How to Enable RADIUS with Entra ID Authentication in TP-Link Omada

  1. Registering the application in your tenant
  2. Creating Cloud Radius Instance
  3. Being a Subscription Owner or Network Administrator or Log Reader
  4. Register your IP Address in your RADIUS Access Policies

For your TP-Link Omada network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. This guide will show you how to enable RADIUS authentication in WPA-Enterprise with TP-Link Omada and EZRADIUS.

What are the Different Types of Entra ID Authentication for Network?

When using Entra ID for network authentication, you can choose between two types of authentication: EAP-TLS (certificate-based authentication) and EAP-TTLS (password-based authentication). EAP-TLS is the most secure and convenient method of authentication, as it uses certificates to authenticate users, meaning that the user does not have to enter a password or take any other action. If you are using an MDM, you can use it to distribute the certificates to users and set up automatic Wi-Fi authentication. EAP-TTLS is a password-based authentication method that allows your users to authenticate with their Entra ID username and password (note: you might have to make some changes to enable EAP-TTLS with Entra ID).

  1. Go to your TP-Link Omada Controller.
  2. Click on “Settings” at the bottom of the left menu.
  3. Click on “Authentication” and then “RADIUS” in the secondary menu on the left.
  4. Click on “Create New RADIUS Profile”.
  5. In the “Name” field, enter a name for your RADIUS profile.
  6. If you are assigning the VLAN with your RADIUS authentication, check the “VLAN Assignment” box.
  7. In another tab, go to your EZRADIUS dashboard and copy the “RADIUS Server IP” from the “Policies” page (you can repeat this step for the three IPs for higher availability).
  8. From your Policy Details, copy the “Shared Secret” you set up for this client IP address (in this case, my IP address is 34.2.2.1).
  9. Go back to the TP-Link Omada Network Controller and paste the “RADIUS Server IP” in the “RADIUS Server” field.
  10. In the “Port” field, enter “1812”.
  11. In the “Authentication” field, paste the “Shared Secret” you copied from EZRADIUS.
  12. If you want to add multiple IPs for higher availability, click on “Add New Authentication Server” and repeat the steps for the other two IPs.
  13. If you want to enable Accounting (it gives you more information about each session, such as data used, connection time, etc.), you can do so by clicking on the “RADIUS Accounting” checkbox and enabling it.
  14. Add the same IPs and Shared Secrets for Accounting, except that the port is 1813 instead of 1812 (in the original screenshot for this step, only one IP address was added for accounting to fit everything in one screenshot).
  15. Click on “Save” in the bottom left.
  16. Now that the RADIUS profile has been added, go to “Wireless Networks” and the “WLAN” tab on the left.
  17. This tutorial assumes that you have not created your network yet, although you can also modify an existing one. In this case, click “Create New Wireless Network”.
  18. Enter the “SSID” for your network.
  19. Select the bands you want to use for this network.
  20. Select “WPA Enterprise” for the “Security”.
  21. Select the RADIUS profile you created in the “RADIUS Profile” dropdown.
  22. Click on “Apply” in the bottom left.
  23. Now that you have added the RADIUS profile to your network, you can connect your devices to your network using Entra ID authentication or local RADIUS accounts.

Now that your TP-Link Omada network is set up with RADIUS authentication, you can connect your devices to the network using Entra ID with either EAP-TLS or EAP-TTLS. If you are using EAP-TLS, you can use an MDM to distribute the certificates to your devices (if you are using EZCA, you can also create a self-service user certificate to test). If you are using EAP-TTLS with a password, you might have to set up your device for EAP-TTLS PAP authentication to be able to test your network using your Entra ID username and password.
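The shared secret copied in step 8 and pasted in step 11 is what both sides use to authenticate RADIUS packets: a server silently discards requests it cannot verify, and a client discards replies whose authenticator does not match. The following added example (not code from this guide, EZRADIUS or TP-Link) builds an Access-Request carrying a Message-Authenticator and checks a reply's Response Authenticator as defined in RFC 2865 and RFC 3579. The secret, user name, NAS identifier and the `make_reply` stand-in for the server are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: str, request_auth: bytes = b"") -> bytes:
    """Access-Request signed with Message-Authenticator (HMAC-MD5, RFC 3579)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, b"omada-test")
    placeholder = attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    # The HMAC covers the whole packet with the 16-byte attribute value zeroed.
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20 or len(request) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if not 20 <= length <= len(response) or ident != request[1]:
        return False
    body = response[:length]  # octets past Length are padding and are ignored
    expected = hashlib.md5(body[:4] + request[4:20] + body[20:] + secret).digest()
    return hmac.compare_digest(expected, body[4:20])


def make_reply(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    """Constructed stand-in for the server's reply, to exercise the check offline."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    req = build_access_request(secret, 7, "alice@example.com")
    print(response_is_authentic(make_reply(req, secret), req, secret))          # True
    print(response_is_authentic(make_reply(req, b"typo-secret"), req, secret))  # False
```

A reply produced with a different secret fails the check, which is the condition to rule out first when clients cannot join the SSID after the profile is saved.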