Search icon Choose location
 
Search icon

How to build an 802.1X access authentication system using Switches on Omada Controller

User Application Requirement
Updated 07-08-2024 02:34:20 AM 112779
This Article Applies to: 

Contents

Objective

Requirements

Introduction

Configuration

Build up a Radius Server

Configure 802.1X on the Controller

Turn on 802.1X authentication for your computer

Conclusion

Objective

This article describes how to set up 802.1X on the Omada Controller and send the configuration to the destination switch for user authentication.

Requirements

  1. Omada Smart / L2+ / L3 series switches
  1. Omada Controller (software Controller / hardware Controller / CBC, v5.9 and above)

Introduction

802.1X access authentication system is widely used in Ethernet environment as a solution to provide authentication access for clients. 802.1X access authentication is based on “port”,which means the access control and AAA authentications for clients is based on the “port” of NAS (Network Access Server). If the client connects to the port of NAS passes the authentication of Radius Server, then the client can get access to the resources belonging to the NAS, but not the other way around.

Note: In this article NAS (Network Access Server) refers to TP-Link switch which acts as 802.1X Authenticator in 802.1X system. Computers or Servers running Radius server software act as 802.1X Authentication server in 802.1X system. Below is the illustration of 802.1X access authentication system.

As shown in the topology below, port 1 of switch is connected to Radius server which provides the authentication for 802.1X supplicant. Port 23 is connected to uplink port which is a router connecting to the Internet. Switch acts as the 802.1X authenticator as well as the NAS for the system. And what we need is a system, which only allows legal users who passed the authentication of Radius Server through switch can get internet access.

Configuration

Build up a Radius Server

This article takes FreeRadius as an example to build up a Radius Server on a local computer.

Step 1. Install FreeRadius on Ubuntu. Freeradius can be installed online with the command sudo apt install freeradius, or from the source file Build with the freeradius installation guide Building FreeRADIUS.

Step 2. Configure clients.conf for FreeRadius. For testing from external machines, edit /etc/freeradius/clients.conf and add an entry. There are many examples and the syntax is easy:

client tplink {

ipaddr = 192.168.0.100

secret = testing123

}

Step 3. Define an user and password. Edit /etc/freeradius/users and create an example user account as the first entry. i.e. at the top of the file, such as:

admin Cleartext-Password := "admin"

Save the configuration of the above file, start FreeRadius server, "Ready to process requests" will appear, which indicates that your freeradius server installation is successful:

Configure 802.1X on the Controller

Step 1. Setting the RADIUS Profile

Log in Controller, go to Settings >Profiles >RADIUS Profile, click Create New RADIUS Profile and edit the Name of the radius server in the name field. Enter the IP address of the radius server in Authentication Server IP and the radius port value in Authentication Port. Enter the shared key of the radius server in Authentication Password. Once the settings are complete, click Save to save the configuration.

Step 2. Configure 802.1X authentication. Go to Settings >Authentication >802.1X to turn on the 802.1X button. In the RADIUS Profile column, select the radius server created in Step 4 and set Authentication Protocol to EAP and Authentication Type to Port Based. Finally, select ports 5-10 and click Save to complete the configuration.

Note: MAC Based indicates any device connected to the corresponding port needs independent authentication before getting access to the network. While Port Based indicates all devices connected to one port can get access to the network as long as one of them has passed the authentication of corresponding port.

Turn on 802.1X authentication for your computer

Step 1. Press the Win+R and enter services.msc

You will see the following screen.

Step 2. Find Wired AutoConfig and click Start to enable 802.1X authentication.

Step 3. Open Network & Network settings and enable 802.1X authentication.

Double-click the NIC to be authenticated:

Click Properties:

You will see the Authentication options bar, click to enter. Tick Enable IEEE 802.1X authentication and select PEAP for network authentication method. Finally, click Settings to configure the PEAP properties.

Disable Verify the server's identity by validating the certificate and select EAP-MSCHAP v2 for Authentication method. Click Configure to enter the EAP MSCHAP v2 properties interface.

Uncheck Automatically use my Windows logon name and password (and domain if any).

Click OK and save the settings. The computer will automatically pop up the following interface, enter the account and password, complete the authentication you can access the Internet. The account and password are set in Step 3.

Conclusion

You have successfully configured 802.1X for switch and are authenticated to access the Internet.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Related FAQs

Is this faq useful?

Your feedback helps improve this site.

Recommend Products

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

From United States?

Get products, events and services for your region.

GO Other Option

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Livechat

__livechat, __lc2_cid, __lc2_cst, __lc_cid, __lc_cst, CASID

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au

Facebook

_fbp

Crazy Egg

cebsp_, _ce.s, _ce.clock_data, _ce.clock_event, cebs

Hotjar

OptanonConsent, _sctr, _cs_s, _hjFirstSeen, _hjAbsoluteSessionInProgress, _hjSessionUser_14, _fbp, ajs_anonymous_id, _hjSessionUser_<hotjar-id>, _uetsid, _schn, _uetvid, NEXT_LOCALE, _hjSession_14, _hjid, _cs_c, _scid, _hjAbsoluteSessionInProgress, _cs_id, _gcl_au, _ga, _gid, _hjIncludedInPageviewSample, _hjSession_<hotjar-id>, _hjIncludedInSessionSample_<hotjar-id>

lidc, AnalyticsSyncHistory, UserMatchHistory, bcookie, li_sugr, ln_or