How to configure MAC-Based Authentication on Omada Controller

Contents

Objective

Requirements

Introduction

Configuration with External Radius Server

Configuration with Built-in RADIUS of Omada Controller

Verification

Conclusion

FAQ

Objective

This article introduces how to configure MAC-Based Authentication for wireless clients using an external radius server or the Built-in RADIUS of the Omada Controller, ensuring that only clients with authorized MAC addresses are granted network access.

Requirements

• Omada AP
• Omada Controller (Software Controller / Hardware Controller / Could-based Controller)
• External Radius Server

Introduction

MAC-Based Authentication is designed to control network access based on a device’s port and MAC address. To pass this authentication, a client’s MAC address should be registered on the Radius Server beforehand, with no additional client-side software required. The authentication process is seamless for users, since they do not need to manually enter the username and password, which greatly improves the wireless network access experience. With this function, you can control which clients can access the wireless network, reducing the risk of network intrusion and data theft.

In the Omada Controller, the feature is only applicable to wireless clients, so it can be regarded as Wireless MAC-Based Authentication. When a client tries to connect to an SSID configured with MAC-Based Authentication, the access point (AP), as a RADIUS client, converts the client's MAC address into a specified format and then sends it as the username and password to the RADIUS server. If the server recognizes the MAC address as authorized, it will inform the AP and the client will be given access to network resources.

You can use either the Built-in RADIUS server of the Omada Controller, or an external RADIUS server according to your needs. This guide will use EAP660 HD v1 and Omada Software Controller v5.14.30.7 to demonstrate how to configure MAC-Based Authentication using both methods. For the configuration through the external RADIUS server, FreeRADIUS installed on the CentOS system will be used as an example.

• CentOS version: centos-release-7-5.1804.el7.centos.×86_64
• FreeRADIUS version: FreeRADIUS Version 3.0.13

Note:

• When configuring MAC-Based Authentication with External Radius Server selected on Omada Software Controller v5.14 and above, you can add up to 4 RADIUS servers to increase fault tolerance. When one server becomes unavailable, the system can automatically switch to another server to complete the authentication. Make sure that this function is supported on the AP you are using. To verify this, refer to the Release Note on the device’s firmware update on TP-Link’s official website.
• The Omada Cloud-Based Controller (CBC) does not support the built-in RADIUS server. The built-in RADIUS will be removed from OC200 v5.15 model, but will continue to be available on the Omada Software Controller and other hardware controllers.
• Because the MAC addresses of authorized clients must be registered in the RADIUS server, MAC-Based Authentication is a bit complex to manage. When the administrator wants to add/replace/remove a client, the authentication list must be updated, which reduces network flexibility. Thus, you can combine MAC-Based Authentication with other methods, such as WPA/WPA2/WPA3 and portal authentication for all-round network security.

Configuration with External Radius Server

Step 1. Add multiple authorized clients in FreeRADIUS.

Open the CentOS system with FreeRADIUS installed and go to the Command Line Interface (CLI), edit and save the users file to add the MAC addresses of the authorized clients as shown in the following figure. You can add clients with two methods, via the Cleartext-Password attribute and the Auth-Type attribute. However, do not mix the two configurations.

• Via the Cleartext-Password attribute: The format is MAC address Cleartext-Password := “MAC address”

• Via the Auth-Type attribute: The format is MAC address Auth-Type := Accept

Note: When adding clients via the Cleartext-Password attribute, do not enable Empty Password in Step 7. If you do so, clients will not pass the authentication.

Step 2. Restart FreeRADIUS

After editing and saving the user file, run the following two commands on the CLI to restart FreeRADIUS and ensure that the configuration takes effect:

service radiusd stop

radius –X

Note: The specific CLI commands you need to enter in this step vary based on your Linux system. The preceding two commands apply only to the environment in this article.

Step 3. Log in to the Controller, go to Settings > Wireless Network > WLAN, and click Create New Wireless Network.

Step 4. Set parameters or options such as Network Name (SSID) / Band / Security. You may click on Advanced Settings to adjust more advanced configuration items according to your needs, and then click on Apply button.

Step 5. Go to Settings > Profiles > RADIUS Profile to click Create New RADIUS Profile.

Step 6. Enter Name, Authentication Server IP/URL, Authentication Port and Authentication Password. Meanwhile, if your AP supports multiple Radius Servers, you can click Add New Authentication Server to complete the settings of the several other Radius Servers, then click Save. The relevant parameters are described as follows:

• Authentication Server IP/URL: The IP address or the URL of your Radius Server for authentication.
• Authentication Port: The UDP destination port on the Radius Server for authentication requests.
• Authentication Password: The password configured in clients.conf file of FreeRADIUS that will be used to validate the communication between Omada APs and the Radius Server.

