Can't get WiFi dynamic VLAN assignment to work
I am trying to set up dynamic VLAN assignments on a single SSID but can't get anything to work.
MAC-based authentication is not suitable because I want to have many and arbitrary devices connect into a few sets of VLANs where I won't know the MAC addresses beforehand.
Setup
| Device | Hardware revision | Firmware/Software version |
|---|---|---|
| Controller | Docker | 5.7.4 |
| EAP650(EU) | v1.0 | 1.0.3 |
| EAP670(EU) | v1.0 | 1.0.3 |
Everything is on the latest version as of now.
Both EAP devices behave exactly the same in all of my tests.
Attempt 1: RADIUS
I tried following https://www.tp-link.com/us/support/faq/3152/ and an awful lot of Googling. The RADIUS authentication is working and shows correctly in both the Omada & FreeRADIUS logs as accepting/rejecting valid/invalid logins.
To my untrained eye, the RADIUS handshake and response look correct and have the 3 attributes mentioned in that guide that are required to make the VLAN assignment work.
And the RADIUS profile has VLAN assignment enabled.
I also have the VLANs defined for wired networks. I'm not sure if that matters or not but I've tried not having it defined, having it defined as an interface or a VLAN.
Attempt 2: PPSK
I had 2 issues with this while following https://www.tp-link.com/uk/support/faq/3386/.
- My devices don't seem to support it (yet). If I enable this on either the EAP650 or EAP670 then they stop broadcasting the SSID. I found a thread on Reddit where someone said this means it is not yet supported on my firmware but TP-Link are planning on bringing it to all EAP6xx models at some stage.
- It seems to not support 6 GHz WiFi. I only get the option for PPSK security if I untick 6 GHz. This is not a big problem since none of my current devices support 6 GHz but this may become a problem in the future if it is a limitation of 6 GHz in general when I want to add/upgrade hardware.
Attempt 3: Static VLAN
Just for the purpose of testing, I tried setting a static VLAN for the wireless network and this worked as expected. The AP itself uses untagged packets while client device traffic is tagged as VLAN 7.
This obviously doesn't meet my requirements though, so is not a viable solution unless I go the horrible route of lots of SSIDs.
Questions
- Do my EAP650 & EAP670 devices actually support dynamic VLAN assignment based on RADIUS? I note that the WebUI says that only some devices support it and to make sure the firmware is the latest, and I see from Googling around that other features like PPSK & MAC-based RADIUS are quite new and not supported by all devices, but I can't find a list of what devices support what features, and the WebUI provides no indication that some or all of my APs may not support the features enabled.
- Is there a way for me to further debug this myself in Omada? From the RADIUS side I can check the logs, test auth with radtest/radclient and can look at packet captures to ensure the RADIUS server is working as expected but all I can see in Omada are the Logs/Events that say "X was authenticated with the username Y to AP with SSID ...". Are there debug logs or anything else I can enable to get better diagnostics?
- Is there a way to force VLAN assignment? The WebUI option is to enable it but during my troubleshooting I found lots of people saying that it randomly fails either because of bugs with Omada firmware or misconfiguration or upgrades on the RADIUS server. I don't want devices accidentally or spuriously going untagged.
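The RADIUS-side check described in Attempt 1 and asked about in the second question, as an added example that is not part of the original post and is not TP-Link, Omada or FreeRADIUS code: a small Python checker that parses a raw RADIUS Access-Accept and reports whether it carries the three RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id) in a form an access point can act on, including the two things that commonly go wrong in practice: a missing attribute and mismatched RFC 2868 tag bytes. The sample packets are constructed inline (zeroed authenticator), not captures from the poster's server, and the checker assumes the VLAN is sent as a numeric id rather than a name. To use it on a real reply, pass the raw bytes of the Access-Accept from the packet capture mentioned above to `vlan_from_accept`.

```python
import struct
from typing import Dict, List, Tuple

# RADIUS packet code and attribute numbers (RFC 2865 / RFC 2868 / RFC 3580)
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"


def parse_radius(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a raw RADIUS packet into (code, [(attr_type, raw_value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"RADIUS length field {length} does not fit the packet")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20                                     # skip code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def _tagged_int(value: bytes) -> Tuple[int, int]:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be exactly 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value: bytes) -> Tuple[int, str]:
    """RFC 2868 tagged string: the tag byte is only present when it is <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def vlan_from_accept(packet: bytes) -> Dict[str, object]:
    """Report whether an Access-Accept carries a VLAN assignment the AP can act on.

    Returns {"vlan": "<id>" or None, "problems": [reasons the AP may ignore it]}.
    """
    code, attrs = parse_radius(packet)
    problems: List[str] = []
    if code != ACCESS_ACCEPT:
        problems.append(f"packet code {code} is not Access-Accept ({ACCESS_ACCEPT})")

    ttype = tmedium = tgroup = None
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            ttype = _tagged_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            tmedium = _tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tgroup = _tagged_string(value)

    if ttype is None:
        problems.append("Tunnel-Type (64) missing")
    elif ttype[1] != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type is {ttype[1]}, expected VLAN ({TUNNEL_TYPE_VLAN})")
    if tmedium is None:
        problems.append("Tunnel-Medium-Type (65) missing")
    elif tmedium[1] != TUNNEL_MEDIUM_IEEE_802:
        problems.append(f"Tunnel-Medium-Type is {tmedium[1]}, expected IEEE-802 ({TUNNEL_MEDIUM_IEEE_802})")
    if tgroup is None:
        problems.append("Tunnel-Private-Group-ID (81) missing")
    elif not tgroup[1].isdigit() or not 1 <= int(tgroup[1]) <= 4094:
        problems.append(f"Tunnel-Private-Group-ID {tgroup[1]!r} is not a VLAN id in 1..4094")

    # The three attributes describe one tunnel only if their tag bytes agree.
    tags = {t[0] for t in (ttype, tmedium, tgroup) if t is not None}
    if len(tags) > 1:
        problems.append(f"tunnel attributes carry different tags {sorted(tags)}")

    vlan = tgroup[1] if tgroup is not None and not problems else None
    return {"vlan": vlan, "problems": problems}


def build_accept(attrs: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Build a sample Access-Accept (zeroed authenticator) so the checker can run offline."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample replies, not captures from the poster's FreeRADIUS server.
GOOD_ACCEPT = build_accept([
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),          # tag 0, VLAN
    (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),   # tag 0, IEEE-802
    (TUNNEL_PRIVATE_GROUP_ID, b"7"),             # untagged string "7"
])
NO_GROUP_ACCEPT = build_accept([
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ACCEPT), ("no-group", NO_GROUP_ACCEPT)):
        print(name, vlan_from_accept(pkt))
```

A reply that passes this check but still leaves the client untagged on the AP points the finger at the controller or AP side (feature support, firmware), which is the distinction the third question is asking about; a reply that fails it is a RADIUS configuration problem and can be fixed before touching Omada.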