Search icon Choose location
 
Search icon

How to configure 802.1X VLAN Assignment on Omada Controller

Configuration Guide
Updated 08-05-2024 08:29:42 AM FAQ view icon6695
This Article Applies to: 

Contents

Objective

Requirements

Introduction

Configuration

Configuring Access Authentication with Omada Built-in RADIUS

Configuring Access Authentication with FreeRadius

Verification

Conclusion

Objective

This article describes how to configure 802.1X VLAN Assignment authentication using Omada's Built-in RADIUS and external FreeRadius, respectively.

Requirements

  • Omada Smart/ L2+/L3 series switches
  • Omada Controller (Software Controller / Hardware Controller / Cloud-Based Controller, v5.9 and above)

Introduction

802.1X is a network authentication protocol used to authenticate users or devices connecting to the network. VLAN Assignment is a method of grouping network devices by assigning them to different VLANs. This allows for network traffic isolation and improved security. These two technologies are often used together to achieve stricter network access control. The following figure shows a typical topology of a combination of 802.1X and VLAN Assignment technologies.

Configuration

Configuring Access Authentication with Omada Built-in RADIUS

Step 1. Go to Settings > Server Settings in the Global view and enable Built-in RADIUS, then enter the corresponding parameters and Enable Tunneled Reply. Here IP Address refers to the IP address of the Controller.

Step 2. Switch to the target site, go to Settings > Profile > RADIUS Profile, and click Edit.

Click Add New RADIUS User

Select User Authentication for Authentication Type, enter Name, Password, VLAN ID and other parameters, and click Apply to save the configuration.

Step 3. Go to Settings > Authentication > 802.1X, and enable 802.1X. For RADIUS Profile, select Built-in Radius Profile, and then enable VLAN Assignment. Select the ports that require 802.1X authentication, and click Save.

Configuring Access Authentication with FreeRadius

Step 1. Edit the "users" file in the FreeRadius server. Add the user, password and corresponding VLAN ID in the blank space using the vi /etc/freeradius/3.0/users command, as shown below.

Step 2. Go to Settings > Profiles > RADIUS Profile and click Create New RADIUS Profile.

Enter the RADIUS Profile's Name, Authentication Server IP, Authentication Port, and Authentication Password, and then click Save.

Step 3. Go to Settings > Authentication > 802.1X and enable 802.1X. Select the external RADIUS Server created in Step 2 for RADIUS Profile, and then enable VLAN Assignment. Finally, select the ports that require authentication for internet access, and click Save.

Verification

Go to Tools > Terminal and select Device Type as Switch. Choose the switch that has 802.1X authentication enabled under Sources, and then click Open Terminal. In the Terminal interface of the switch, enter the command show dot1x auth-state. You will be able to see that port 1/0/1 has been successfully authenticated, and the client has been assigned to VLAN 2.

Conclusion

You can use VLAN Assignment and 802.1X to enhance your network security.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Related FAQs

Is this faq useful?

Your feedback helps improve this site.

Recommend Products

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

From United States?

Get products, events and services for your region.

GO Other Option

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Livechat

__livechat, __lc2_cid, __lc2_cst, __lc_cid, __lc_cst, CASID

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au

Meta Pixel

_fbp

Crazy Egg

cebsp_, _ce.s, _ce.clock_data, _ce.clock_event, cebs

Hotjar

OptanonConsent, _sctr, _cs_s, _hjFirstSeen, _hjAbsoluteSessionInProgress, _hjSessionUser_14, _fbp, ajs_anonymous_id, _hjSessionUser_<hotjar-id>, _uetsid, _schn, _uetvid, NEXT_LOCALE, _hjSession_14, _hjid, _cs_c, _scid, _hjAbsoluteSessionInProgress, _cs_id, _gcl_au, _ga, _gid, _hjIncludedInPageviewSample, _hjSession_<hotjar-id>, _hjIncludedInSessionSample_<hotjar-id>

Linkedin

lidc, AnalyticsSyncHistory, UserMatchHistory, bcookie, li_sugr, ln_or