tp-link Omada SDN Controller User Guide
- June 5, 2024
- tp-link
tp-link Omada SDN Controller
Product Information
Specifications
- Supports PPSK without RADIUS and PPSK with RADIUS
- Configuration via Omada SDN Controller
- 6 GHz band does not support PPSK with/without RADIUS for Security
Product Usage Instructions
2.1 Configure PPSK without RADIUS
For PPSK without RADIUS, follow these steps:
- Create a PPSK Profile on the Omada Controller.
- Create a New Wireless Network with PPSK without RADIUS.
2.1.1 Create a PPSK Profile on the Omada Controller
- Launch your Omada Controller, select a site from the drop-down list of Organization in the top-right corner, and go to Settings > Profiles > PPSK.
- Click +Create New PPSK Profile. Enter a name for the new profile.
- Add new entries in the PPSK profile or import entries from a file.
- Apply the changes to save the profile.
2.1.2 Create New Wireless Network with PPSK without RADIUS
- Go to Settings > Wireless Networks. Click +Create New Wireless Network.
- Enter the SSID and choose PPSK without RADIUS for Security. Select the PPSK profile created.
- Configure advanced settings based on your needs and click Apply.
2.2 Configure PPSK with RADIUS
For PPSK with RADIUS, you need to create Network Access Servers in the RADIUS server to allow EAPs to submit authentication requests.
FAQ
Q: What should I do if the EAPs do not broadcast the SSID with PPSK?
A: Ensure that the current firmware version of your EAPs supports PPSK with/without RADIUS. If not, update the firmware to enable broadcasting of the SSID.
Overview
A private Pre-Shared Key (PPSK for short) is a security solution in which individual client devices can be managed without much complexity. With PPSK configured, each user is assigned a unique passphrase for authentication of the same SSID. Also, it allows the binding of a passphrase and the device MAC address(es), and thus only the specified device(s) can be authenticated using the passphrase. You can create PPSK lists and apply them to multiple wireless networks, saving you from repeatedly setting up the same information. The Omada SDN Controller supports two types of PPSK, PPSK without RADIUS and PPSK with RADIUS. This configuration guide will introduce how to configure PPSK without RADIUS and PPSK with RADIUS via the Omada SDN Controller.
Before configuration, please note the following:
- The 6 GHz band does not support PPSK with/without RADIUS for Security. Please uncheck the 6 GHz band to configure the PPSK function.
- Please make sure the current firmware version of your EAPs supports PPSK with/without RADIUS. Otherwise, the EAP will not broadcast the SSID with PPSK with/without RADIUS, leading to the failure of users to detect the SSID on either frequency band.
Configure PPSK via the Omada SDN Controller
Configure PPSK without RADIUS
For PPSK without RADIUS, you can just create PPSK profiles on the Omada SDN Controller.
The configuration overview is as follows:
- Create a PPSK Profile on the Omada Controller.
- Create a New Wireless Network with PPSK without RADIUS.
Create a PPSK Profile on the Omada Controller
- Launch your Omada Controller, select a site from the drop-down list of Organization in the top-right corner, and go to Settings > Profiles > PPSK.
- Click +Create New PPSK Profile. Enter a name for the new profile.
- Click Add to add new entries in the PPSK profile or click Import to import entries in batches from a file.
To add new entries manually, follow these steps:
- Click Add and choose Manually for PPSK Generation.
- Enter a name to identify the created PPSK entry and a passphrase that the client will use for authentication.
You can bind the PPSK to a specific MAC address so that only the client of this MAC address can use the passphrase for authentication. You can also set the VLAN ID, so the client using the passphrase for authentication will be assigned to the specified VLAN. MAC address and VLAN ID settings are optional.
Note:
To enable VLAN Assignment, you should create VLAN interfaces first (refer to 2.3 Create Interfaces for VLAN Assignments (Optional)).
- To add more entries, click Add New PPSK and set the parameters accordingly.
- Click Apply and the entries created will be shown in the profile.
Auto PPSK generation will help you easily create multiple PPSK entries at a time. To add new entries automatically, follow these steps:
- Click Add and choose Auto for PPSK Generation.
- Specify the number of PPSKs you want to create, the prefix of the PPSK name, and the length of the passphrase. Assign the clients using these PPSKs to the specific VLAN according to your needs.
- Click Apply and the specified number of PPSK entries with random passphrases will be automatically created and shown in the profile.
To import entries in batches from a file, follow these steps:
- Click Import.
- Click template to download the PPSK entry template. Fill in the template with the PPSK information based on your own needs and save the spreadsheet.
- Click Browse on the Controller and choose the PPSK entries file created in step 2). Click Import and the PPSK entries specified in the spreadsheet will be created and shown in the profile.
- On the PPSK Profile page, click Apply to save your configuration.
Create New Wireless Network with PPSK without RADIUS
- Go to Settings > Wireless Networks. Click +Create New Wireless Network.
- Enter the SSID and choose PPSK without RADIUS for Security. Choose the PPSK profile created. Other advanced settings can be configured based on your own needs.
- Click Apply. The SSID “PPSK without RADIUS” has been created under the WLAN Group.
Configure PPSK with RADIUS
For PPSK with RADIUS, here are a few points to note.
- EAP works as a Network Access Server (NAS). Thus, you need to first create Network Access Servers (or RADIUS clients) in the RADIUS server to allow the EAPs to submit authentication requests.
- When a user connects to the SSID, the EAP will submit the User-Name (the MAC address of the user) and User-Password to the RADIUS server for authentication.
The configuration overview is as follows:
- Set Up a RADIUS Server.
- Create a RADIUS Profile.
- Create a New Wireless Network with PPSK with RADIUS.
Set Up a RADIUS Server
- Run a RADIUS server. Here we use the FreeRADIUS® server on a Linux server as an example.
- Edit the “clients.conf” file. Assume that the EAPs are located in the network 192.168.0.0/24, and the shared secret used for communication between the EAPs and the RADIUS server is “tplink”.
- Edit the “users” file as follows.
When the user with the MAC address “00:66:19:8a:06:37” attempts to connect to the SSID, it will need to submit “123_tplink” as the password to be authenticated. When the user with the MAC address “d0:a6:37:83:da:99” uses the password “456_tplink”, it will be authenticated and connected to the network of VLAN 10. When the user with an unknown MAC address submits the default password “789_tplink”, it will be connected to the network of VLAN 20.
Note:
- The MAC address can have different formats and the NAS will send the MAC address in the specific format set in the Controller. Here we use the default format of “aa:bb:cc:dd:ee:ff”.
- The tunnel-password should range from 8 to 63 characters.
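The users-file entries described above can be generated and checked before they reach the server. This is an added example, not configuration from the original guide or from TP-Link; the function names are hypothetical, and the entry layout (the MAC as both user name and Cleartext-Password, the passphrase returned in Tunnel-Password, `Auth-Type := Accept` for the DEFAULT entry) is an assumption based on the notes in this guide.

```python
import re

def normalize_mac(mac):
    """Return the MAC in the Controller's default aa:bb:cc:dd:ee:ff format."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def stanza(mac, psk, vlan=None):
    """One users-file entry; mac=None yields the DEFAULT (unknown MAC) entry."""
    ok = 8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()
    if not ok or '"' in psk or "\\" in psk:  # quote/backslash would need escaping
        raise ValueError("need 8 to 63 printable ASCII chars, no quote or backslash")
    # Assumption: the EAP sends the MAC as both User-Name and User-Password,
    # and unlisted MACs are accepted so they receive the default passphrase.
    head = ("DEFAULT Auth-Type := Accept" if mac is None
            else f'{mac} Cleartext-Password := "{mac}"')
    reply = []
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlan}")
        reply += ["Tunnel-Type = VLAN", "Tunnel-Medium-Type = IEEE-802",
                  f'Tunnel-Private-Group-Id = "{vlan}"']
    reply.append(f'Tunnel-Password = "{psk}"')
    return head + "\n" + ",\n".join("\t" + r for r in reply) + "\n"

def build_users(entries):
    """entries: (mac or None, passphrase, vlan or None); DEFAULT is written last."""
    seen, known, default = set(), [], []
    for mac, psk, vlan in entries:
        if mac is None:
            default.append(stanza(None, psk, vlan))
            continue
        mac = normalize_mac(mac)
        if mac in seen:  # first match wins, so a second entry would be dead
            raise ValueError(f"duplicate MAC: {mac}")
        seen.add(mac)
        known.append(stanza(mac, psk, vlan))
    if len(default) > 1:
        raise ValueError("only one DEFAULT entry is allowed")
    return "\n".join(known + default)

# The three cases the guide describes, deliberately listed out of order.
ENTRIES = [(None, "789_tplink", 20),
           ("00-66-19-8A-06-37", "123_tplink", None),
           ("d0:a6:37:83:da:99", "456_tplink", 10)]
if __name__ == "__main__":
    print(build_users(ENTRIES))
```

The DEFAULT entry accepts every unlisted MAC at the RADIUS layer, so the passphrase it returns is the only control on that VLAN.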
Create a RADIUS Profile
- Launch your Omada Controller, select a site from the drop-down list of Organization in the top-right corner, and go to Settings > Profiles > RADIUS Profile. There is already a built-in RADIUS profile (for Software/Hardware Controller only). To configure PPSK, you need to create a new RADIUS profile.
- Click +Create New RADIUS Profile. Enter a name for the new profile. Check Enable VLAN Assignment for Wireless Network if necessary.
Note:
The VLAN Assignment feature allows the RADIUS server to assign a wireless user into the specific VLAN based on the credentials supplied by the user. To use the feature, you should create VLAN interfaces first (refer to 2.3 Create Interfaces for VLAN Assignments (Optional)), and the user-to-VLAN mappings must be already stored in the RADIUS server database.
- Enter the IP address of the RADIUS authentication server, the UDP destination port on the authentication server for authentication requests, and the password (shared secret) that will be used to validate the communication between network devices (EAPs) and the RADIUS authentication server.
- Save your settings and a new RADIUS profile will be created.
Create New Wireless Network with PPSK with RADIUS
- Go to Settings > Wireless Networks. Click +Create New Wireless Network.
- Enter the SSID and choose PPSK with RADIUS for Security. Choose the RADIUS profile created and the Authentication Type. Enter the NAS ID based on your own needs. This field is optional. Choose the MAC address format. The default format is “aa:bb:cc:dd:ee:ff”. Other advanced settings can be configured based on your own needs.
Authentication Type:
- Generic Radius with bound MAC: This type needs to specify device MAC addresses.
- EKMS: The EKMS (Eleven Key Matching Service) authentication type is used to connect to the ElevenOS server.
- Generic Radius with unbound MAC: This type does not need to specify device MAC addresses.
- Note: All authentication types are available on the Omada Controller (version 5.14.20 or above) and the Omada Pro Controller.
- Click Apply to save your configuration. The SSID “PPSK with RADIUS” has been created under the WLAN Group.
Note:
- The Controller will convert the MAC address into the selected format and use it as the username and password to request RADIUS access for authentication.
Create Interfaces for VLAN Assignments (Optional)
- Go to Settings > Wired Networks > LAN and click +Create New LAN.
- Enter a name for the LAN, choose Interface for the Purpose, and enter the VLAN ID. Enter the IP address and subnet mask of the default gateway.
- Other settings can be kept by default or configured according to your own needs. Click Save to create the interface. More interfaces can be created through the same process.
Test the Configuration
After completing the PPSK configuration, you can test whether the SSIDs work normally. Follow these steps to test the PPSK configuration in the SSIDs:
- Test the SSID “PPSK without RADIUS”.
- Test the SSID “PPSK with RADIUS”.
Test the SSID “PPSK without RADIUS”
According to the following PPSK profile, test the SSID “PPSK without RADIUS” with these steps:
- Connect the mobile phone with the MAC address 00:66:19:8a:06:37 to the SSID “PPSK without RADIUS” by using the passphrase “123_tplink”. The phone is successfully connected to the wireless network and its IP address is assigned within the default LAN network (192.168.0.103).
- Connect the mobile phone with the MAC address a8:fe:9d:c3:a1:c0 to the same SSID by using the passphrase “456_tplink”. The phone is successfully connected to the wireless network and its IP address is assigned within the VLAN 10 network (192.168.10.7).
- Connect the mobile phone with an unknown MAC address to the same SSID by using the passphrase “789_tplink”. The phone is successfully connected to the wireless network and its IP address is assigned within the VLAN 20 network (192.168.20.5).
Test the SSID “PPSK with RADIUS”
According to the following RADIUS server settings, test the SSID “PPSK with RADIUS” with these steps:
- Connect the mobile phone with the MAC address 00:66:19:8a:06:37 to the SSID “PPSK with RADIUS” by using the passphrase “123_tplink”. The phone is successfully connected to the wireless network and its IP address is assigned within the default LAN network (192.168.0.103).
- Connect the mobile phone with the MAC address d0:a6:37:83:da:99 to the same SSID by using the passphrase “456_tplink”. The phone is successfully connected to the wireless network and its IP address is assigned within the VLAN 10 network (192.168.10.8).
- Connect the mobile phone with an unknown MAC address to the same SSID by using the passphrase “789_tplink”. The phone is successfully connected to the wireless network and its IP address is assigned within the VLAN 20 network (192.168.20.4).