Omada Controller v5

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration of Omada Controller equipment required for integration with the Octopus Platform.

 

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to the following domains to enable user authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • To configure the Guest and Enterprise modules, the Octopus platform licenses for the respective modules must be contracted beforehand.

2- Guest module configuration

2.1 WLAN Configuration

The first step is to create a new WLAN Group. To do this, go to Settings > Wireless Networks and add a new WLAN Group by clicking on the Create New Group icon:

Set the desired name and click on Apply:

Once added, the next step is to create an SSID associated with this new WLAN Group. To do this, click on the Create New Network button and fill in the following parameters:

  • SSID Name: Set the SSID that the APs will radiate

  • Band: Enable 2.4GHz and 5GHz

  • Guest Network: Disabled

  • Security Mode: None

Finally, in the Advanced Settings section, activate the SSID Broadcast option to make the SSID visible:

2.2 Radius Servers

Now add the RADIUS server to be used for validation in the captive portal. To do this, go to Settings > Authentication > RADIUS Profile, click on Create New RADIUS Profile and fill in the following parameters:

  • Authentication Server IP: <IP_Radius_1>

  • Authentication Port: 1812

  • Authentication Password: <Secret>

  • Radius Accounting: Enable

  • Interim Update: Enable

  • Interim Update Interval: 600

  • Accounting Server IP: <IP_Radius_1>

  • Accounting Server Port: 1813

  • Accounting Password: <Secret>

2.3 Captive Portal

Next, add the new Splash Portal for user validation. To do this, go to Settings > Authentication > Portal and click on the Create New Portal icon. Once the drop-down menu opens, fill in the following parameters:

  • Portal Name: Identifying name of the portal.

  • SSID: Select the SSID previously created.

  • Authentication Type: External RADIUS Server

  • Portal Customization: External Web Portal

  • External Web Portal URL: https://<captive_portal_domain>/login/hotspot/omada

2.4 Walled Garden

The next step is to add the domains that users will be able to visit without being authenticated in the captive portal. To do this, go to Settings > Authentication > Portal > Access control.

 

To add free access domains, click on the Add icon and add the necessary domains with the following configuration:

  • Mode: URL Type

  • URL: add the URL of the domain to be configured

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

2.5 APs Configuration

To finalize the configuration of the Access Points, the APs must be associated with the WLAN Group that contains the created SSID. To do this, go to Devices and select the APs that you want to radiate the SSID.

Then, click on the Configuration option and select the WLAN tab. Finally, select the WLAN Group created at the beginning.

2.6 Authorized MAC Addresses

In order to allow the users to authenticate themselves in the captive portal correctly, it is necessary to identify the NAS that will send the authentication requests to the Radius Server. In this case, it is required to add the MAC address of every Access Point that will radiate the configured SSID.

These MAC addresses can be obtained from the Device section in the Device name column:

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link locations

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication Configuration

If you wish to configure the functionality that would allow MACs registered on the WIFI platform to be validated a second time directly without the captive portal appearing to users, additional configuration is required.

Go to Settings > Authentication > MAC-Based Authentication, activate MAC-Based Authentication and fill in the following parameters:

  • SSID: Select the WLAN created in point 2.1 of this guide.

  • RADIUS Profile: Associate the radius servers created in point 2.2 of this guide.

  • MAC Address Format: Select the MAC address format.

  • MAC-Based Authentication Fallback: Disable

  • Empty Password: Enable

3.2 MAC Authentication Configuration

To create an SSID dedicated to MAC Authentication validation only, go to Wireless Settings > Wireless Networks and add a new WLAN by clicking on + Create New Wireless Network:

  • SSID Name: configure SSID to be radiated by the APs e.g. Mac_Auth_Guest

  • Band: Enable 2.4GHz and 5GHz

  • Guest Network: Disable

  • Security Mode: None

Finally, in Advanced Settings we will activate the SSID Broadcast option to make the SSID visible:

Then go to Settings > Authentication > MAC-Based Authentication and activate the MAC-Based Authentication function.

  • SSID: Select the WLAN created.

  • RADIUS Profile: Associate the radius servers created in point 2.2 of this guide.

  • MAC Address Format: Select the MAC address format.

  • MAC-Based Authentication Fallback: Enable

3.3 Configuration of “Access Profiles” functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped in a so-called Access Profile. These Access Profiles make it possible to activate a series of functionalities in the Omada. Although the most common and proprietary Omada radius dictionaries are available, the following is a list of some of the most interesting ones:

| Attribute | Description | Format |
|---|---|---|
| Idle-Timeout | Maximum idle time. If the user does not transfer any data on the network during this time, the session will be terminated and the user will have to re-authenticate. | Seconds |
| Acct-Interim-Interval | Defines the time interval at which the NAS sends the accounting packet update with all the user's session information. | Seconds |
| Reply-Message | Useful for troubleshooting, since it makes it possible to identify associated elements of the Octopus platform, such as an access profile, access method, location, ... | |

 

Example of an Access Profile configuration with the attributes explained above:

 

For more information on how to create an Access Profile in Octopus Platform go to Access profiles
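
When troubleshooting, a captured Access-Accept can be checked against the shared secret and decoded to confirm that the Access Profile attributes listed above actually arrive. The following is an added example, not Octopus or Omada code: the attribute codes are the standard RFC 2865 / RFC 2869 values, while the packet, secret, Request Authenticator and Reply-Message text are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Standard RADIUS type codes for the attributes in the table above.
ATTRS = {18: ("Reply-Message", "text"), 28: ("Idle-Timeout", "seconds"),
         85: ("Acct-Interim-Interval", "seconds")}
ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_access_accept(packet, request_auth, secret):
    """Verify an Access-Accept and return the listed reply attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch (secret or tampering)")
    found, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        atype, value = attrs[pos], attrs[pos + 2:pos + alen]
        name, kind = ATTRS.get(atype, (None, None))
        if kind == "seconds" and len(value) == 4:  # 32-bit integer, network order
            found[name] = struct.unpack("!I", value)[0]
        elif kind == "text":
            found[name] = value.decode("utf-8", "replace")
        pos += alen
    return found

def build_sample(secret, request_auth, ident=7):  # constructed packet, not a capture
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in [
        (28, struct.pack("!I", 900)), (85, struct.pack("!I", 600)),
        (18, b"profile=guest-demo")])
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))
    print(parse_access_accept(build_sample(secret, req_auth), req_auth, secret))
```

With a real capture, `request_auth` is the 16-byte Authenticator field of the Access-Request that carries the same Identifier as the Access-Accept.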