How to build an 802.1X access authentication system using Switches on Omada Controller
Contents
Configure 802.1X on the Controller
Turn on 802.1X authentication for your computer
This article describes how to set up 802.1X on the Omada Controller and send the configuration to the destination switch for user authentication.
- Omada Smart / L2+ / L3 series switches
- Omada Controller (software Controller / hardware Controller / CBC, v5.9 and above)
802.1X access authentication system is widely used in Ethernet environment as a solution to provide authentication access for clients. 802.1X access authentication is based on “port”,which means the access control and AAA authentications for clients is based on the “port” of NAS (Network Access Server). If the client connects to the port of NAS passes the authentication of Radius Server, then the client can get access to the resources belonging to the NAS, but not the other way around.
Note: In this article NAS (Network Access Server) refers to TP-Link switch which acts as 802.1X Authenticator in 802.1X system. Computers or Servers running Radius server software act as 802.1X Authentication server in 802.1X system. Below is the illustration of 802.1X access authentication system.
As shown in the topology below, port 1 of switch is connected to Radius server which provides the authentication for 802.1X supplicant. Port 23 is connected to uplink port which is a router connecting to the Internet. Switch acts as the 802.1X authenticator as well as the NAS for the system. And what we need is a system, which only allows legal users who passed the authentication of Radius Server through switch can get internet access.
This article takes FreeRadius as an example to build up a Radius Server on a local computer.
Step 1. Install FreeRadius on Ubuntu. Freeradius can be installed online with the command sudo apt install freeradius, or from the source file Build with the freeradius installation guide Building FreeRADIUS.
Step 2. Configure clients.conf for FreeRadius. For testing from external machines, edit /etc/freeradius/clients.conf and add an entry. There are many examples and the syntax is easy:
client tplink {
ipaddr = 192.168.0.100
secret = testing123
}
Step 3. Define an user and password. Edit /etc/freeradius/users and create an example user account as the first entry. i.e. at the top of the file, such as:
admin Cleartext-Password := "admin"
Save the configuration of the above file, start FreeRadius server, "Ready to process requests" will appear, which indicates that your freeradius server installation is successful:
Configure 802.1X on the Controller
Step 1. Setting the RADIUS Profile
Log in Controller, go to Settings >Profiles >RADIUS Profile, click Create New RADIUS Profile and edit the Name of the radius server in the name field. Enter the IP address of the radius server in Authentication Server IP and the radius port value in Authentication Port. Enter the shared key of the radius server in Authentication Password. Once the settings are complete, click Save to save the configuration.
Step 2. Configure 802.1X authentication. Go to Settings >Authentication >802.1X to turn on the 802.1X button. In the RADIUS Profile column, select the radius server created in Step 4 and set Authentication Protocol to EAP and Authentication Type to Port Based. Finally, select ports 5-10 and click Save to complete the configuration.
Note: MAC Based indicates any device connected to the corresponding port needs independent authentication before getting access to the network. While Port Based indicates all devices connected to one port can get access to the network as long as one of them has passed the authentication of corresponding port.
Turn on 802.1X authentication for your computer
Step 1. Press the Win+R and enter services.msc
You will see the following screen.
Step 2. Find Wired AutoConfig and click Start to enable 802.1X authentication.
Step 3. Open Network & Network settings and enable 802.1X authentication.
Double-click the NIC to be authenticated:
Click Properties:
You will see the Authentication options bar, click to enter. Tick Enable IEEE 802.1X authentication and select PEAP for network authentication method. Finally, click Settings to configure the PEAP properties.
Disable Verify the server's identity by validating the certificate and select EAP-MSCHAP v2 for Authentication method. Click Configure to enter the EAP MSCHAP v2 properties interface.
Uncheck Automatically use my Windows logon name and password (and domain if any).
Click OK and save the settings. The computer will automatically pop up the following interface, enter the account and password, complete the authentication you can access the Internet. The account and password are set in Step 3.
You have successfully configured 802.1X for switch and are authenticated to access the Internet.
Get to know more details of each function and configuration please go to Download Center to download the manual of your product.
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.