Dynamic VLAN assignment with RADIUS authentication
Hi everyone,
I have a small network of twenty-something clients, spread evenly between wired and wireless connections. The switch is a TL-SG2008P v3.0 and the EAP is an EAP653(EU) v1.0, both adopted by a software-based controller (ver. 5.9.9 at the time this is posted). Some other brands' managed switches are daisy-chained to the TL-SG2008P on some ports. The router is pfSense, which manages DHCP, VLANs and rules.
Four VLANs are configured, for managing the network and access segregation.
In a first setup, each wired client is assigned a VLAN through either the TL-SG2008P or a managed switch. Four SSIDs are created, each being assigned a VLAN.
Everything works perfectly.
However, I do not like having multiple SSIDs, which I find inelegant and difficult to explain to users.
I guessed that some form of dynamic VLAN attribution would be ideal. After some research, I learned about RADIUS authentication and 802.1X.
In a second setup, a FreeRADIUS server is created within the router (pfSense), and each switch and EAP is identified as a client to the FreeRADIUS server. The switches are configured with 802.1X. The EAP is configured to emit only one SSID with RADIUS identification and dynamic VLAN assignment.
Identification works flawlessly for each user created within the FreeRADIUS server. However, there is an issue with VLAN assignment.
Despite each user being assigned a VLAN within FreeRADIUS, the VLANs are not queried by either the switch or the EAP when requesting an IP address. I can monitor both the request for authentication and the response by the FreeRADIUS server. Users are authenticated upon request, and the response comprises the VLAN to be assigned to the user.
However, the DHCP request emitted by the EAP or the switch is lacking any VLAN information.
More precisely, in the first setup, all DHCP requests are formatted with VLAN information appended:
DHCPREQUEST for 10.0.50.80 from f0:cb:30:cc:84:3c via igb0.50
In the second setup, all DHCP requests are formatted without any VLAN information:
DHCPDISCOVER from f0:cb:30:cc:84:3c via igb0
then
DHCPOFFER on 10.0.0.114 to f0:cb:30:cc:84:3c via igb0
No matter what setting I alter, there is no VLAN information added to the DHCP request in the second setup.
In a third setup, I tried MAC-based identification applied to any of the SSIDs from the first setup.
The same FreeRADIUS server is unable to authenticate the users who were previously authenticated.
The FreeRADIUS message is:
Login incorrect (Failed retrieving values required to evaluate condition): [f0:cb:30:cc:84:3c] (from client OmadaEAP port 1 cli F0-Cb-30-CC-84-3C)
In this latter case, it doesn't matter how I format the MAC address in either the FreeRADIUS server or the Omada EAP settings; there is never a match.
I understand that neither setup being purely Omada or TP-Link based can be reason enough to turn this post down. However, after some research on different sites and on Reddit, I found several users reporting similar issues, beginning circa when RADIUS authentication was added.
tl;dr: I cannot obtain dynamic VLAN assignment with either wired or wireless clients authenticated by a RADIUS server, while having confirmed that said RADIUS server does communicate with the switch and EAP and authenticates users.
Is there an obvious reason for this behaviour, or does any of you have a hint why it doesn't work as intended? I can provide more information if needed.
Note: the MAC address used in the examples has been edited for this post.
Note 2: I tried unadopting the Omada switch and EAP and configuring them through their GUI. The result was inconclusive.
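Since the post confirms the Access-Accept carries a VLAN but the client still lands on the untagged network, one thing worth checking in the `radiusd -X` output is that the reply carries the complete RFC 3580 attribute set a switch or AP acts on (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, all with the same tag). The Python below is an added example, not code from the original post, TP-Link or the FreeRADIUS project; the debug lines it parses are constructed samples in FreeRADIUS 3.x debug format.

```python
import re

# RFC 3580 dynamic VLAN assignment: the NAS (switch or AP) acts on the VLAN only
# if the Access-Accept carries all three tunnel attributes with matching tags:
# Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "<id>".
EXPECTED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
SENT_RE = re.compile(r"^\s*(?:\(\d+\)\s*)?Sent (Access-\w+) Id \d+")
ATTR_RE = re.compile(r'^\s*(?:\(\d+\)\s*)?(?P<name>Tunnel-[\w-]+)(?::(?P<tag>\d+))?\s*=\s*"?(?P<val>[^"]+?)"?\s*$')

def check_vlan_reply(debug_output):
    """Parse one reply from 'radiusd -X' output and report whether it is a complete dynamic-VLAN Access-Accept."""
    result = {"code": None, "vlan": None, "missing": [], "tag_mismatch": False, "ok": False}
    attrs, in_reply = {}, False
    for line in debug_output.splitlines():
        m = SENT_RE.match(line)
        if m:                              # start of the reply packet
            result["code"], in_reply = m.group(1), True
            continue
        m = ATTR_RE.match(line) if in_reply else None
        if m:                              # one Tunnel-* reply attribute (tag defaults to 0)
            attrs[m["name"]] = (m["tag"] or "0", m["val"])
    if result["code"] != "Access-Accept":
        result["missing"].append("Access-Accept")
        return result
    for name, value in EXPECTED.items():
        if attrs.get(name, (None, None))[1] != value:
            result["missing"].append(name)
    if "Tunnel-Private-Group-Id" in attrs:
        result["vlan"] = attrs["Tunnel-Private-Group-Id"][1]
    else:
        result["missing"].append("Tunnel-Private-Group-Id")
    # all tunnel attributes must share one tag, or the NAS ignores the set
    result["tag_mismatch"] = len({tag for tag, _ in attrs.values()}) > 1
    result["ok"] = not result["missing"] and not result["tag_mismatch"]
    return result

# Constructed sample debug lines (not captured from the poster's setup).
GOOD_REPLY = """\
(0) Sent Access-Accept Id 42 from 10.0.0.1:1812 to 10.0.0.2:49152 length 0
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Private-Group-Id:0 = "50"
"""
INCOMPLETE_REPLY = """\
(1) Sent Access-Accept Id 43 from 10.0.0.1:1812 to 10.0.0.2:49152 length 0
(1)   Tunnel-Private-Group-Id:0 = "50"
"""

if __name__ == "__main__":
    print(check_vlan_reply(GOOD_REPLY))        # ok True, vlan "50"
    print(check_vlan_reply(INCOMPLETE_REPLY))  # ok False, Tunnel-Type and Tunnel-Medium-Type missing
```

An Access-Accept that lists only Tunnel-Private-Group-Id, or mixes tags across the three attributes, authenticates the user but gives the NAS nothing it will honour as a VLAN, which matches the symptom of a successful login followed by an untagged DHCP request.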