API and Code Sample for RADIUS Server with External Web Portal (Omada Controller 4.1.5 or above)
EAP225-Wall( V2 ) , EAP660 HD( V1 ) , OC200 , AP9665 , OC300 , EAP225-Outdoor( V1 ) , EAP245( V3 ) , EAP265 HD( V1 ) , EAP110( V4 ) , EAP230-Wall( V1 ) , EAP235-Wall( V1 ) , EAP620 HD( V1 ) , EAP225( V3 ) , EAP115( V4 ) , EAP110-Outdoor( V3 ) , Omada Software Controller , EAP115-Wall( V1 )
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
Suitable for Omada Controller 4.1.5 or above.
For Omada Controller 3.1.4 to 3.2.17, please refer to FAQ2390
For Omada Controller 3.0.5 or below, please refer to FAQ916
This document outlines the requirements when establishing an external web portal server. In Omada Controller, External Web Portal can only be used when the portal authentication type is External Radius Server.
The below picture depicts the workflow among the wireless client, EAP, Omada Controller, External Web Portal and the Radius Server. It will help you better understand the requirements of establishing an External Web Portal server.
1. When wireless or wired clients connect to the SSID of the wireless network or to the wired LAN and try to access the internet, the EAP or gateway intercepts the client’s HTTP request and redirects it to the Omada Controller. (Step 1 and Step 2)
2. The Omada Controller then redirects the client’s request to the external portal page by replying to the client with an HTTP response with status code 302 Found. (Step 3 and Step 4)
3. The client sends an HTTP/HTTPS GET request to the external web portal with the parameters “?target=target_controller_ip&targetPort=target_controller_port&clientMac=client_mac&clientIp=client_ip&raidusServerIp=radius_server_ip&apMac=ap_mac&gatewayMac=gateway_mac&scheme=scheme&ssidName=ssid_name&radioId=radio_id(0 for 2.4G radio, 1 for 5G radio)&vid=vid&originUrl=redirecturl(if you did not set a redirect URL for wireless/wired clients after they pass portal authentication, the default redirect URL depends on the wireless clients)”.
For example: “https://www.externalportal.com/?target=172.30.30.113&targetPort=8088&clientMac=F8-1E-DF-AA-AA-AA&clientIP=172.30.30.103&raidusServerIp=172.30.30.120&apMac=AC-84-C6-BB-BB-BB&GatewayMac=172.30.0.1&scheme=https&ssidName=eap_test&radioId=1&originalUrl=https%3A%2F%2Fwww.tp-link.com” (Step 5)
4. The external web portal server should be able to get the values of the clientMac, clientIp, apMac, gatewayMac, ssidName, radioId, vid, scheme and originUrl parameters. The external web portal server should then redirect the client to the Controller with the username, password, clientMac, clientIp, apMac, gatewayMac, ssidName, scheme, vid, radioId and originUrl. (Step 6)
5. After the form is submitted, the client sends an HTTP/HTTPS POST to http(s)://target_controller_ip:targetport/portal/radius/auth (or radius/browserauth) with the data in JSON format (or as an HTML form) in the HTTP message body. The default “targetport” of the portal is 8843. (Step 7) For the difference between radius/auth and radius/browserauth, please refer to the “Demo and api” part.
Note: From Controller 5.0, if the API “radius/auth” is used, the “Access-Control-Allow-Origin:URL” field should be submitted in the HTTP header to enhance security during Cross-Origin Resource Sharing (CORS). For example, if the domain name of your External Web Portal is “www.tplinkportal.com”, you need to add “Access-Control-Allow-Origin:https://www.tplinkportal.com”. Please download the demo at the end of the article for reference.
6. The Omada Controller communicates with the RADIUS server to verify the username and password. (Step 8 and Step 9)
7. If the authentication is passed, i.e., Access-Accept is received from the RADIUS server, the Omada Controller will redirect the client to a built-in success page or a predefined webpage according to the configuration. (Step 10)
Demo and api:
From 4.1.5 to 5.1.0, we provide the API target_controller_ip:targetport/portal/radius/auth, which accepts submissions in JSON format.
The HTML template below is a simple demo to help you develop an External Web Portal that works with Omada Controller using JSON format:
External Web Server Demo (JSON)
When HTTPS is used on the web portal side and HTTP is used on the Omada Controller side, AJAX access causes CORS cross-domain access problems and is intercepted by the browser. For this reason, since Omada Controller 5.3.1 we provide an API for HTML form submission, target_controller_ip:targetport/portal/radius/browserauth, which performs the page jump on the back end.
The HTML template below is another demo, using an HTML form:
External Web Server Demo (HTML form)
Note:
1. If you are using Omada Cloud-Based Controller (CBC), only HTTPS POST to the API “browserauth” with an HTML form is supported, for security reasons. For CBC, please use the domain of your CBC instead of “target_controller_ip:targetport” in the URL pointing to the “browserauth” API.
For example, for the CBC with URL in this figure, the API would be “https://aps1-omada-controller.tplinkcloud.com/portal/radius/browserauth”
2. If your Controller (4.1.5 or above) is upgraded from Controller 3.x.x, please note that we have changed the “Name” of some parameters.
| Name (V3.x) | Name (V4.x) | Type | Remark |
|---|---|---|---|
| clientMac | clientMac | string | client MAC address |
| clientIp | clientIp | string | client IP address |
| ap | apMac | string | AP MAC address (only for ap) |
| | gatewayMac | string | Gateway MAC address (only for wired auth) |
| | vid | integer | vid (only for wired auth) |
| ssid | ssidName | string | ssid name |
| radioId | radioId | integer | 0: 2.4GHz, 1: 5GHz (only for ap) |
| / | authType | integer | The actual authentication type, only supports External RADIUS and Hotspot RADIUS authentication methods. 2: External RADIUS; 8: Hotspot RADIUS |
| redirectUrl | originUrl | string | redirectUrl |
| username | username | string | authentication username |
| password | password | string | authentication password |
Note that apMac and gatewayMac cannot exist in the same request. When wired clients authenticate, please leave apMac blank.
3. In Step 7, if your form has non-ASCII characters (for example, the SSID name is in Chinese or another language), UTF-8 encoding must be used when sending the HTTP/HTTPS POST to the Controller.
4. If you choose AJAX access, please note the “Access-Control-Allow-Origin:URL” field for Controller 5.0 and above.
5. The HTML form demo and the radius/browserauth API are recommended.
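The following sketch is an added example, not part of TP-Link's demo or the Omada code base. It shows how an external portal server could turn the Step 5 redirect parameters into the browserauth form post while refusing any controller origin that is not on an operator-maintained allowlist and escaping the client-controlled values it writes into HTML. ALLOWED_CONTROLLERS, the function names, the sample URL and the choice to send the "only for ap" / "only for wired auth" fields as blank on the other path are assumptions.

```javascript
// Added example, not TP-Link's demo code. ALLOWED_CONTROLLERS is an assumed
// operator-maintained allowlist; its value and SAMPLE are constructed.
const ALLOWED_CONTROLLERS = new Set(["https://172.30.30.113:8088"]);
const SAMPLE = "https://www.externalportal.com/?target=172.30.30.113&targetPort=8088" +
  "&clientMac=F8-1E-DF-AA-AA-AA&clientIP=172.30.30.103&apMac=AC-84-C6-BB-BB-BB" +
  "&scheme=https&ssidName=eap_test&radioId=1&originalUrl=https%3A%2F%2Fwww.tp-link.com";
const MAC_RE = /^[0-9A-F]{2}(-[0-9A-F]{2}){5}$/i;

// Case-insensitive lookup: the page's template and example differ in capitalisation.
function param(query, name) {
  for (const [k, v] of query) if (k.toLowerCase() === name.toLowerCase()) return v;
  return "";
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Build the browserauth POST from the Step 5 URL plus the typed credentials.
// `target`, `targetPort` and `scheme` are client-supplied, so the origin is
// checked before any credential is sent towards it.
function buildBrowserAuth(redirectUrl, username, password, authType = 2) {
  const q = new URL(redirectUrl).searchParams;
  const origin = `${param(q, "scheme")}://${param(q, "target")}:${param(q, "targetPort")}`;
  if (!ALLOWED_CONTROLLERS.has(origin)) throw new Error(`untrusted controller: ${origin}`);
  if (![2, 8].includes(authType)) throw new Error("authType must be 2 or 8");
  const clientMac = param(q, "clientMac");
  if (!MAC_RE.test(clientMac)) throw new Error("invalid clientMac");
  const apMac = param(q, "apMac"), gatewayMac = param(q, "gatewayMac");
  const wireless = MAC_RE.test(apMac); // assumption: a valid apMac means wireless
  if (!wireless && !MAC_RE.test(gatewayMac)) throw new Error("need a valid apMac or gatewayMac");
  const radioId = param(q, "radioId");
  if (wireless && radioId !== "0" && radioId !== "1") throw new Error("invalid radioId");
  return {
    action: `${origin}/portal/radius/browserauth`,
    fields: {
      clientMac, clientIp: param(q, "clientIp"), ssidName: param(q, "ssidName"),
      apMac: wireless ? apMac : "", radioId: wireless ? radioId : "",
      gatewayMac: wireless ? "" : gatewayMac, vid: wireless ? "" : param(q, "vid"),
      authType, originUrl: param(q, "originUrl") || param(q, "originalUrl"),
      username, password,
    },
  };
}

// Hidden-input form for the POST; every value is HTML-escaped before output.
function renderForm({ action, fields }) {
  const inputs = Object.entries(fields).map(([k, v]) =>
    `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`).join("\n");
  return `<form method="post" action="${escapeHtml(action)}" accept-charset="UTF-8">\n${inputs}\n</form>`;
}
```

The form declares UTF-8 so that a non-ASCII ssidName is posted in the encoding the Controller requires.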
Appendix: API document of auth and browserauth
portal/radius/auth (since Omada Controller 4.1.5)
Basic Information
Path: /portal/radius/auth
Method: POST
Request Parameters
Headers
| Parameters | Value | Required |
|---|---|---|
| Content-Type | application/json | Yes |
Query
| Parameters | Required | Description |
|---|---|---|
| key | Yes | AES key encrypted by RSA public key, RSA/ECB/PKCS1Padding. The first 16 bytes are the key, and the last 16 bytes are the IV. |
Body
| Parameters | Type | Required | Description |
|---|---|---|---|
| clientMac | string | Yes | client MAC address |
| clientIP | String | | Client IP address |
| apMac | string | Yes | AP MAC address |
| gatewayMac | string | Yes | gateway MAC address |
| ssidName | string | Yes | SSID name |
| vid | integer | Yes | VLAN ID |
| radioId | integer | Yes | 0: 2.4GHz 1: 5GHz |
| authType | integer | Yes | This entry is the realtime authentication type. Only the following two options are supported: 2: External RADIUS 8: Hotspot RADIUS |
| originUrl | string | | Redirect URL |
| username | string | Yes | The username for authentication |
| password | string | Yes | The password for authentication |
Response Parameters
| Parameters | Type | Required | Description |
|---|---|---|---|
| errorCode | integer | Yes | Error Code |
portal/radius/browserauth (since Omada Controller 5.3.1)
Basic Information
Path: /portal/radius/browserauth
Method: POST
Request Parameters
Headers
| Parameters | Value | Required |
|---|---|---|
| Content-Type | application/x-www-form-urlencoded | Yes |
Path parameters
| Parameters | Type | Required | Description |
|---|---|---|---|
| clientMac | string | Yes | client MAC address |
| clientIp | String | | Client IP address |
| apMac | string | Yes | AP MAC address |
| gatewayMac | string | Yes | gateway MAC address |
| ssidName | string | Yes | SSID name |
| vid | integer | Yes | VLAN ID |
| radioId | integer | Yes | 0: 2.4GHz 1: 5GHz |
| authType | integer | Yes | This entry is the realtime authentication type. Only the following two options are supported: 2: External RADIUS 8: Hotspot RADIUS |
| originUrl | string | | Redirect URL |
| username | string | Yes | The username for authentication |
| password | string | Yes | The password for authentication |
Response Parameters
| Parameters | Type | Required | Description |
|---|---|---|---|
| errorCode | integer | Yes | Error Code |