@pauld123 

Hi,

Omada Controller and EAP don't support dynamic VLAN. When we configure SSIDs, we can set VLAN for each SSID. In this situation, our clients will belong to different VLANs when connecting to different SSIDs. So why do you want dynamic VLAN on the Omada Controller and EAP?

About the second question, we can use a signal RADIUS server for both SSIDs. You just input the IP of the server and that will be ok. 

@forrest Yes, I am currently trying to get it all working using two SSIDs with different VLANs. Not too much of a problem for me because I only need 2 or possibly 3 different VLANs, however, if you needed more it would get a pain to keep setting up SSIDs for each VLAN. As RADIUS appears to have the option to configure a VLAN for a user, it would be nice to just be able to exploit that.

More of a problem is the RADIUS config when using two SSIDs with the same RADIUS server. I'm not using the external radius as shown in your example, I am using WPA2-Enterprise to connect to the RADIUS, because I want the encryption on the connection. I have both SSIDs pointing at the same freeradius server. I have managed to pull out the SSID that is being connected to on the freeradius side of things, but then I need to restrict which users can connect to each SSID. There is no point just connecting two SSIDs to a single radius server, and allowing all users to be able to connect to both SSIDs! I need to only allow a subset of users to connect to each SSID. I've been trying to get that working for multiple hours, getting closer to get it working, but still not there. That of course is a freeradius config issue, nothing to do with TP-Link... but if I could have just passed back the VLAN from freeradius to Omada/EAP then it would have probably been a whole lot easier.

Thanks

Paul

@forrest a reason for dynamic vlan is the limitation to 8 ssid's and just for security reasons. Dynamic VLAN is a common configuration and not an exotic voodoo thing. 

We also just bought a lot EAP devices to extend our network and just recognized, that dynamic VLAN is not working. Also we cannot reduce our VLANs to a value, that allows to assign each vlan to one ssid. It is not only an administrative pain, it will compromize our security model.

After SSHing to an EAP225, I recognized how the network stack seem to work and that each ssid is assigned to a virtual ath device. Therefore dynamic vlan cannot work, because of missing bridge capabilities and kernel limitations and some other stuff. In a popular OpenSource firmware, we solved this a long time ago by limiting the possible dynamic vlan usecase to one single ssid and creating a virtual bridge, not a virtual interface, inherting possible vlans. Therefore dynamic vlan can work on a single ssid, solving some thousand problems at different kind of usecases, which are in need of dynamic vlan capabilities.

Today, dynamic vlan is a must have, not a maybe - lets think about it - feature.

It could not be a solution, to have 20 or more ssid's, bound to static vlan ids.

An easy way exists, which has just to be gone. And if not, the keyword is "ShopReturnService". Fortunally, in germany we could return our goods up to 30 days and for just a few Euros more, there are devices with similar capabilities, which support dynamic vlan. Hopefully, TP-Link will not make the same mistake as of their Archer C7, where anything after V2 has less features and capabilities than their predecessor, ignoring what customers really wanted and said.

What about current Omada 4.1.5 release? Is it possible to use dynamic VLANs? If not when will it be available?

@pauld123 

hello,

anyone solve this issue?

thanks

Marco