PPSK without Radius not sending DHCP to clients
I have set up a new WLAN (OSA_Residents) for my residents (apartments) - this was created as PPSK without RADIUS. I then created a PPSK profile and added 2 'users' to the profile, both on their own VLANs. The WLAN is not on a custom VLAN and is set as WPA2-PSK / AES. I can only enable the 2.4 and 5GHz bands as there is a bug and if you enable the 6GHz band PPSK disappears - but that isn't the problem at hand, but I would love for that to get fixed.
Once this basic setup was complete I went and created 2 VLANs to test - Apartment1 VLAN ID 101 and Apartment2 VLAN ID 102. I then assigned the PPSK profiles to each of those VLANs to match. After that I made sure that both ports on the Omada switch are set to "all" so they should accept traffic for either VLAN. I do NOT have a management VLAN if that matters.
Once this was all done I took my new Samsung S23 and joined the SSID: OSA_Residents. I chose the password from one of the profiles and it tries to connect but fails. What I see in the Omada cloud is that the device connected but could not get an IP. My VPN/Router is the ER605 v2.0 and the POE switch is the TL-SG2210MP v3.0. I do not have L2 relay enabled as the VLANs themselves have a proper subnet and scope.
What could I be missing here? From all my reading and watching of videos I'm doing it right. Is it the 6Ghz network bug? My phone is Wifi6 capable and all the EAPs I have are Wifi6 capable as well...
Thanks!
1st, I thought wifi 6GHz was wifi 6E, not wifi 6. Are yours 6E?
I may be wrong on that.
I use OPNsense as my firewall/router so probably not going to be much help on the VLAN situation.
But I use Omada, WIFI and switches for everything else with OC200.
Have you tried putting the VLAN tag on a single switch port and plugging a laptop into it, to check you get onto the correct network (and to the internet)?
If that doesn't work right, then forget about the wifi; you need to sort that first.
Does the VLAN 'all' profile go to the APs?
Chris
@farmer1 6 and 6E are different and I have both types of devices on my network - you are also correct that 6GHz is reserved for the 6E standard and I do have devices that support 6E - my Samsung S23 supports 6E but my older S21 only supported WiFi 6 - I'm ignoring this bug for now.
Regarding the APs having the VLAN, they do, and you can tell as the phone does try to connect and you see it register in the Omada clients but without an IP, which is why the phone says "failed". If you enable DHCP L2 relay you can get an IP as it passes it across the VLAN from the main network, but that is not what I want. The DHCP simply does not work inside the VLANs themselves for some reason. Maybe the ER605 doesn't support the multiple VLAN DHCP setup? But then why does it ask for subnets in each VLAN with a scope in the VLAN setup? That doesn't make sense.
I will try the laptop idea next time I'm on site - but I only go out there maybe 1 time per week so that is very inconvenient :) Thanks!
Still stuck!
Ah, well, this is the TP-Link router doing this DHCP job,
which for me in my network is OPNsense. So I've not used TP-Link's routers.
On OPNsense you can choose to use a DHCP server for each VLAN subnet (or not), which is then directly on the same subnet as the clients.
For me the TP-Link routers don't meet my needs currently, although they are a good price, so I have been tempted for simpler setup arrangements.
Good luck.
I was going to mock this up for you and then I realized I have nothing but EAP235-walls here at this site, and they are running code from mid-2021 :( so no PPSK support.
One thing I am curious about is whether you defined your PPSK VLANs as 'Interface' or 'VLAN'. The latter do not have dedicated DHCP servers in the router and the former do.
Hey @Hank21 once you drop the new ER605v1 updated firmware, can we do something with the EAP235 next ;). Please.
But my 'main' LAN is interface, the 1 that is there when you start off; this cannot be changed.
But all my other VLANs are as above, with OPNsense doing the cross-VLAN firewalling etc. and DHCP, DNS etc.
Chris
Okay, so the plot thickens...
So how does your router know to listen on VLAN23 and serve up IPs...and from what subnet are you doing this? Have you configured subnets on the OPNsense for each PPSK user? Also, I am pretty sure you are going to need to use the L2 relay function, see this article https://www.tp-link.com/us/support/faq/2222/
On OPNsense:
Create a VLAN interface with tag (23) and choose the parent interface for this VLAN (the physical port of the firewall).
Assign a subnet to this and OPNsense's IP 192.168.23.1 for this VLAN23.
Set DHCP, DNS etc., which is basically 192.168.23.1 (normally the OPNsense).
Set firewall rules to allow access to other interfaces and internet WAN etc. as required, or not required?
Next on Omada, create the VLAN 23 (not interface in my case).
Fill in the obvious stuff...
Make sure the ALL profile is assigned to the switch port of the WiFi AP.
Create the needed SSID for the WiFi if not already done so.
Create PPSK users and passes and assign VLAN 23, make sure it's all tied to the correct SSID...
Done..
I think, was a few months back now... but I think that's it.
@farmer1 and @d0ugmac1 - I really appreciate the input from both of you but we've got way off topic at this point. I'm not going to introduce a pfsense appliance, etc. - I just want to know how to make this work natively the way it is documented from TP-Link. Again, thank you very much for the ideas but I'd like to stick to the problem as described. Thank you!
Hello @OrangeStreet
What's the detailed firmware version (the Build Number) of your ER605 V2 router?
What EAP devices do you have and what's the hardware and firmware version?
If you configure the SSID with non-PPSK secured (like WPA-Personal or None security), would your clients obtain IP address from the DHCP properly? If yes, could you please upload a screenshot of your PPSK setup for checking?
@Fae I have identified the bug. So here is what happens - I set up a profile for PPSK without RADIUS on a new WLAN called "OSA_Residents" that I apply the profile to. The WLAN can ONLY support 2.4 and 5GHz networks; when you select 6GHz the PPSK option disappears. I thought this was maybe just a GUI thing but it is not. What I found was that if you connect my new Samsung S23 that supports 6E (which is the 6GHz band), the phone will connect to the SSID but it will NOT get an IP because the PPSK profile for 6GHz can't be enabled and that is where the DHCP is. It seems since the 6GHz radios are on for other networks that my phone seeks the 6E.
However, if I take the previous model phone which is WiFi 6 (on the 5GHz band) it DOES connect and gets an IP. So this problem exists due exclusively to the fact that PPSK (with or without RADIUS) is not working on the 6GHz network. Fix that and you are good. This is a big bug as millions of Samsung S23 phones hit the market ALL with WiFi 6E enabled and anyone using my setup will have failures all over the place.
My firmware is up to date on all my hardware which includes:
OC300 v1 5.7.6 1.14.7 Build 20221206 Rel.60706
ER605 v2.0 2.1.2
TL-SG2210MP v3.0 3.0.5
EAP650(US) v1.0 1.0.6
EAP610-Outdoor(US) v1.0 1.06
Here is PPSK enabled with 2.4GHz and 5GHz:
Here is what is available in the dropdown when you enable the 6GHz box (PPSK disappears):
FIX THE BUG - MAKE PPSK WORK ON THE 6GHz network.
Thanks!