Can't get WiFi dynamic VLAN assignment to work
I am trying to set up dynamic VLAN assignments on a single SSID but can't get anything to work.
MAC-based authentication is not suitable because I want to have many and arbitrary devices connect into a few sets of VLANs where I won't know the MAC addresses beforehand.
Setup
Device | Hardware revision | Firmware/Software version |
---|---|---|
Controller | Docker | 5.7.4 |
EAP650(EU) | v1.0 | 1.0.3 |
EAP670(EU) | v1.0 | 1.0.3 |
Everything is on the latest version as of now.
Both EAP devices behave exactly the same in all of my tests.
Attempt 1: RADIUS
I tried following https://www.tp-link.com/us/support/faq/3152/ and an awful lot of Googling. The RADIUS authentication is working and shows correctly in both the Omada & FreeRADIUS logs as accepting/rejecting valid/invalid logins.
To my untrained eye, the RADIUS handshake and response looks correct, and has the 3 attributes mentioned in that guide required to make the VLAN assignment work.
And the RADIUS profile has VLAN assignment enabled
I also have the VLANs defined for wired networks. I'm not sure if that matters or not but I've tried not having it defined, having it defined as an interface or a VLAN.
Attempt 2: PPSK
I had 2 issues with this while following https://www.tp-link.com/uk/support/faq/3386/.
- My devices don't seem to support it (yet). If I enable this on either the EAP650 or EAP670 then they stop broadcasting the SSID. I found a thread on Reddit where someone said this means it is not yet supported on my firmware but TP-Link are planning on bringing it to all EAP6xx models at some stage.
- It seems to not support 6 GHz WiFi. I only get the option for PPSK security if I untick 6 GHz. This is not a big problem since none of my current devices support 6 GHz but this may become a problem in the future if it is a limitation of 6 GHz in general when I want to add/upgrade hardware.
Attempt 3: Static VLAN
Just for the purpose of testing, I tried setting a static VLAN for the wireless network and this worked as expected. The AP itself uses untagged packets while client device traffic is tagged as VLAN 7.
This obviously doesn't meet my requirements though, so is not a viable solution unless I go the horrible route of lots of SSIDs.
Questions
- Do my EAP650 & EAP670 devices actually support dynamic VLAN assignment based on RADIUS? I note that the WebUI says only some devices support it and make sure the firmware is the latest, and I see some from Googling around that other features like PPSK & MAC-based RADIUS are quite new and not supported by all devices but I can't find a list of what devices support what features and the WebUI provides no indication that some or all of my APs may not support the features enabled.
- Is there a way for me to further debug this myself in Omada? From the RADIUS side I can check the logs, test auth with radtest/radclient and can look at packet captures to ensure the RADIUS server is working as expected but all I can see in Omada are the Logs/Events that say "X was authenticated with the username Y to AP with SSID ...". Are there debug logs or anything else I can enable to get better diagnostics?
- Is there a way to force VLAN assignment? The WebUI option is to enable it but during my troubleshooting I found lots of people saying that it randomly fails either because of bugs with Omada firmware or misconfiguration or upgrades on the RADIUS server. I don't want devices accidentally or spuriously going untagged.
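An added example, not part of the original post: a Python check that decodes a RADIUS Access-Accept taken from a packet capture and reports whether it carries a usable VLAN assignment. It assumes the three attributes in question are the RFC 3580 ones (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); the sample packets are constructed and all function names are hypothetical.

```python
import struct

# Attribute numbers and values from RFC 2865/2868/3580 (assumed to be the three the post means).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} for a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("truncated attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type and Tunnel-Medium-Type carry 1 tag byte + a 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else -1

def assigned_vlan(packet: bytes):
    """Return (vlan_id, []) or (None, problems); None means no usable VLAN."""
    attrs, problems = parse_attributes(packet), []
    if [tagged_int(v) for v in attrs.get(TUNNEL_TYPE, [])] != [VLAN]:
        problems.append("Tunnel-Type must be VLAN (13)")
    if [tagged_int(v) for v in attrs.get(TUNNEL_MEDIUM_TYPE, [])] != [IEEE_802]:
        problems.append("Tunnel-Medium-Type must be IEEE-802 (6)")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if group[:1] and group[0] <= 0x1F:      # optional leading tag byte
        group = group[1:]
    if not (group.isdigit() and 1 <= int(group) <= 4094):
        problems.append("Tunnel-Private-Group-ID must be a VLAN ID 1-4094")
    return (None, problems) if problems else (int(group), [])

def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def build_accept(attributes) -> bytes:
    """Constructed sample packet; the authenticator is zeroed and not verified."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

VLAN_TYPE, MEDIUM_802 = attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06")
GOOD = build_accept([VLAN_TYPE, MEDIUM_802, attr(81, b"7")])
NO_GROUP = build_accept([VLAN_TYPE, MEDIUM_802])
```

Running `assigned_vlan` over every Access-Accept in a capture separates a RADIUS-side fault (a `None` result with a reason) from an AP-side one (a valid VLAN ID returned, yet the client's traffic leaves untagged).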
@Hank21 Any update concerning the new Firmware without bugs?
@JoeSea Where can you see a new firmware?
@Spryde I have it on my Omada Devices page. I have new updates for 650(US) and 615-Wall(US). I'm running an OC200 with v5.7.
650 new firmware 1.0.6 Build 20220921 Rel. 73404
615-Wall new firmware 1.1.3 Build 20220921 Rel. 73949
I don't know why these firmwares are not showing on the support pages yet, that is an odd thing.
@JoeSea This firmware version was already released by beginning of December 22 as you can see here:
https://www.tp-link.com/de/support/download/eap650/v1/#Firmware
And it is not working as supposed.
@bsz So that is odd, the global and US sites pulled the 1.0.6 firmwares. The Global site does now show the firmware with the old date, but it was not there earlier this week. And as of today, the US site is still not showing the firmware. So TPLink has done something with the firmware, but not changed its rev number, or build date (I don't recall what the older build number was). So far this rerelease is working, so perhaps in the firmware release there is an install script that needed changing, that doesn't really change the underlying AP firmware code.
I've installed the 1.0.6 firmware on both EAP650 & EAP670 and can confirm that the dynamic VLAN assignment with RADIUS is working now as I expect and the weird management VLAN issue I was having is no longer happening.
I've given it a bit of a test but far from extensive and not found any issues. Perhaps there's some other issue with the firmware that is holding them back from making the release fully available but at least for now it's working for me.
I got the firmware from the support website https://www.tp-link.com/au/support/download/eap650/v1/#Firmware & https://www.tp-link.com/au/support/download/eap670/v1/#Firmware (which is for AU version of rev1.0 hardware for both models).