TP-Link Omada
Controller-managed switches and EAPs
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
Settings -> Authentication -> 802.1X (per-site). Omada Controller distributes the RADIUS config to all managed switches.
Settings -> Authentication -> 802.1X:
Status: enabled
Authentication method: EAP
RADIUS server group:
Server 1 IP: 10.10.10.10 Auth: 1812 Acct: 1813 Secret: ARBITER_PSK
Server 2 IP: 10.10.10.11 Auth: 1812 Acct: 1813 Secret: ARBITER_PSK
Authentication retry: 1
Authentication timeout: 2
Quiet period: 60
Switches -> Ports -> Edit profile -> 802.1X: enabled, MAB: enabled
Wireless: 802.1X SSID
Settings -> Wireless Networks -> Create SSID -> WPA2-Enterprise.
SSID name: Corp
Security: WPA2-Enterprise
RADIUS profile: Arbiter (reuses the same server group as wired)
VLAN assignment: RADIUS
Accounting: enabled
Guest SSID: open with captive portal redirect
Settings -> Wireless Networks -> Guest network. Omada has a built-in portal; disable it and use the external portal (Arbiter) instead.
SSID name: Guest
Security: None (open)
Guest network: enabled
Portal: External Portal Server
External URL: https://acme-7f3-guest.arbiter.ie/
RADIUS MAC auth: enabled (Arbiter profile)
Walled garden: acme-7f3-guest.arbiter.ie
DHCP relay to Edge
Omada gateways (ER-series). Settings -> Wired Networks -> Network -> DHCP Relay.
DHCP Mode: Relay
DHCP servers: 10.0.0.5
10.10.10.10
10.10.10.11
AAA dead-server detection
Retry / timeout configured on the RADIUS profile (above). Current Omada firmware does not expose a formal dead-criteria / deadtime pair; failover is reactive on the next request. The RADIUS target is a local Edge appliance on your LAN, so set Retry and Timeout short and the supplicant falls over to Edge #2 quickly.
RADIUS profile -> Advanced (Controller 5.x):
Retry: 2 # attempts before failover
Timeout: 2s # short, LAN-local server
Dead time: not exposed in current Omada firmware
CoA listener
Omada supports CoA on UDP/3799 from Controller 5.x onwards. Enable it in the RADIUS profile.
Settings -> Authentication -> RADIUS profile -> CoA: enabled
Notes
- Omada is the youngest of the ten vendors covered here in terms of enterprise-grade NAC features; expect the smallest set of tunables. Verify CoA behaviour against the current controller firmware before relying on RADIUS-driven re-VLAN.
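
One way to check the CoA listener from a test host before relying on re-VLAN: an added example (not Arbiter or Omada code) that builds an RFC 5176 CoA-Request and authenticates the ACK/NAK reply. Identifying the session by Calling-Station-Id, the MAC format and the address passed to the hypothetical `probe` helper are assumptions to adjust for your firmware.

```python
import hashlib
import hmac
import os
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
CALLING_STATION_ID, ERROR_CAUSE = 31, 101    # RADIUS attribute types

def build_coa_request(secret: bytes, ident: int, client_mac: str) -> bytes:
    """CoA-Request naming the session by Calling-Station-Id (assumed identifier)."""
    mac = client_mac.encode()
    attrs = struct.pack("!BB", CALLING_STATION_ID, len(mac) + 2) + mac
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attrs + secret)
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def check_reply(secret: bytes, request: bytes, reply: bytes):
    """Return ("ACK"|"NAK", error_cause or None); raise ValueError on a bad reply."""
    if len(reply) < 20:
        raise ValueError("short reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply) or code not in (COA_ACK, COA_NAK):
        raise ValueError("not a reply to this request")
    # Response Authenticator = MD5(code+id+len + request authenticator + attrs + secret)
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad authenticator (wrong secret or spoofed reply)")
    cause, pos = None, 20
    while pos + 2 <= length:
        atype, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE and alen == 6:
            cause = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
        pos += alen
    return ("ACK" if code == COA_ACK else "NAK"), cause

def probe(nas_ip: str, secret: bytes, client_mac: str, timeout: float = 2.0):
    """Send one CoA-Request to UDP/3799; None means nothing answered in time."""
    req = build_coa_request(secret, os.urandom(1)[0], client_mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (nas_ip, 3799))
        try:
            return check_reply(secret, req, s.recv(4096))
        except socket.timeout:
            return None
```

A NAK that passes the authenticator check still shows the listener is up and the secret matches. A `None` result can mean the listener is disabled, the source address is not accepted, or the secret differs, since a request with a bad authenticator is silently dropped.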
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.