TP-Link Omada Controller
Configure TP-Link Omada SDN Controller with IronWifi's RADIUS authentication and external captive portal. This guide covers RADIUS profile creation, portal profile configuration, free authentication policy (walled garden) setup for guest access, wireless network creation, and WPA-Enterprise deployment for secure corporate networks.
Prerequisites
In TP-Link Omada Controller:
- Omada Controller v3, v4, or v5 (hardware or software)
- Admin access to Omada Controller interface
- TP-Link Omada access points adopted by the controller
- Network configured for guest WiFi
In IronWifi Console (complete these first):
- Create a Network in IronWifi Console
- Create a Captive Portal with vendor TP-Link
- Note your RADIUS settings (Primary IP, Backup IP, Secret) and Splash Page URL
Omada Controller v4/v5 Configuration
Step 1: Configure RADIUS Profile
- Navigate to Settings → Profiles → RADIUS Profile
- Click Create New RADIUS Profile
- Configure:
- Name: IronWifi
- Authentication Server IP: {Primary IP}
- Authentication Port: 1812
- Authentication Password: {Secret}
- Accounting Server IP: {Primary IP}
- Accounting Port: 1813
Step 2: Create Portal Profile
- Navigate to Settings → Profiles → Portal
- Click Create New Portal
- Configure:
- Name: IronWifi-Portal
- Authentication Type: External RADIUS Server
- RADIUS Profile: IronWifi
- External URL: {Splash Page URL}
- Landing Page: External URL
Step 3: Configure Free Authentication Policy
Configure destinations that guests can access before authentication. This is essential for the captive portal to function correctly.
Add allowed destinations:
- IP: 107.178.250.42
If you're using social login or payment providers, add these domains to your Free Authentication Policy:
| Provider | Required Entries |
|---|---|
| Google | *.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com |
| Facebook | *.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com |
| LinkedIn | *.linkedin.com, *.licdn.com, linkedin.com |
| Twitter/X | *.twitter.com, *.twimg.com, twitter.com, *.x.com, x.com |
| Apple | *.apple.com, *.icloud.com, appleid.apple.com |
| Microsoft/Azure AD | *.microsoft.com, *.microsoftonline.com, *.msftauth.net, login.microsoftonline.com |
| Stripe | *.stripe.com, js.stripe.com |
| PayPal | *.paypal.com, *.paypalobjects.com |
| Twilio (SMS) | *.twilio.com |
Step 4: Create Wireless Network
- Navigate to Settings → Wireless Networks
- Click Create New Wireless Network
- Configure:
- Name: Guest-WiFi
- Security: None (for captive portal)
- Portal: Enable
- Portal Profile: IronWifi-Portal
WPA-Enterprise Configuration
For 802.1X without captive portal:
- Create Wireless Network
- Configure:
- Security Mode: WPA2-Enterprise
- RADIUS Profile: IronWifi
Older Omada Versions
Omada v3
- Navigate to Wireless Control → Portal
- Configure external portal settings
- Add RADIUS server under authentication
Standalone EAP
For EAPs not managed by Omada:
- Access EAP web interface
- Navigate to Wireless → Portal
- Configure external portal and RADIUS
Troubleshooting
If you encounter issues after configuration, use this table to diagnose and resolve common problems:
| Symptom | Cause | Solution |
|---|---|---|
| Portal not appearing | Portal configuration or Free Authentication misconfiguration | Verify Portal is enabled on SSID, check External URL is correct, confirm Free Authentication includes splash page IP (107.178.250.42) |
| RADIUS connection failed | Incorrect RADIUS settings or network connectivity | Test RADIUS profile connectivity in controller, verify IP, port, and secret, check firewall rules allow RADIUS traffic |
| Authentication issues | User credentials or logging problems | Review controller logs under Insights, check IronWifi authentication logs in Console, verify user credentials are correct |
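The "RADIUS connection failed" row asks you to verify IP, port, and secret. As an added example (not IronWifi or TP-Link code), the following probe sends one Access-Request for a dummy user and checks the Response Authenticator as defined in RFC 2865, so a validly signed Access-Reject confirms both reachability and the shared secret. The function names, the dummy credentials, and the inclusion of a Message-Authenticator attribute are choices made for this example.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, req_auth) -> bytes:
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    attrs += attr(80, b"\x00" * 16)  # Message-Authenticator, zeroed for the HMAC
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length + request auth + attrs + secret)."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if not 20 <= length <= len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(server: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request for a dummy user (constructed credentials)."""
    req_auth, ident = os.urandom(16), os.urandom(1)[0]
    pkt = build_access_request(b"probe-user", b"not-a-real-password", secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP error; servers drop unknown clients / bad secrets
            return "no reply: wrong IP/port, blocked UDP, or server dropped the request"
    if not response_is_authentic(resp, req_auth, secret) or resp[1] != ident:
        return "reply failed the authenticator check: shared secret mismatch"
    code = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return "secret verified, server answered " + code.get(resp[0], f"code {resp[0]}")
```

Call `probe()` with the Primary IP and Secret noted from the IronWifi Console, from a host whose traffic leaves through the same public IP as the controller, because RADIUS servers generally discard requests from clients they do not recognize.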