Network device onboarding

TP-Link Omada

Controller-managed switches and EAPs

Applies to: Omada is TP-Link's controller-managed line covering switches (TL-SG / SG3xxx) and access points (EAP series). RADIUS is configured once in the Omada Controller and applied to SSIDs and switch port profiles. Field paths below are Omada Controller 5.x.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

Settings -> Authentication -> 802.1X (per-site). Omada Controller distributes the RADIUS config to all managed switches.

Settings -> Authentication -> 802.1X:
  Status: enabled
  Authentication method: EAP
  RADIUS server group:
    Server 1  IP: 10.10.10.10  Auth: 1812  Acct: 1813  Secret: ARBITER_PSK
    Server 2  IP: 10.10.10.11  Auth: 1812  Acct: 1813  Secret: ARBITER_PSK
  Authentication retry:   1
  Authentication timeout: 2
  Quiet period:           60

Switches -> Ports -> Edit profile -> 802.1X: enabled, MAB: enabled

Wireless: 802.1X SSID

Settings -> Wireless Networks -> Create SSID -> WPA2-Enterprise.

SSID name:        Corp
Security:         WPA2-Enterprise
RADIUS profile:   Arbiter (reuses the same server group as wired)
VLAN assignment:  RADIUS
Accounting:       enabled

Guest SSID: open with captive portal redirect

Settings -> Wireless Networks -> Guest network. Omada has a built-in portal; disable it and use the external Arbiter portal instead.

SSID name:        Guest
Security:         None (open)
Guest network:    enabled
Portal:           External Portal Server
External URL:     https://acme-7f3-guest.arbiter.ie/
RADIUS MAC auth:  enabled (Arbiter profile)
Walled garden:    acme-7f3-guest.arbiter.ie

DHCP relay to Edge

On Omada gateways (ER-series): Settings -> Wired Networks -> Network -> DHCP Relay.

DHCP Mode:    Relay
DHCP servers: 10.0.0.5
              10.10.10.10
              10.10.10.11

AAA dead-server detection

Retry and timeout are configured on the RADIUS profile (above). Current Omada firmware does not expose a formal dead-criteria / deadtime pair; failover is reactive on the next request. Because the RADIUS target is a local Edge appliance on your LAN, set Retry and Timeout short so that authentication fails over to Edge #2 quickly.

RADIUS profile -> Advanced (Controller 5.x):
  Retry:    2         # attempts before failover
  Timeout:  2s        # short, LAN-local server
  Dead time: not exposed in current Omada firmware
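
The following is an added example, not part of the original guide and not Arbiter or TP-Link tooling. It models the reactive failover described above: it sends an RFC 5997 Status-Server request to each Edge in order, using this page's Retry and Timeout values, and accepts only a reply whose Response Authenticator verifies against the shared secret. That the Edge appliances answer Status-Server on UDP/1812 is an assumption, and the function names are illustrative.

```python
import hashlib, hmac, os, socket, struct

EDGES = ["10.10.10.10", "10.10.10.11"]   # Edge appliances used in this guide
RETRY, TIMEOUT = 2, 2.0                   # RADIUS profile -> Advanced values

def build_status_server(secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """RFC 5997 Status-Server (code 12) with a Message-Authenticator (type 80)."""
    header = struct.pack("!BBH", 12, ident, 20 + 18) + req_auth
    zeroed = header + bytes([80, 18]) + bytes(16)   # MAC field zeroed for HMAC
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + bytes([80, 18]) + mac

def response_is_authentic(resp: bytes, req_auth: bytes, ident: int, secret: bytes) -> bool:
    """Response Authenticator = MD5(code|id|length|request_auth|attrs|secret)."""
    if len(resp) < 20 or resp[1] != ident:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if length < 20 or length > len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(server, secret, port=1812, retry=RETRY, timeout=TIMEOUT):
    """True if the server returns a verifiable reply within retry * timeout."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_status_server(secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(retry):
            s.sendto(packet, (server, port))
            try:
                resp, _addr = s.recvfrom(4096)
            except OSError:               # timeout or ICMP unreachable
                continue
            if response_is_authentic(resp, req_auth, ident, secret):
                return True
    return False

def first_live(servers, secret, **kw):
    """Try servers in order; move on only after the previous one exhausts its retries."""
    for server in servers:
        if probe(server, secret, **kw):
            return server
    return None

if __name__ == "__main__":
    print(first_live(EDGES, b"ARBITER_PSK"))   # placeholder PSK from this guide
```

A passing probe confirms reachability and a matching shared secret only; it says nothing about policy outcomes. With the values above, an unresponsive Edge #1 costs up to Retry x Timeout = 4 seconds before Edge #2 is tried.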

CoA listener

Omada supports CoA on UDP/3799 from Controller 5.x onwards. Enable it in the RADIUS profile.

Settings -> Authentication -> RADIUS profile -> CoA: enabled

Notes

  • Omada is the youngest of the ten vendors covered here in terms of enterprise-grade NAC features; expect the smallest set of tunables. Verify CoA behaviour against the current controller firmware before relying on RADIUS-driven re-VLAN.

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.
