Hi  @Virgo thanks for replying.

I have seen screen shots like this, and I'm a bit confused about them.

The HTTP interface of my EAP653 looks very different from the screenshot from your link. In the settings from e.g. your link there seems to be a Radius Profile that you then associate with an SSID. In my AP, I must define the Radius settings directly when defining the SSID. Also, my AP has far fewer Radius settings than the one you posted:

I'm sorry if I'm stuck with some trivial issue, but I'm rather new to TP-Link APs (not to WiFi per se), so I might simply overlook something that is obvious to others.

Is the setting from your link from a standalone EAP653 or from Omada? Or is there something like an "advanced config mode" hidden in the UI?

Thanks,

  @Virgo 

Yes, I want to set up the AP in standalone mode, as per title. Setting up and maintaining an Omada instance to control a single device (the EAP653) sounds like a silly thing to do and is extra work I'd like to avoid.

The Standalone UI does not have an option to configure 802.11r, and the dynamic VLAN functionality seems to be unavailable too, as I feared in my initial post.

It seems to become clear that many advertised features are not available in Standalone mode. I'm rather disappointed in TP-Link at this point, and unfortunately it is too late for me to return the device. Unfortunately, OpenWRT does not support this hardware (yet). I guess I have to write that off as a learning exercise and look for a better alternative somewhere else.

Many thanks for your help though!

  @Tjure 

I can't help you specifically, I'm using EAP670s/controller though I do use FreeRADIUS, dynamic VLAN and don't use their router. One thing though that I don't see in your posts and I apologize if it's obvious and you've already tested this, but is wireless VLAN tagging working on your network period? Like, if you create an SSID and just manually assign it a network so that everything that connects to it should get tagged, do connected devices end up on the VLAN you want? If you have done that and it works then that should eliminate that variable, but if you haven't worth double checking that the problem isn't with dynamic VLAN assignment but with tagging period. I've never bothered with standalone since I'm managing dozens to hundreds of devices and it's easy to spin up a container or VM for the controller, but at least with the controller it's necessarily to explicitly setup virtual networks for each VLAN even if everything is then going to an OPNsense router where all the actual work is done. I can't just setup WPA-Enterprise and RADIUS and be done with it assigning whatever tags come from RADIUS, I have to do the minimum shell double config between omada and OPNsense on top. I did have a time where I'd added new VLANs and then was confused why it wasn't working, before remembering that I needed to add them in omada as well so that it'd configure WAPs/switches with them. Since the controller is just central config application, my assumption would be you need to do something like that in standalone too and also setup virtual networks on each WAP/switch.

Anyway like I said if you already did all that and tagged traffic is flowing with static assignment that clearly narrows down the problem. But something to try if you haven't. You could also try PPSK as an alternative/addition, I use both myself. WPA-EAP supports WiFi 6/7 an full PMF, good for full regular clients and speed/protection, but nearly zero appliances/IOT stuff supports 802.1x, so PPSK on a minimal 2.4-only IOT SSID is a nice way to still let me isolate those. Good luck.

Hi  @sonaric ,

thanks for your answer. True, I did not mention my VLAN setup: I have 3 VLANs, 10, 11 and 12 that are trunked to the EAP.

VLAN 10 is the "lan" network, and I have also defined it as the management VLAN for the EAP.

I have tested the VLANs by using the SSID-to-VLAN feature that the Standalone UI offers, and I have confirmed that a connected station ends up on the static configured VLAN.

So I'm pretty sure now that the dynamic VLAN feature is simply not available in the Standalone setup.

Facing the same issue with my Omada EAPs, one model is the EAP653 as well. In standalone mode, Dynamic VLAN does not work out of the box. Then, I went for the Omada SDN Controller and it worked instantly. By the way, to avoid a possible misunderstanding, the controller does not have to run all the time. And that controller ‘just’ sets items on the access point via command line. Perhaps, perhaps, it might be possible to replicate that. Of course, one workaround would be to use several SSIDs, one for each VLAN. Ideally, the Omada support team is able to create a Feature Request internally. @amlanhldr raised that request in May 2020 too …