Dynamic VLAN with Omada Controller and EAP225

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2019-11-06 12:54:32
Model: EAP225
Hardware Version: V3
Firmware Version:

I'm trying to set up a wireless network where I would like to assign different access rights to the network for a couple of groups of users. I would like to use RADIUS for the authentication. As far as I can tell, it isn't possible to use a dynamic VLAN assigned by the RADIUS server with the Omada Controller/EAP225, is that correct? Seems like it would be a really useful feature to add to a future update!

If I can't use a dynamic VLAN, I could of course use different SSIDs for each group, each with their own VLAN assigned in the controller. However, is it possible to then use a single RADIUS server for both SSIDs, and only allow appropriate users to access each SSID? I can't see how to configure the RADIUS server to pick up which SSID the access is coming from, and therefore only allow user1 on ssid1 and user2 on ssid2, but have them both in the same RADIUS. Anyone know how to do this, or got some pointers?

I'm using freeradius (running on pfSense).

Thanks

Paul

Re:Dynamic VLAN with Omada Controller and EAP225
2019-11-08 00:50:26

@pauld123

Hi,

Omada Controller and EAP don't support dynamic VLAN. When we configure SSIDs, we can set a VLAN for each SSID. In this situation, our clients will belong to different VLANs when connecting to different SSIDs. So why do you want dynamic VLAN on the Omada Controller and EAP?

About the second question, we can use a single RADIUS server for both SSIDs. You just input the IP of the server and that will be OK.

Re:Dynamic VLAN with Omada Controller and EAP225
2019-11-08 10:00:30

@forrest Yes, I am currently trying to get it all working using two SSIDs with different VLANs. Not too much of a problem for me because I only need 2 or possibly 3 different VLANs; however, if you needed more it would become a pain to keep setting up SSIDs for each VLAN. As RADIUS appears to have the option to configure a VLAN for a user, it would be nice to just be able to exploit that.

More of a problem is the RADIUS config when using two SSIDs with the same RADIUS server. I'm not using the external RADIUS as shown in your example; I am using WPA2-Enterprise to connect to the RADIUS, because I want the encryption on the connection. I have both SSIDs pointing at the same freeradius server. I have managed to pull out the SSID that is being connected to on the freeradius side of things, but then I need to restrict which users can connect to each SSID. There is no point just connecting two SSIDs to a single RADIUS server, and allowing all users to be able to connect to both SSIDs! I need to only allow a subset of users to connect to each SSID. I've been trying to get that working for multiple hours, getting closer to getting it working, but still not there. That of course is a freeradius config issue, nothing to do with TP-Link... but if I could have just passed back the VLAN from freeradius to Omada/EAP then it would have probably been a whole lot easier.

Thanks

Paul

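The per-SSID restriction discussed in the post above, as an added Python example that is not part of the thread and is not FreeRADIUS configuration: it models the decision one RADIUS server makes when two SSIDs point at it. It assumes the AP sends Called-Station-Id in the RFC 3580 form `MAC:SSID`; the user names, SSID names and VLAN IDs are constructed, and the RFC 3580 tunnel attributes in the reply only take effect on an access point that supports dynamic VLAN.

```python
import re

# Constructed policy: SSIDs each user may join and the VLAN they belong in.
POLICY = {
    "user1": {"ssids": {"ssid1"}, "vlan": 10},
    "user2": {"ssids": {"ssid2"}, "vlan": 20},
}

# RFC 3580 form: AP MAC address, optionally followed by ":" and the SSID.
_CALLED = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2})(?::(.+))?$")


def parse_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when the AP appended no SSID."""
    m = _CALLED.match(value)
    if not m:
        raise ValueError("unrecognised Called-Station-Id: %r" % value)
    return re.sub(r"[-:]", "", m.group(1)).upper(), m.group(2)


def authorize(user, called_station_id):
    """Decide for an authenticated user; anything unknown is rejected.

    `user` must be the identity the EAP method authenticated (the inner
    identity for PEAP/TTLS), not the client-chosen outer identity.
    """
    try:
        _, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return {"code": "Access-Reject", "reason": "bad Called-Station-Id"}
    entry = POLICY.get(user)
    if entry is None or ssid not in entry["ssids"]:
        return {"code": "Access-Reject", "reason": "user not allowed on SSID"}
    return {
        "code": "Access-Accept",
        # RFC 3580 VLAN assignment; an AP without dynamic VLAN ignores these.
        "Tunnel-Type": 13,           # VLAN
        "Tunnel-Medium-Type": 6,     # IEEE-802
        "Tunnel-Private-Group-Id": str(entry["vlan"]),
    }


if __name__ == "__main__":
    # Constructed requests: (authenticated user, Called-Station-Id from the AP).
    for user, csid in [("user1", "AA-BB-CC-DD-EE-FF:ssid1"),
                       ("user1", "AA-BB-CC-DD-EE-FF:ssid2"),
                       ("user2", "aa:bb:cc:dd:ee:ff:ssid2"),
                       ("user2", "AA-BB-CC-DD-EE-FF")]:
        print(user, csid, authorize(user, csid))
```

A request whose Called-Station-Id carries no SSID, or that cannot be parsed, is rejected rather than allowed, so a misconfigured AP cannot bypass the per-SSID check.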
Re:Dynamic VLAN with Omada Controller and EAP225
2019-12-14 00:54:25

@forrest A reason for dynamic VLAN is the limitation to 8 SSIDs, and just for security reasons. Dynamic VLAN is a common configuration and not an exotic voodoo thing.

We also just bought a lot of EAP devices to extend our network and just recognized that dynamic VLAN is not working. Also, we cannot reduce our VLANs to a value that allows assigning each VLAN to one SSID. It is not only an administrative pain, it will compromise our security model.

After SSHing to an EAP225, I recognized how the network stack seems to work and that each SSID is assigned to a virtual ath device. Therefore dynamic VLAN cannot work, because of missing bridge capabilities and kernel limitations and some other stuff. In a popular open-source firmware, we solved this a long time ago by limiting the possible dynamic VLAN use case to one single SSID and creating a virtual bridge, not a virtual interface, inheriting possible VLANs. Therefore dynamic VLAN can work on a single SSID, solving some thousand problems in different kinds of use cases which are in need of dynamic VLAN capabilities.

Today, dynamic VLAN is a must-have, not a "maybe, let's think about it" feature.

It could not be a solution to have 20 or more SSIDs bound to static VLAN IDs.

An easy way exists, which has just to be gone. And if not, the keyword is "ShopReturnService". Fortunately, in Germany we could return our goods up to 30 days and for just a few Euros more, there are devices with similar capabilities which support dynamic VLAN. Hopefully, TP-Link will not make the same mistake as with their Archer C7, where anything after V2 has fewer features and capabilities than its predecessor, ignoring what customers really wanted and said.

Re:Dynamic VLAN with Omada Controller and EAP225
2020-09-27 19:40:53

What about the current Omada 4.1.5 release? Is it possible to use dynamic VLANs? If not, when will it be available?

Re:Dynamic VLAN with Omada Controller and EAP225
2021-03-23 15:55:23

@pauld123

Hello,

Anyone solve this issue?

thanks

Marco