Step 7. Go to Settings > Authentication > MAC-Based Authentication to tick MAC-Based Authentication and select the target SSID and the RADIUS Profile created in the above steps. Set the other configurations (NAS ID / MAC-Based Authentication Fallback / Empty Password) and choose the MAC Address Format based on your needs, but it must be consistent with the MAC address format that you entered in the Radius Server.

Note:

• NAS ID: Configure a Network Access Server Identifier (NAS ID) for authentication. Authentication request packets from the AP to the RADIUS server carry the NAS ID. The Radius server can classify users into different groups based on the NAS ID. Then choose different policies for different groups. When it’s empty, NAS ID is TP-Link_AP’s Model_AP’s MAC_NAS by default, such as TP-Link_EAP660 HD_xx-xx-xx-xx-xx-xx_NAS.
• MAC-Based Authentication Fallback: For wireless networks configured with both MAC-Based Authentication and Portal, if you enable this feature, a wireless client needs to pass only one authentication. The client tries MAC-Based Authentication first, and is allowed to try Portal authentication if it failed the MAC-Based Authentication. If you disable this feature as default, a wireless client needs to pass both the MAC-Based Authentication and portal authentication for internet access, and will be denied if it fails either of the authentications.
• Empty Password: With this option enabled, the password used for authentication will be blank. Otherwise, the password will be the same as the username which is the client’s MAC address.

Configuration with Built-in RADIUS of Omada Controller

Step 1. Go to Global View’s Settings > Sever Settings to enable Built-in RADIUS and set the Server Address Type, Secret and Authentication Port properly according to your own needs. Then you will see that Status changes from Disabled to Running.

• Server Address Type: When the Controller is on a computer with multiple network adapters, and the type is configured as Auto, the server address will be sent to the device according to the ports connected to the device; when the type is configured as Manually, the user needs to manually configure the server's IP address, which should be the address the device can communicate with.
• Secret: RADIUS server key.
• Authentication Port: RADIUS server authentication port.

Step 2. Log in Controller, go to Settings > Wireless Network > WLAN to click Create New Wireless Network.

Step 3. Set parameters or options such as Network Name (SSID) / Band / Security. You may click on Advanced Settings to adjust more advanced configuration items according to your needs. Then click Apply.

Step 4. Go to Settings > Profiles > RADIUS Profile to edit Built-in Radius Profile.

Step 5. Click Add New RADIUS User, select Authentication Type as MAC Authentication, enter the client’s MAC address in a proper format, and then click Apply.

Step 6. Go to site’s Settings > Authentication > MAC-Based Authentication to tick MAC-Based Authentication and select the target SSID. Choose Built-in RADIUS Profile as the RADIUS Profile. Set the other configurations (NAS ID / MAC-Based Authentication Fallback / Empty Password) and choose the MAC Address Format based on your needs, but note that it must be consistent with the MAC address format that you entered in the Built-in RADIUS Profile.

Note:

• NAS ID: Configure a Network Access Server Identifier (NAS ID) for authentication. Authentication request packets from the AP to the RADIUS server carry the NAS ID. The Radius server can classify users into different groups based on the NAS ID, and then choose different policies for different groups. When it’s empty, NAS ID is TP-Link_AP’s Model_AP’s MAC_NAS by default, such as TP-Link_EAP660 HD_xx-xx-xx-xx-xx-xx_NAS.
• MAC-Based Authentication Fallback: For the wireless network configured with both MAC-Based Authentication and Portal, if you enable this feature, a wireless client needs to pass only one authentication. The client tries MAC-Based Authentication first, and is allowed to try Portal authentication if it failed the MAC-Based Authentication. If you disable this feature as default, a wireless client needs to pass both the MAC-Based Authentication and portal authentication for internet access, and will be denied if it fails either of the authentications.
• Empty Password: With this option enabled, the password used for authentication will be blank. Otherwise, the password will be the same as the username which is the client’s MAC address.

Verification

To verify the configuration, connect the two clients whose MAC addresses were registered in the RADIUS server to the corresponding SSID. If the two clients can connect to the SSID and access the internet, while others cannot, this indicates a successful configuration.

Conclusion

Now you have learned how to configure and verify MAC-Based Authentication. Please select an appropriate RADIUS server according to your actual situation. You can use other authentication methods such as WPA/WPA2/WPA3 and portal authentication for comprehensive network security.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

FAQ

1. What is the authentication priority when WPA, MAC-Based Authentication, and Portal Authentication are all enabled?

Re. MAC Authentication > WPA Authentication > Portal Authentication.

2. What is the authentication priority between MAC-Based Authentication and MAC Filter?

Re. MAC Filter has a higher priority than MAC-Based Authentication. That is, if a client's MAC address is in the Deny List of MAC Filter, it will be unable to connect to the SSID even if it is registered for MAC-Based Authentication.