Login version 2) appear to have removed or disabled the local control port (9999) and rely solely on TP-Link Cloud for operation.
This prevents python-kasa from authenticating locally.

Request

Can anyone confirm whether HS300 hardware version 2.0 (with newer firmware) has officially dropped support for local control, and if python-kasa plans to support cloud-authenticated control for these devices?

If there’s any way to debug the KLAP handshake (e.g., additional flags or packet captures), I’m happy to provide logs or run tests.

Example device dump:

Device Type: IOT.SMARTPLUGSWITCH
Device Model: HS300(US)
IP: 192.168.0.242
MAC: 40-AE-30-40-26-03
Device Id (hash): eff8dcab310ffac89b042df8a35da5c1
HW Ver: 2.0
Encrypt Type: KLAP
HTTP Port: 80
Login version: 2