TP-Link Omada setup guide

Controller-managed switches and EAPs

Applies to: TP-Link Omada, the controller-managed line covering switches (TL-SG / SG3xxx) and access points (EAP series). RADIUS is configured once in the Omada Controller and applied to SSIDs and switch port profiles. Field paths below are for Omada Controller 5.x.

Wired — RADIUS server, 802.1X and MAB

Settings -> Authentication -> 802.1X (per-site). Omada Controller distributes the RADIUS config to all managed switches.

Settings -> Authentication -> 802.1X:
  Status: enabled
  Authentication method: EAP
  RADIUS server group:
    Server 1  IP: 10.10.10.10  Auth: 1812  Acct: 1813  Secret: ARBITER_PSK
    Server 2  IP: 10.10.10.11  Auth: 1812  Acct: 1813  Secret: ARBITER_PSK
  Authentication retry:   1
  Authentication timeout: 2
  Quiet period:           60

Switches -> Ports -> Edit profile -> 802.1X: enabled, MAB: enabled

Wireless — 802.1X SSID

Settings -> Wireless Networks -> Create SSID -> WPA2-Enterprise.

SSID name:        Corp
Security:         WPA2-Enterprise
RADIUS profile:   Arbiter (reuses the same server group as wired)
VLAN assignment:  RADIUS
Accounting:       enabled

Guest SSID — open with captive portal redirect

Settings -> Wireless Networks -> Guest network. Omada has a built-in portal; disable it and use the external (Arbiter) portal instead.

SSID name:        Guest
Security:         None (open)
Guest network:    enabled
Portal:           External Portal Server
External URL:     https://acme-7f3-guest.arbiter.ie/
RADIUS MAC auth:  enabled (Arbiter profile)
Walled garden:    acme-7f3-guest.arbiter.ie

DHCP relay to Edge

Omada gateways (ER-series). Settings -> Wired Networks -> Network -> DHCP Relay.

DHCP Mode:    Relay
DHCP servers: 10.0.0.5
              10.10.10.10
              10.10.10.11

AAA dead-server detection

Retry and timeout are configured on the RADIUS profile (above). Current Omada firmware does not expose a Portnox-style dead-criteria / deadtime pair; failover is reactive, triggered on the next request. Set Retry and Timeout to give roughly a 30-second window before the supplicant fails over to Edge #2.

RADIUS profile -> Advanced (Controller 5.x):
  Retry:    4         # 4 attempts before failover
  Timeout:  8s        # ~30s overall (8s x 4 attempts)
  Dead time: not exposed in current Omada firmware

CoA listener

Omada supports CoA on UDP/3799 from Controller 5.x onwards. Enable it in the RADIUS profile.

Settings -> Authentication -> RADIUS profile -> CoA: enabled