Enable 802.1X using built-in Omada Features [no 3rd party RADIUS server], Dynamic VLAN ID

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Enable 802.1X using built-in Omada Features [no 3rd party RADIUS server], Dynamic VLAN ID

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Enable 802.1X using built-in Omada Features [no 3rd party RADIUS server], Dynamic VLAN ID
Enable 802.1X using built-in Omada Features [no 3rd party RADIUS server], Dynamic VLAN ID
2023-12-08 19:38:14 - last edited 2023-12-12 07:41:52
Model: OC300   SG2210MP   TL-SG3428  
Hardware Version: V1
Firmware Version:

Part 1 - Introduction

Do you need 802.1X at your home LAN?

It depends, for simple LAN, probably not. But if you need to secure your wired network infrastructure, i.e. someone can unplug your outdoor camera and plug their own device, or maybe you have an exposed managed network switch in your home lab, and you dont want your Lan Party buddies to just connect there without your knowledge, then this is a pretty solid option.

 

Special Bonus: Based on credential, VLAN will be dynamic (i.e. same port can be VLAN 10, 20, etc. without manual configuration, VLAN ID will be based on user)

 

If you would like to know more about 802.1X, from IEEE

"Port-based network access control allows a network administrator to restrict the use of IEEE 802(R) LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE(TM) MAC Security."

 

Part 2 - Let's jump into it

Note: I have a video and demo on my channel but it is not required to follow these steps

To set up a simple 802.1X in Omada, you will need

  1. Supplicant - I have tested this using Windows 10 PC
  2. Authenticator - This will be the Omada Switch
  3. Authentication Server - Built-In RADIUS of the Omada Controller

 

RADIUS Server Configuration - refer to Screenshot for step by step navigation

Steps 1-8

 

  1. Global
  2. Settings
  3. Server Settings
  4. Built-In RADIUS Slider - slide it to turn it ON
  5. Server Address Type - I select Auto, choose your own if you like.
  6. Secret and Authentication Port - enter your password and default authentication port
  7. Enable Tunnel Reply - I checked Enable
  8. Apply

    Switch Configuration refer to Screenshot for step by step navigation:

    Steps 9-19

  9. Organization - Select your site
  10.  Settings
  11. Authentication
  12. 802.1X
  13. 802.1X Slider - slide it to turn it ON
  14. Built-in Radius Profile - select from drop-down
  15. Authentication Protocol > EAP
  16. Authentication Type > Port Based
  17. VLAN Assignment - I checked Enable. Note/out of scope: below this option is a feature called MAB; useful for device that don't support interactive login (i.e. wired printer)
  18. Authentication Ports - select Switch Ports to enable
  19. Manage RADIUS Profile - click to open a new page
  20. Built-In Radius Profile - click the Edit icon

    c38b711492884ed295e8ea7703a120ae


    User Configuration

    Steps 21-25

     

  21. Add New RADIUS User
  22. Authentication Type > User Authentication
  23. Name and Password - enter user crendential
  24. VLAN ID - enter what VLAN you want the user to be on
  25. Apply

 

 

Part 3 - Testing

Client Configuration
Note: steps will vary based on client type, OS, and device configuration. I am only covering EAP under Windows 10, refer to your respective OS/device manual for configuration.

  1. Launch "services.msc"
  2. Look for "Wired AutoConfig" service and "Start". 

    57275801b5f743e2a9612dede479624a

     

  3. Open Network Adapter Properties and open the configuration tab
  4. Open Settings then uncheck "Verify the server's". Click OK

    70d9292afa72471b978117ad41be1c4e

     

  5. Open Additional Settings then under Specify authentication mode, select "User authentication" on the drop down
  6. Connect your device to the 802.1X configured port (Step 18) and enter the credential created (Step 23)

    587d8b843e114a758c70b5a63c3b6dbd

     

  7. Done

 

  5      
  5      
#1
Options