TP-Link - AC Controller

CONFIGURATION GUIDE

This manual describes the configuration required on TP-Link AC500 equipment to integrate it with the Octopus Platform.

1- Pre-requisites

  • If a firewall in the network could block this traffic, allow the following hosts and ports; otherwise user authentication will fail:

    • Radius Servers:

      • Primary: <IP_Radius_1>, UDP ports 1812 (authentication) and 1813 (accounting)

      • Secondary: <IP_Radius_2>, UDP ports 1812 (authentication) and 1813 (accounting)

    • Splash Portal server:

      • Domain <captive_portal_domain>, TCP ports 80 and 443

  • The Guest and Enterprise module configurations described below only work if the corresponding Octopus platform licences for those modules have been contracted beforehand.

2- Guest module configuration

2.1 Radius Servers

Next, add the Radius Server to which the users' authentication requests will be sent. Go to Authentication > Authentication Server and open the Radius Server tab. Click "Add" to create a new Radius Server and set the following parameters:

  • Server Name: RADIUS

  • Server Address: <IP_Radius_1>

  • Authentication Port: 1812

  • Billing Port (accounting): 1813

  • Shared Key: <Secret>

  • Authentication Method: PAP

With PAP the user's password travels inside the Access-Request hidden only by an MD5 keystream derived from the shared secret (RFC 2865), so use a long random <Secret> that is not reused across installations, and keep RADIUS traffic restricted to the controller and the two servers listed in the prerequisites.

Once the Radius Server has been added, associate it with a group. Go to Authentication > Authentication Server again, this time to the Authentication Server Group tab. Click "Add" to create a new server group and set the following parameters:

  • Group Name: RADIUS_GROUP

  • Authentication Type: Radius

  • Main Server: RADIUS

The prerequisites list a secondary server (<IP_Radius_2>); if you also add it as a second Radius Server in the previous tab, select it as the group's backup server so that authentication keeps working when the primary is unreachable.

2.2 WLAN Settings

The next step on the TP-Link equipment is to create a new SSID or modify an existing one. Go to Wireless > Wireless Service and click "Add" to create a new WLAN with the following parameters:

  • Status: Enable

  • SSID: Indicate the SSID that the APs will broadcast.

  • Security: No Security

"No Security" makes this an open SSID: the captive portal decides who gets through to the network, but nothing encrypts the traffic over the air, before or after login. The portal page must therefore be served over HTTPS so that the credentials entered there are not exposed to anyone on the same channel.

2.3 Captive Portal

The next step is to configure the external captive portal. Go to Authentication > Portal Authentication and open the Remote Portal tab. Click "Add" to create a new external captive portal and set the following parameters:

  • Status: On

  • Splash Page: PORTAL_WIFI

  • SSID: Select the SSID created in the first section in which you will apply the captive portal.

  • Remote Portal Address: http://<captive_portal_domain>/login/hotspot/tplink/AC_IP

  • Authentication Server Type: Remote Authentication Server

  • Authentication Server Group: Select the group of servers created in the previous section.

Replace AC_IP with the IP address of the TP-Link controller. Example: https://<captive_portal_domain>/login/hotspot/tplink/192.168.1.50. Use the https:// form wherever the portal is served over TLS; the prerequisites open TCP 443 for that purpose.

2.4 Walled Garden

Next, specify the domains (the walled garden) that users can reach before authenticating. Go to Authentication > Authentication Config and open the Free Authentication Policy tab. Keep this list to what the login flow actually needs, such as the splash portal domain itself: every entry is reachable by unauthenticated clients.

Once inside this section click on Add to add each of the necessary domains with the following configuration:

  • Strategy Name: add a different name for each rule

  • Match Mode: URL Type

  • URL Address: add the URL of the domain to be configured

Additional domains (social networks, PayPal, etc.) can be looked up at the following link.

Once these rules are in place, go to the Authentication Parameters tab, within the same Authentication Config section, and set the following parameters:

  • Authentication Aging: enable

  • Aging Time: 15

  • Portal Authentication Port: 8080

2.5 AP Group

To finish the Access Point configuration, bind the SSID to the AP Group that contains the APs that will broadcast it. Go to Wireless > Wireless Service, select the SSID created earlier and click "Radio Binding".

Then select the AP Group from the "Select the Group" drop-down menu, tick the APs (on both the 2.4 GHz and 5 GHz radios) that should broadcast the SSID and click "Bound" so that the APs start broadcasting it.
2.6 Authorized MAC Addresses

For users to authenticate on the captive portal, the Radius Server must know which NAS devices will send it the authentication requests. With TP-Link, the MAC address of every access point that broadcasts the configured SSID must be registered as an authorized NAS; otherwise users connected through that AP will not be able to authenticate.

To obtain these MAC addresses easily, go to Status > AP Status, select the AP Group of the installation that contains the Access Points, and read them from the MAC Address column.

For how to add each AP's MAC address as an authorized NAS on the platform, refer to the following link.
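The AP Status list is usually exported or copied by hand, and a NAS entry whose MAC is written with a different separator or case than the platform expects is easy to miss. The script below is an added example, not code from this guide or from TP-Link or Octopus: it normalizes a constructed AP Status export into one address per AP, flags duplicates and truncated addresses, and assumes the hyphenated uppercase form AA-BB-CC-DD-EE-FF as the target format (change the join in normalize_mac if the platform expects colons).

```python
import csv
import io
import re

# Constructed sample of an AP Status export (not data from a real installation): the
# MAC column mixes separators and case, one AP appears twice and one address is truncated.
SAMPLE_AP_STATUS = """\
AP Name,AP Group,MAC Address,Status
lobby-ap-1,HQ,AA-BB-CC-11-22-33,Connected
lobby-ap-2,HQ,aa:bb:cc:11:22:34,Connected
meeting-ap,HQ,aabb.cc11.2235,Connected
lobby-ap-1,HQ,aa-bb-cc-11-22-33,Disconnected
broken-ap,HQ,AA-BB-CC-11-22,Disconnected
"""

HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(raw: str):
    """Return the address as AA-BB-CC-DD-EE-FF (assumed target form), or None unless the
    text is exactly twelve hex digits once the usual separators are removed."""
    digits = re.sub(r"[-:.\s]", "", raw)
    if not HEX12.fullmatch(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def nas_macs(csv_text: str):
    """Parse an AP Status export into (sorted unique NAS MACs, problems). Every dropped
    or collapsed row is reported so that no AP goes silently missing from the NAS list."""
    seen, problems = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row.get("MAC Address", ""))
        if mac is None:
            problems.append(f"{row['AP Name']}: unparseable MAC {row.get('MAC Address')!r}")
        elif mac in seen:
            problems.append(f"{row['AP Name']}: duplicate of {seen[mac]} ({mac})")
        else:
            seen[mac] = row["AP Name"]
    return sorted(seen), problems


if __name__ == "__main__":
    macs, problems = nas_macs(SAMPLE_AP_STATUS)
    print("\n".join(macs))
    print("\n".join(problems))
```

Run it against the real export and register only the addresses it prints; resolve every reported problem before assuming the NAS list is complete.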

3- Enterprise module configuration

To integrate the configuration of this module with the platform, the Octopus Wifi Enterprise Module must be contracted.

3.1 Configuration of the "Access Profiles" functionality in the Octopus Platform

Through the Octopus platform you can configure a set of reply attributes for the Access-Accept packets, grouped into what is called an Access Profile. These Access Profiles enable a number of functions on the Omada controller. Although both the most common and the proprietary Omada RADIUS dictionaries are available, the following are some of the most useful attributes:

  • Idle-Timeout (Format: Seconds): Maximum idle time. If the user transfers no data over the network during this time, the session is terminated and the user has to re-authenticate.

  • Acct-Interim-Interval (Format: Seconds): Interval at which the NAS sends an accounting update packet with all of the user's session information.

  • Reply-Message (Format: Text): Useful for troubleshooting, since it identifies the associated elements of the Octopus platform, such as the access profile, access method, location, ...

Example of an Access Profile configuration with the attributes explained above:
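The exchange behind section 2.1 (PAP authentication against a Radius Server with a shared key) and the reply attributes of this section, as an added example that is not part of this guide and is not TP-Link or Octopus code: it hand-builds a RADIUS Access-Request with a PAP-hidden User-Password, answers it with a toy stand-in for the RADIUS server that returns an Access-Accept carrying Idle-Timeout, Acct-Interim-Interval and Reply-Message, and shows the check a NAS must make on the Response Authenticator before trusting the reply. The shared secret, user account, NAS address, client MAC and profile values are constructed for the demo; the real Octopus server, its dictionaries and the controller's exact NAS behaviour are not modelled.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
REPLY_MESSAGE, IDLE_TIMEOUT, CALLING_STATION_ID, ACCT_INTERIM_INTERVAL = 18, 28, 31, 85

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    seeded with the Request Authenticator. Obfuscation only: the shared secret reveals it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the chaining value is the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """TLV-encode (type, value) pairs; integer values become 4-byte big-endian."""
    out = b""
    for atype, value in attrs:
        value = struct.pack("!I", value) if isinstance(value, int) else value
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def parse_attrs(data: bytes):
    """Walk the TLV list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def build_access_request(user, password, secret, nas_ip, client_mac, ident=0):
    """What the NAS (controller/AP) sends for a portal login with Authentication Method = PAP."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, pap_hide(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (CALLING_STATION_ID, client_mac.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def respond(request: bytes, secret: bytes, users: dict, profile) -> bytes:
    """Toy stand-in for the RADIUS server: verify the PAP password, answer Access-Accept with
    the profile's attributes or Access-Reject. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    got = dict(parse_attrs(request[20:]))
    user = got.get(USER_NAME, b"").decode(errors="replace")
    if users.get(user) == pap_reveal(got.get(USER_PASSWORD, b""), secret, req_auth):
        code, attrs = ACCESS_ACCEPT, encode_attrs(profile)
    else:
        code, attrs = ACCESS_REJECT, encode_attrs([(REPLY_MESSAGE, b"bad credentials")])
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def decode_access_accept(response: bytes, req_auth: bytes, secret: bytes) -> dict:
    """NAS side: discard replies whose Response Authenticator does not verify (forged or altered
    packet, or a secret mismatch), then read the attributes listed in the table above."""
    code, _, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length field does not match packet size")
    if hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest() != response[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    if code != ACCESS_ACCEPT:
        return {"accepted": False}
    names = {IDLE_TIMEOUT: "Idle-Timeout", ACCT_INTERIM_INTERVAL: "Acct-Interim-Interval"}
    out = {"accepted": True}
    for atype, value in parse_attrs(response[20:]):
        if atype in names:
            out[names[atype]] = struct.unpack("!I", value)[0]
        elif atype == REPLY_MESSAGE:
            out["Reply-Message"] = value.decode(errors="replace")
    return out

# Constructed demo data: not a real secret, user account or access profile.
SECRET = b"correct-horse-battery-staple"
USERS = {"guest@example.net": b"s3cret-pass"}
PROFILE = [(IDLE_TIMEOUT, 600), (ACCT_INTERIM_INTERVAL, 300),
           (REPLY_MESSAGE, b"profile=GUEST_BASIC;location=LOBBY")]

def demo(user="guest@example.net", password="s3cret-pass") -> dict:
    """One full round trip: NAS request -> server reply -> NAS verification of the reply."""
    req, req_auth = build_access_request(user, password, SECRET, "192.168.1.50", "AA-BB-CC-11-22-33")
    return decode_access_accept(respond(req, SECRET, USERS, PROFILE), req_auth, SECRET)
```

Two things the round trip makes visible: pap_reveal recovers the cleartext password from nothing more than the shared secret and the packet, which is why the <Secret> of section 2.1 deserves the same care as a password; and decode_access_accept refuses an Access-Accept whose attributes were changed in transit or that was produced under a different secret, so a forged "accept" with a generous Idle-Timeout does not get through.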