tp-link MAC-Based Authentication Configuration User Guide
- June 6, 2024
- tp-link
Table of Contents
MAC-Based Authentication
Configuration Guide
Overview
MAC-based authentication is an authentication method that controls users’
right to access networks based on their MAC addresses. With MAC-Based
Authentication enabled, the controller takes the wireless clients’ MAC
addresses as their usernames and passwords for authentication when the client
requests internet access for the first time. Clients can access the wireless
networks configured with MAC-based authentication after passing authentication
successfully.
MAC-based authentication method takes effect based on SSID. The MAC address is
used as username and password in the authentication process. When the MAC
address of the device is stored in the RADIUS server database and relevant
configurations are completed on the controller, the device can access the
internet without the need to enter the username and password. Meanwhile,
devices whose MAC addresses are not in the database will be denied. During the
process, the user does not need to manually enter the username or password,
and the wireless devices don’t need to install any client
software.
Example for Mac-based Authentication
Network Requirements
The network administrator wants to give a batch of wireless devices the right
to access the internet.
These devices should be authenticated before getting access to the internet.
For convenience, the authentication process is required to be operated
automatically, and no extra client software is needed on the device. To meet
the requirement, MAC-based authentication is recommended.
Configuration
MAC-based authentication authenticates the devices with their MAC address.
Check the MAC addresses of the devices in advance. FreeRADIUS is used for
demonstration in the configuration of MAC-based authentication with Omada SDN
Controller. The process includes three steps as below.
- Build a RADIUS server.
- Create a wireless network (SSID) and a RADIUS profile on the controller.
- Configure MAC-based authentication on the controller.
Take Omada Software Controller as an example, the network topology is shown as below.
-
Download FreeRADIUS.net and follow the wizard to install it.
-
Right-click the icon to load the following page. Choose Start FreeRADIUS.net Service to start the RADIUS server.
-
Right-click the icon and choose Edit Radius Clients. conf to add an entry for the RADIUS client.
One client section means a RADIUS client. You can choose one of the client sections and edit the following attributes, or add a new client section.
To avoid format error, it is recommended to use a code editor to edit the configuration file.
Notepad++ is used for demonstration in this guide. Edit or add the attributes and save the file.
The First Line| Define the RADIUS client, which is usually a NAS (Network Access Server), in the format of “client [hostname | ip-address]”. Here you should enter the IP addresses of the EAPs.
Note that FreeRADIUS supports entering IP addresses in the format of “IP/mask”, but other RADIUS servers may not support it. Check the supported format first when using other RADIUS servers.
---|---
Secret| Enter the shared key between the RADIUS server and the Controller. The RADIUS server and the Controller use the key string to encrypt passwords and exchange responses.
Shortname| (Optional) Enter a short name to identify the client section. -
Right-click the icon and choose Edit Users to add MAC addresses of the devices into the database.
-
Add the MAC addresses of the devices into the database as username and password. Note that the format of the MAC address should be 12 hexadecimal digits in lowercase without any punctuation or space.
-
Click Restart FreeRaDIUS.net Service to restart FreeRaDIUS.net for the newly edited code to take effect.
-
Go to Settings > Wireless Networks to create a wireless network.
-
Click + Create New Wireless Network to load the following page. Configure the basic parameters for the wireless network, and choose None as the security strategy.
Network Name (SSID )| Enter the network name (SSID) to identify the
wireless network. The MAC-based authentication takes effect based on SSIDs.
---|---
Band| Enable 2.4 GHz and/or 5 GHz radio band for the wireless network.
Guest Network| With Guest Network-enabled, all the clients connecting to
the SSID are blocked from reaching any private IP subnet.
Security| Select the security strategy for the wireless network.
When you want to use the SSID for MAC-based authentication, choose None as the
security strategy, otherwise, a client needs to pass both MAC-based
authentication and the security strategy you choose here before accessing the
internet.
3. Go to Settings > Authentication > RADIUS Profiles to create a RADIUS profile.
4. Click + Create New RADIUS Profile to load the following page. Configure the following parameters.
Name| Enter a name to identify the RADIUS profile.
---|---
Authentication Server IP| Enter the IP address of the authentication
server. Here enter the IP address of the computer on which you install the
freeRADIUS.net.
Authentication Port| Enter the UDP destination port on the
authentication server for authentication requests. Port 1812 is the default
port for RADIUS server authentication, so you can keep it in most cases.
Authentication Password| Enter the password that will be used to
validate the communication between Omada devices and the RADIUS authentication
server. Here enter the secret, namely the shared key you set in the free
radius.
-
Go to Settings > Authentication > MAC-Based Authentication to enable the feature.
-
Configure the following parameters.
SSID| Select one or more SSIDs for MAC-based authentication to take effect.
---|---
RADIUS Profile| Select the RADIUS profile you have created from the drop-down list. The RADIUS profile records the information of the RADIUS server which acts as the authentication server during MAC-based authentication.
MAC-Based
Authentication Fallback| If the wireless network is configured with both MAC-based authentication and portal authentication, when you enable this feature, a wireless client needs to pass only one authentication. The client tries MAC-based authentication first and is allowed to try Portal authentication if it failed the MAC-based authentication.
When you disable this feature as default, a wireless client needs to pass both the MACbased authentication and portal authentication for internet access and will be denied if it fails either of the authentications.
MAC Address Format| Select clients’ MAC address format which the controller uses for authentication. Then the controller will change the MAC addresses in the specified format, and they are used as usernames for the clients on the RADIUS server.
Here in freeRADIUS.net, the MAC addresses are stored in the format of aabbccddeeff (12 hexadecimal digits in lowercase with no punctuation or space).
Empty Password| Click to allow a blank password for MAC-based authentication. With this option disabled, the password will be the same as the username.
Verification of the Configuration
After all configurations are completed, you can follow the steps below to test whether the MAC-based authentication works.
- Search for the wireless network on the device whose MAC address has been added into the database of the RADIUS server.
- Select the SSID which you choose for MAC-based authentication to take effect.
- If the device connects to the SSID and has access to the internet, it means the device has passed the authentication.
Go to Clients and check, if the device is in the client list in the status of Connected, it means the device has passed the authentication.
Omada SDN Controller 4.1.5 or above
19110012900 REV1.0.0
© 2021 TP-Link
February 2021
Read User Manual Online (PDF format)
Read User Manual Online (PDF format) >>