Omada Controller v3

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration required on Omada Controller equipment for integration with the Octopus Platform.

 

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to the following servers and domains to enable user authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the Guest and Enterprise module configurations to work, the Octopus platform licenses with the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 WLAN Configuration

The first step is to create a new WLAN Group. To do this, go to Wireless Settings > Basic Wireless Setting and add a new WLAN Group by clicking on the Add icon:

Set the desired name and click on Apply:

Once added, the next step is to create an SSID associated with this new WLAN Group. To do this, click on the Add button and fill in the following parameters in the Basic Info section:

  • SSID Name: Set the SSID that the APs will radiate

  • Band: Enable 2.4GHz and 5GHz

  • Guest Network: Disabled

  • Security Mode: None

Finally, in the Advanced Settings section, activate the SSID Broadcast option to make the SSID visible:

2.2 Captive Portal and Radius Servers

Next, add the new Splash Portal and Radius servers for user validation. To do this, go to the Wireless Control > Portal section and click on Add a New Portal. Once the drop-down menu is open, fill in the following parameters:

  • Portal Name: Set identifying name of the portal.

  • SSID: Select the previously created SSID.

  • Authentication Type: External RADIUS Server

  • RADIUS Server IP: <IP_Radius_1>

  • RADIUS Port: 1812

  • RADIUS Password: <Secret>

  • Authentication Mode: PAP

  • Radius Accounting: Enable

  • Accounting Server IP: <IP_Radius_1>

  • Accounting Server Port: 1813

  • Accounting Server Password: <Secret>

  • Interim Update: 600

  • Portal Customization: External Web Portal

  • External Web Portal URL: http://<captive_portal_domain>/login/hotspot/omada

Do not set the Redirect URL, because it will be configured in the WiFi platform:

2.3 Walled Garden

The next step is to add the domains that users will be able to visit without being authenticated in the captive portal. To do this, go to the Wireless Control > Free Authentication Policy section.

To add free access domains, click on the Add icon and add the necessary domains with the following configuration:

  • Policy Name: add a different name for each rule

  • Match Mode: URL Type

  • URL: add the URL of the domain to be configured

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted from the following link.

2.4 APs Configuration

To finalize the configuration of the Access Points, the APs must be associated with the WLAN Group that contains the created SSID. To do this, go to the Access Points section and select the APs that you want to radiate the SSID:

Then, click on the Configuration option and select the WLAN tab. Finally, select the WLAN Group created at the beginning.

2.5 Authorized MAC Addresses

In order to allow the users to authenticate themselves in the captive portal correctly, it is necessary to identify the NAS that will send the authentication requests to the Radius Server. In this case, it is required to add the MAC address of every Access Point that will radiate the configured SSID.

These MAC addresses can be obtained from the Access Points section in the MAC Address column:

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link locations

2.6 Additional settings

Success Login Page

By default in the Omada integration, if the authentication in the captive portal is successful, a page with a "login success" message appears for a short period of time. This page appears by default with the TP-Link logo and background. To edit it, go to Settings > Wireless Control > Portal and edit the portal already created.

Momentarily change the Portal Customization parameter to Local Web Portal and edit the following fields:

  • Background: Select Solid Color or Picture depending on how you want to edit it. In case of Solid Color select a color and in Picture an image. It is recommended to select Solid Color white so that it does not contrast too much with the background of browsers.

  • Logo Picture: Select a generic logo that will appear on all sites where that portal is configured.

Once the configuration has been changed, save the portal changes.

Finally, edit the portal again and set the Portal Customization parameter back to External Web Portal. Verify that the External Web Portal URL still has the same configuration.

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication Configuration

If you wish to configure the functionality that allows MACs registered on the WiFi platform to be validated a second time directly, without the captive portal appearing to users, additional configuration is required.

Go to Settings > Authentication > MAC-Based Authentication and activate MAC-Based Authentication:

  • SSID: Select the WLAN created in point 2.1 of this guide.

  • RADIUS Profile: Associate the radius servers created in point 2.2 of this guide.

  • MAC Address Format: Select the MAC address format.

  • MAC-Based Authentication Fallback: Disable

  • Empty Password: Enable

3.2 MAC Authentication Configuration

To create an SSID dedicated to MAC Authentication validation only, go to Wireless Settings > Wireless Networks and add a new WLAN by clicking on + Create New Wireless Network:

  • SSID Name: configure SSID to be radiated by the APs e.g. Mac_Auth_Guest

  • Band: Enable 2.4GHz and 5GHz

  • Guest Network: Disable

  • Security Mode: None

Finally, in Advanced Settings, activate the SSID Broadcast option to make the SSID visible:

Then go to Settings > Authentication > MAC-Based Authentication and activate the MAC-Based Authentication function:

  • SSID: Select the WLAN created.

  • RADIUS Profile: Associate the radius servers created in point 2.2 of this guide.

  • MAC Address Format: Select the MAC address format.

  • MAC-Based Authentication Fallback: Enable

3.3 Configuration of “Access Profiles” functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a series of reply attributes of the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities in the Omada. Although the most common and proprietary Omada radius dictionaries are available, the following is a list of some of the most interesting ones:

| Attribute | Description | Format |
|---|---|---|
| Idle-Timeout | Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
| Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
| Reply-Message | Useful for troubleshooting functions, since it allows to identify associated elements of the Octopus platform, such as an access profile, access method, location, ... | |

Example of an Access Profile configuration with the attributes explained above:

 

For more information on how to create an Access Profile in Octopus Platform, go to Access profiles.
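
On the wire, the reply attributes of section 3.3 reach the Omada AP inside a RADIUS Access-Accept packet. The following Python code is an added example, not code from Octopus or TP-Link: it encodes the three attributes above with their standard RFC 2865 / RFC 2869 numbers, and the parser checks the Response Authenticator against the shared secret (the <Secret> of section 2.2) before trusting any value. The secret, Request Authenticator, Idle-Timeout value and Reply-Message text are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
# Standard attribute numbers from RFC 2865 / RFC 2869
ATTRS = {18: ("Reply-Message", "text"), 28: ("Idle-Timeout", "int"),
         85: ("Acct-Interim-Interval", "int")}
# Constructed sample values, not taken from a real deployment
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_PROFILE = {"Idle-Timeout": 900, "Acct-Interim-Interval": 600,
                  "Reply-Message": "profile=guest-basic"}


def build_access_accept(ident, request_auth, secret, profile):
    """Encode an Access-Accept carrying the profile's reply attributes."""
    numbers = {name: (num, kind) for num, (name, kind) in ATTRS.items()}
    body = b""
    for name, value in profile.items():
        num, kind = numbers[name]
        raw = struct.pack("!I", value) if kind == "int" else value.encode()
        body += struct.pack("!BB", num, len(raw) + 2) + raw
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_access_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then decode the reply attributes."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or \
            struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    attrs, pos = {}, 0
    while pos < len(body):
        alen = body[pos + 1] if pos + 2 <= len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        raw = body[pos + 2:pos + alen]
        name, kind = ATTRS.get(body[pos], (f"Attr-{body[pos]}", "raw"))
        attrs[name] = (int.from_bytes(raw, "big") if kind == "int"
                       else raw.decode() if kind == "text" else raw)
        pos += alen
    return attrs
```

Calling `parse_access_accept(build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, SAMPLE_PROFILE), SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)` returns the sample profile; a different secret or a modified attribute byte raises `ValueError`.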