Same MAC Address in Multiple Sites with Built-in Radius Server

2 weeks ago
Tags: #RADIUS
Model: OC300  
Hardware Version: V1
Firmware Version: 1.22.4 Build 20240304 Rel.59252

Hi all,

I'm trying to configure the same MAC address on multiple sites by using the same RADIUS Built-In server, but it errors out saying that this is NOT possible.

 

The scenario is the following: I have a device (an iPhone in this example) which can be connected to WLAN at both of my sites, ofc one site at a time!

However, it seems this is not possible.

 

Is it a limitation which can be fixed in the future?

 

Thank you,

Fra

#1
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

 

Hi @nicolati 

May I know which feature you have applied with the RADIUS server? Could you share some screenshots of the settings page? Please help to confirm more details so that I can try to forward your request. Thanks.

Best Regards!

#2
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

@Hank21 

Hi Hank,

Sure, this is my Built-In RADIUS Server in the OC300 controller.

 

 

Thank you,

Fra

#3
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

  @nicolati 

 

The problem with the built-in RADIUS server is that if you create a RADIUS account on a site, that user will be able to log in to all sites with a RADIUS server configured. The same applies to usernames: if you create a user, xxx, you cannot create another user with the same name.
So all sites share the same RADIUS server. You can also share this RADIUS server with other RADIUS-compatible devices, e.g. UniFi.

 

This happens if you try to create a user in another site with the same username.

 

 

 

If you have several customers on such a solution, it is important to be aware that a user customer-a can log in to customer-b without problems.
So the solution is not built for cross-site security.

 

#4
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

  @MR.S 

Hi MR.S,

I understand your point, but in that case I would have expected to have the UI to insert users (MAC Addresses) at Server level, not site level.

Also, in my scenario, it would be ok to have a centralized user list to be used across all sites.

But this also seems not possible.

 

Thank you,

Fra

#5
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

  @nicolati 

 

Yes, the whole RADIUS server is a bit wrongly designed. It works well if you know about the limitations. I don't know if TP-Link even knows about this. I agree with you, users could well be on the RADIUS server. Now it's a bit scary, since most people think that a RADIUS user can only log in to the site where the user was created, but that is not the case.

As it is now, you can create users in any site you want, then log on to all sites that have a RADIUS configuration, e.g. a WPA-Enterprise SSID.

 

 

#6
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

  @MR.S 

I can add one thing! :)

Since we can assign VLANs, what happens when a device is authorized on a site on a certain VLAN (but we know it can access another site) and on the other site that VLAN is something else or doesn't even exist? :)

 

@Hank, please take into consideration a project for R&D where the RADIUS server gets unified entirely under the Controller side or split entirely under the Site side.

 

Thank you,

Fra

#7
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
2 weeks ago

  @nicolati 

 

If you assign a VLAN and the VLAN is not on the other site, RADIUS will approve the login, but you will not get an IP or be able to connect to this network.

 

#8
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
a week ago

  @nicolati 

I just tried with my iPhone and it works differently...

 

If I use the original non-private MAC Address, which is registered already on the other site, RADIUS doesn't let me log in.

Instead, if I use the private MAC Address, since it's new, I can register it to the RADIUS profile of this site and it works.

 

So, my conclusion is that:

- The server is one on the controller

- But the profile is one per site

- But they share the info, so it isn't possible to assign the same MAC Address to 2 Built-In RADIUS profiles

 

If this is confirmed, I would ask why? :)

 

Thank you,

Fra

#9
Re:Same MAC Address in Multiple Sites with Built-in Radius Server
a week ago

  @nicolati 

 

I haven't tested with MAC authentication, but I'm pretty sure there's no difference. Have you turned off random MAC address on your phone then? If it is on, you will get a new MAC every time you log on to an SSID.

 

 

#10