Enable 802.1X using built-in Omada Features [no 3rd party RADIUS server], Dynamic VLAN ID
Part 1 - Introduction
Do you need 802.1X at your home LAN?
It depends. For a simple LAN, probably not. But if you need to secure your wired network infrastructure (e.g. someone could unplug your outdoor camera and plug in their own device, or you have an exposed managed network switch in your home lab and you don't want your LAN party buddies to connect there without your knowledge), then this is a pretty solid option.
Special Bonus: the VLAN is assigned dynamically based on the credential (i.e. the same port can be VLAN 10, 20, etc. without manual configuration; the VLAN ID is based on the user).
If you would like to know more about 802.1X, from IEEE -
"Port-based network access control allows a network administrator to restrict the use of IEEE 802(R) LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE(TM) MAC Security."
Part 2 - Let's jump into it
Note: I have a video and demo on my channel but it is not required to follow these steps
To set up simple 802.1X in Omada, you will need:
- Supplicant - I have tested this using Windows 10 PC
- Authenticator - This will be the Omada Switch
- Authentication Server - Built-In RADIUS of the Omada Controller
RADIUS Server Configuration - refer to Screenshot for step by step navigation
- Global
- Settings
- Server Settings
- Built-In RADIUS Slider - slide it to turn it ON
- Server Address Type - I select Auto, choose your own if you like.
- Secret and Authentication Port - enter your password and default authentication port
- Enable Tunnel Reply - I checked Enable
- Apply
Switch Configuration - refer to Screenshot for step by step navigation
- Organization - Select your site
- Settings
- Authentication
- 802.1X
- 802.1X Slider - slide it to turn it ON
- Built-in Radius Profile - select from drop-down
- Authentication Protocol > EAP
- Authentication Type > Port Based
- VLAN Assignment - I checked Enable. Note/out of scope: below this option is a feature called MAB; useful for devices that don't support interactive login (e.g. a wired printer)
- Authentication Ports - select Switch Ports to enable
- Manage RADIUS Profile - click to open a new page
- Built-In Radius Profile - click the Edit icon
User Configuration - Add New RADIUS User
- Authentication Type > User Authentication
- Name and Password - enter user credential
- VLAN ID - enter what VLAN you want the user to be on
- Apply
Part 3 - Testing
Client Configuration
Note: steps will vary based on client type, OS, and device configuration. I am only covering EAP under Windows 10, refer to your respective OS/device manual for configuration.
- Launch "services.msc"
- Find the "Wired AutoConfig" service and click "Start".
- Open Network Adapter Properties and open the configuration tab
- Open Settings then uncheck "Verify the server's". Click OK
- Open Additional Settings, then under Specify authentication mode, select "User authentication" from the drop-down
- Connect your device to the 802.1X configured port (Step 18) and enter the credential created (Step 23)
- Done