Omada SDN Controller User Guide (2024)

Load Balancing Weight

Alternatively, you can click Pre-Populate to test the speed of WAN ports and automatically fill in the appropriate ratio according to test result.

Application Optimized Routing

This feature ensures that multi-connected applications work properly.

Link Backup

Backup WAN / Primary WAN

Backup Mode

Link Backup: When a WAN link drops, the system automatically moves new sessions from the dropped link to the other WAN link to keep the network online.

Always Link Primary: Traffic is always forwarded through the primary WAN port unless it fails. The system will try to forward the traffic via the backup WAN port when it fails, and switch back when it recovers.

Mode

4.3.2 Configure LAN Networks

The LAN function allows you to configure the wired internal network. Based on 802.1Q VLAN, Omada Controller provides a convenient and flexible way to separate and deploy the network. The network can be logically segmented by department, application, or type of user, regardless of geographic location.

To create a LAN, follow the guidelines:

1 ) Create a Network with a specific purpose. For Layer 2 isolation, create a network as VLAN. To realize inter-VLAN routing, create a network as Interface, which is configured with a VLAN interface.

2 ) Create a port profile for the network. The profile defines how the packets in both ingress and egress directions are handled.

3 ) Assign the port profile to the desired ports of the switch to activate the LAN.

Create a Network

Note:

A default Network (default VLAN) named LAN is preconfigured as Interface and is associated with all LAN ports of the Omada Gateway and all switch ports. The VLAN ID of the default Network is 1. The default Network can be edited, but not deleted.

1. Go to Settings > Wired Networks > LAN > Networks to load the following page.


2. Click + Create New LAN to load the following page, enter a name to identify the network, and select the purpose for the network.


Purpose

Interface: Create the network with a Layer 3 interface, which is required for inter-VLAN routing.

VLAN: Create the network as a Layer 2 VLAN.

3. Configure the parameters according to the purpose for the network.

■ Interface


LAN Interface

VLAN

Gateway/Subnet

Domain Name

IGMP Snooping

DHCP Server

DHCP Range

Click Update DHCP Range beside the Gateway/Subnet entry to have the IP address range populated automatically, and edit the range according to your needs.

DNS Server

Auto: The DHCP server automatically assigns DNS server for devices in the network. It uses the IP address specified in the Gateway/Subnet entry as the DNS server address.

Manual: Specify DNS servers manually. Enter the IP address of a server in each DNS server field.

Lease Time

Default Gateway

Auto: The DHCP server automatically assigns default gateway for devices in the network. It uses the IP address specified in the Gateway/Subnet entry as the default gateway address.

Manual: Specify default gateway manually. Enter the IP address of the default gateway in the field.

DHCP Omada Controller

Legal DHCP Servers

Option 60

Option 66

It specifies the TFTP server information and supports a single TFTP server IP address.

Option 138

It carries the controller address that Omada devices use to discover the Omada controller.
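The three options above share the DHCP option layout (code, length, value), and option 138 in particular is what a device trusts to find its controller, so it is worth seeing exactly what is on the wire. The following Python is an added example, not code from the Omada controller: it decodes options 54, 60, 66 and 138 per RFC 2132 and RFC 5417 from a constructed option block, and models the Legal DHCP Servers field as "accept an offer only if its server identifier is on the list" (the guide names the field but does not describe its enforcement, so that reading is an assumption of this example).

```python
"""Decode the DHCP options the guide names (60, 66, 138) and check the offering
server against a Legal DHCP Servers list.

Added example, not Omada code. Option layout follows RFC 2132 (code, length,
value; 0 is pad, 255 is end). Option 138 is the CAPWAP Access Controller
address list from RFC 5417, which is how Omada devices learn the controller
address. The option bytes below are constructed; all addresses come from the
documentation ranges. The Legal DHCP Servers check (server identifier,
option 54, must be on the list) is an assumption of this example.
"""
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_SERVER_ID, OPT_VENDOR_CLASS, OPT_TFTP_SERVER, OPT_CAPWAP_AC = 54, 60, 66, 138


def build_option(code: int, value: bytes) -> bytes:
    if not 0 < len(value) < 256:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def parse_options(data: bytes) -> dict:
    """Return {code: value}. Stops at END, skips PAD, and refuses truncated
    TLVs instead of reading past the end of the buffer."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value  # repeated options are not concatenated (RFC 3396 not modelled)
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    if len(raw) % 4:
        raise ValueError("address list length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def controller_addresses(opts: dict) -> list:
    """Option 138: one or more controller IPv4 addresses, in preference order."""
    return ipv4_list(opts.get(OPT_CAPWAP_AC, b""))


def summarize(opts: dict) -> dict:
    return {
        "server_id": ipv4_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None,
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "tftp_server": opts.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace"),
        "controllers": controller_addresses(opts),
    }


def offer_is_legal(opts: dict, legal_servers: set) -> bool:
    """Accept an OFFER/ACK only if its server identifier is an allowed server.
    This is what stops a rogue DHCP server from handing out its own option 138
    and pointing newly adopted devices at an attacker-run controller."""
    sid = opts.get(OPT_SERVER_ID)
    return sid is not None and len(sid) == 4 and ipv4_list(sid)[0] in legal_servers


# Constructed option block as a legitimate server might send it.
SAMPLE_OPTIONS = (
    build_option(OPT_SERVER_ID, ipaddress.IPv4Address("192.0.2.1").packed)
    + build_option(OPT_VENDOR_CLASS, b"example-vendor-class")
    + build_option(OPT_TFTP_SERVER, b"192.0.2.30")
    + build_option(OPT_CAPWAP_AC, ipaddress.IPv4Address("192.0.2.10").packed
                   + ipaddress.IPv4Address("192.0.2.20").packed)
    + bytes([OPT_END])
)
LEGAL_DHCP_SERVERS = {"192.0.2.1"}

if __name__ == "__main__":
    parsed = parse_options(SAMPLE_OPTIONS)
    print(summarize(parsed), "legal:", offer_is_legal(parsed, LEGAL_DHCP_SERVERS))
```

The practical point is the pairing: option 138 is only as trustworthy as the server that sent it, so a network that relies on it for controller discovery should also restrict which DHCP servers are allowed to answer on that VLAN.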

You can configure IPv6 connections for the LAN clients based on your needs. First, determine the method by which the gateway assigns IPv6 addresses to the clients in the local network. Some clients support only a few of these connection types, so choose one according to the compatibility of the clients in the local network.


IPv6 Interface Type

None : IPv6 connection is not enabled for the clients in the local network.

DHCPv6 : The gateway assigns an IPv6 address and other parameters including the DNS server address to each client using DHCPv6.

SLAAC+Stateless DHCP : The gateway assigns the IPv6 address prefix to each client and the client automatically generates its own IPv6 address. Also, the gateway assigns other parameters including the DNS server address to each client using DHCPv6.

SLAAC+RDNSS : The gateway assigns the IPv6 address prefix to each client and the client automatically generates its own IPv6 address. Also, the gateway assigns other parameters including the DNS server address to each client using the RDNSS option in RA (Router Advertisement).

Pass-Through : Select this type if the WAN ports of the gateway use the Pass-Through for IPv6 connections.

Gateway/Subnet

DHCP Range

Click Update DHCP Range beside the Gateway/Subnet entry to have the IP address range populated automatically, and edit the range according to your needs.

Lease Time

DHCPv6 DNS

Prefix

Manual Prefix : With Manual Prefix selected, enter the prefix in the Address Prefix field.

Get from Prefix Delegation : With Get from Prefix Delegation selected, select the WAN port with Prefix Delegation configured, and the clients will get the address prefix from the Prefix Delegation.

IPv6 Prefix ID

The range of IPv6 Prefix ID is determined by the larger of Prefix Delegation Size and Prefix Delegation Length (the length of the prefix actually obtained from the ISP). Note that if the Prefix Delegation Length is larger than 64, the IPv6 Prefix ID cannot be obtained from Prefix Delegation, so select another method. Go to Settings > Wired Networks > Internet to configure Prefix Delegation Size.

DNS Server

Auto : With Auto selected, the DHCP server automatically assigns DNS server for devices in the network.

Manual : With Manual selected, enter the IP address of a server in each DNS server field.

Prefix

Manual Prefix : With Manual Prefix selected, enter the prefix in the Address Prefix field.

Get from Prefix Delegation : With Get from Prefix Delegation selected, select the WAN port with Prefix Delegation configured, and the clients will get the address prefix from the Prefix Delegation.

IPv6 Prefix ID

DNS Server

Auto : With Auto selected, the DHCP server automatically assigns DNS server for devices in the network.

Manual : With Manual selected, enter the IP address of a server in each DNS server field.

IPv6 Prefix Delegation Interface


VLAN

IGMP Snooping

Legal DHCP Servers

4. Click Save. The new LAN is added to the LAN list. You can click the edit icon in the ACTION column to edit the LAN, or the delete icon in the ACTION column to delete the LAN.

Create a Port Profile

Note:

• Three default port profiles are preconfigured on the controller. They can be viewed, but not edited or deleted.

All: In the All profile, all networks except the default network (LAN) are configured as Tagged Networks, and the native network is the default network (LAN). This profile is assigned to all switch ports by default.

Disable: In the Disable profile, no native network, Tagged Networks or Untagged Networks are configured. With this profile assigned to a port, the port does not belong to any VLAN.

LAN: In the LAN profile, the native network is the default network (LAN), and no Tagged Networks or Untagged Networks are configured.

• When a network is created, the system automatically creates a profile with the same name and configures the network as the native network of that profile. In this profile, the network itself is also configured as an Untagged Network, while no Tagged Networks are configured. The profile can be viewed and deleted, but not edited.
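The consequence of the default All profile is easiest to see on concrete frames: every port trunks every VLAN, so a host on an unassigned port can place traffic into any network just by choosing an 802.1Q tag. The following Python is an added example, not Omada controller code. It models the native / Tagged / Untagged semantics the guide states, builds the three preconfigured profiles plus an auto-created per-network profile, and reports which VLANs a host behind each profile can reach. That a tagged ingress frame is accepted only for a network the profile is a member of is standard 802.1Q behaviour and an assumption of the model; the Staff and Guest networks are constructed.

```python
"""How a port profile's Native, Tagged and Untagged Networks classify 802.1Q
frames, applied to the preconfigured All / Disable / LAN profiles and to an
auto-created per-network profile.

Added example, not Omada controller code. Semantics modelled from the guide:
untagged ingress lands in the native network; Tagged Networks leave the port
with an 802.1Q tag; the native network and Untagged Networks leave it
untagged. Accepting a tagged ingress frame only for member networks is
standard 802.1Q behaviour and an assumption here. Networks other than the
default LAN (VLAN 1) are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Network:
    name: str
    vlan_id: int


@dataclass(frozen=True)
class PortProfile:
    name: str
    native: Optional[Network]            # None: no native network (Disable profile)
    tagged: frozenset = frozenset()      # Tagged Networks
    untagged: frozenset = frozenset()    # Untagged Networks

    def members(self) -> set:
        ids = {n.vlan_id for n in self.tagged | self.untagged}
        if self.native:
            ids.add(self.native.vlan_id)
        return ids

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN a received frame is placed in; None means the port drops it."""
        if tag is None:
            return self.native.vlan_id if self.native else None
        return tag if tag in self.members() else None

    def egress(self, vlan_id: int) -> Optional[str]:
        """'tagged' or 'untagged' for how a frame of this VLAN leaves the port;
        None when the port is not a member and the frame is not sent."""
        if self.native and vlan_id == self.native.vlan_id:
            return "untagged"
        if vlan_id in {n.vlan_id for n in self.untagged}:
            return "untagged"
        if vlan_id in {n.vlan_id for n in self.tagged}:
            return "tagged"
        return None


def default_profiles(networks) -> dict:
    """The All, Disable and LAN profiles the controller preconfigures."""
    lan = next(n for n in networks if n.vlan_id == 1)
    others = frozenset(n for n in networks if n is not lan)
    return {
        "All": PortProfile("All", native=lan, tagged=others),
        "Disable": PortProfile("Disable", native=None),
        "LAN": PortProfile("LAN", native=lan),
    }


def auto_profile(network: Network) -> PortProfile:
    """Profile created with a network: native and also an Untagged Network."""
    return PortProfile(network.name, native=network, untagged=frozenset({network}))


def reachable_vlans(profile: PortProfile, candidate_tags=(None, 1, 10, 20)) -> set:
    """VLANs a host on this port can inject frames into by choosing a tag (or
    none): check this before assigning a profile to an untrusted port."""
    return {profile.ingress_vlan(t) for t in candidate_tags} - {None}


LAN = Network("LAN", 1)
STAFF = Network("Staff", 10)    # constructed
GUEST = Network("Guest", 20)    # constructed
PROFILES = default_profiles([LAN, STAFF, GUEST])

if __name__ == "__main__":
    for name, prof in list(PROFILES.items()) + [("Guest (auto)", auto_profile(GUEST))]:
        print(f"{name:12} reachable={sorted(reachable_vlans(prof))} "
              f"egress(10)={prof.egress(10)}")
```

With All on a port, a host can reach VLANs 1, 10 and 20; with the auto-created Guest profile it reaches only VLAN 20, and with Disable it reaches nothing. Access ports for untrusted devices should therefore get a single-network profile rather than the default.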

1. Go to Wired Networks > LAN > Profiles to load the following page.


2. Click + Create New Port Profile to load the following page, and configure the following parameters.


Name

PoE

Keep the Device's Settings: PoE stays enabled or disabled according to the switch's own settings. By default, the switches enable PoE on all PoE ports.

Enable: Enable PoE on PoE ports.

Disable: Disable PoE on PoE ports.

Native Network

Tagged Networks

Untagged Networks

Voice Network

802.1X Control

Select the 802.1X port control mode. The 802.1X authentication itself is configured in Settings > Authentication > 802.1X.

Auto: The port is unauthorized until the client is authenticated by the authentication server successfully.

Force Authorized: The port remains in the authorized state, sends and receives normal traffic without 802.1X authentication of the client.

Force Unauthorized: The port remains in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.

Port Isolation

Loopback Control

Off : Disable loopback control on the port.

Loopback Detection: Select Loopback Detection to detect loops that occur on a specific port. When a loop is detected on a port, the switch blocks that port.

Spanning Tree: Select STP (Spanning Tree Protocol) to prevent loops in the network. STP blocks specific switch ports to build a loop-free topology, detects topology changes, and automatically generates a new loop-free topology.

For details, refer to 6.3 Configure and Monitor Switches.

LLDP-MED

Bandwidth Control

Off: Disable Bandwidth Control for the port.

Rate Limit: Select Rate limit to limit the ingress/egress traffic rate on each port. With this function, the network bandwidth can be reasonably distributed and utilized.

Storm Control: Select Storm Control to allow the switch to monitor broadcast frames, multicast frames and UL-frames (Unknown unicast frames) in the network. If the transmission rate of the frames exceeds the set rate, the frames will be automatically discarded to avoid network broadcast storm.

Ingress Rate Limit

With Rate Limit selected, click the checkbox and specify the upper rate limit for receiving packets on the port.

Egress Rate Limit

With Rate Limit selected, click the checkbox and specify the upper rate limit for sending packets on the port.

Broadcast Threshold

With Storm Control selected, click the checkbox and specify the upper rate limit for receiving broadcast frames. Broadcast traffic exceeding the limit is processed according to the Action configuration.

Multicast Threshold

With Storm Control selected, click the checkbox and specify the upper rate limit for receiving multicast frames. Multicast traffic exceeding the limit is processed according to the Action configuration.

UL-Frame Threshold

With Storm Control selected, click the checkbox and specify the upper rate limit for receiving unknown unicast frames. Traffic exceeding the limit is processed according to the Action configuration.

Action

With Storm Control selected, select the action the switch takes when traffic exceeds its corresponding limit. With Drop selected, the port drops the subsequent frames when the traffic exceeds the limit. With Shutdown selected, the port is shut down when the traffic exceeds the limit.

3. Click Save. The new port profile is added to the profile list. You can click the edit icon in the ACTION column to edit the port profile, or the delete icon in the ACTION column to delete the port profile.

Assign the Port Profile to the Ports

Note:

By default, there is a port profile named All, which is assigned to all switch ports. In the All profile, all networks except the default network (LAN) are configured as Tagged Networks, and the native network is the default network (LAN).

1. Go to Devices, and click the switch in the devices list to reveal the Properties window. Go to Ports, where you can either click the edit icon in the Action column to assign the port profile to a single port, or select the desired ports and click Edit Selected at the top to assign the port profile to multiple ports in batch.


2. Select the profile from the drop-down list to assign the port profile to the desired ports of the switch. You can enable profile overrides to customize the settings for the ports, and all the configuration here overrides the port profile. For details, refer to Chapter 6. Configure and Monitor Omada Managed Devices .


4.4 Configure Wireless Networks

Wireless networks enable your wireless clients to access the internet. Once you set up a wireless network, your EAPs typically broadcast the network name (SSID) in the air, through which your wireless clients connect to the wireless network and access the internet.

A WLAN group is a combination of wireless networks. Configure each group so that you can flexibly apply these groups of wireless networks to different EAPs according to your needs.

After setting up basic wireless networks, you can further configure WLAN Schedule, 802.11 Rate Control, and MAC Filter among other advanced settings.

4.4.1 Set Up Basic Wireless Networks

To create, configure and apply wireless networks, follow these steps:

1 ) Create a WLAN group.

2 ) Create Wireless Networks

3 ) Apply the WLAN group to your EAPs

Create a WLAN Group

Note:

By default, there is a WLAN group named Default, which is applied to all EAPs. If you simply want to configure wireless networks for the default WLAN group and apply it to all your EAPs, skip this step.

1. Go to Settings > Wireless Networks to load the following page.


2. Select + Create New Group from the drop-down list of WLAN Group to load the following page. Enter a name to identify the WLAN group.


3. (Optional) If you want to create a new WLAN group based on an existing one, check Copy All SSIDs from the WLAN Group and select the desired WLAN group. Then you can further configure wireless networks based on current settings.


4. Click Save. The new WLAN Group is added to the WLAN Group list. You can select a WLAN Group from the list to further create and configure its wireless networks. You can click the edit icon to edit the name of the WLAN Group, or the delete icon to delete the WLAN Group.

Create Wireless Networks

1. Select the WLAN group for which you want to configure wireless networks from the drop-down list of WLAN Group.


2. Click + Create New Wireless Network to load the following page. Configure the basic parameters for the network.


Network Name (SSID)

Band

Guest Network

3. Select the security strategy for the wireless network.

■ None

With None selected, hosts can access the wireless network without authentication, which is suitable only for low security requirements.

■ WEP

Traffic is encrypted with a WEP Key, which you need to specify. WEP is not recommended because it is insecure.

■ WPA-Personal

Traffic is encrypted with a Security Key, which you need to specify. WPA-Personal is more secure than WEP.

■ WPA-Enterprise

WPA-Enterprise requires a RADIUS authentication server to authenticate wireless clients, and optionally an accounting server to record traffic statistics.

Select a RADIUS Profile, which records the settings of the authentication server and accounting server. You can create a RADIUS Profile by clicking + Create New Radius Profile from the drop-down list of RADIUS Profile. For details, refer to 4.9 Authentication.

4. (Optional) You can also configure 4.4.2 Advanced Settings, 4.4.3 WLAN Schedule, 4.4.4 802.11 Rate Control, and 4.4.5 MAC Filter according to your needs. Related topics are covered later in this chapter.

5. Click Apply. The new wireless network is added to the wireless network list under the WLAN group. You can click the edit icon in the ACTION column to edit the wireless network, or the delete icon in the ACTION column to delete the wireless network.

Apply the WLAN Group

Note:

By default, there is a WLAN group named Default, which is applied to all EAPs. If you simply want to configure wireless networks for the default WLAN group and apply it to all your EAPs, skip this step.

■ Apply to a Single EAP

Go to Devices, select the EAP which you want to apply the WLAN group to. In the Properties window, go to Config > WLANs , select the WLAN group which you want to apply to the EAP.


■ Apply to EAPs in batch

1. Go to Devices, select the APs tab, click Batch Action , and then select Batch Config , check the boxes of EAPs which you want to apply the WLAN group to, and click Done .


2. In the Properties window, go to Config > WLANs , select the WLAN group which you want to apply to the EAP.


4.4.2 Advanced Settings

Go to Settings > Wireless Networks, click the edit icon in the ACTION column of the wireless network you want to configure, and click + Advanced Settings to load the following page. Configure the parameters and click Apply.


SSID Broadcast

VLAN

With this option enabled, traffic in different wireless networks is marked with different VLAN tags according to the configured VLAN IDs. Then the EAPs work together with the switches which also support 802.1Q VLAN, to distribute the traffic to different VLANs according to the VLAN tags. As a result, wireless clients in different VLANs cannot directly communicate with each other.

WEP Mode

Select the WEP authentication type.

Open System : Wireless clients can pass the authentication and connect to the wireless network without any password. However, the correct password is required for data transmission.

Shared Key : The correct password is required for wireless clients to pass the authentication, connect to the wireless network, and transmit data.

Auto : EAPs automatically decide whether to use Open System or Shared Key in the authentication process.

ASCII : ASCII format stands for any combination of keyboard characters of the specified length.

Hexadecimal : Hexadecimal format stands for any combination of hexadecimal digits (0-9, A-F) with the specified length.

64Bit : The WEP key is 10 hexadecimal digits or 5 ASCII characters.

128Bit : The WEP key is 26 hexadecimal digits or 13 ASCII characters.

152Bit : The WEP key is 32 hexadecimal digits or 16 ASCII characters.

WPA Mode

Select the version of WPA according to your needs.

TKIP : TKIP stands for Temporal Key Integrity Protocol.

AES : AES stands for Advanced Encryption Standard. Select AES as the encryption type; it is more secure than TKIP, which is deprecated.

Auto: EAPs automatically decide whether to use TKIP or AES in the authentication process.

Group Key Update Period

Rate Limit

Download Limit : Set the download rate for each client to receive the traffic.

Upload Limit : Set the upload rate for each client to transmit the traffic.

4.4.3 WLAN Schedule

WLAN Schedule turns your wireless network on or off during the time periods you specify.

Go to Settings > Wireless Networks, click the edit icon in the ACTION column of the wireless network you want to configure, and click + WLAN Schedule to load the following page. Enable WLAN Schedule and configure the parameters. Then click Apply.


Action

Radio On : Turn on your wireless network within the time range you set, and turn it off beyond the time range.

Radio Off : Turn off your wireless network within the time range you set, and turn it on beyond the time range.

Time Range

Select a time range from the drop-down list of Time Range, or click + Create New Time Range Entry to create one. For details, refer to 4.8 Create Profiles.

4.4.4 802.11 Rate Control

Note:

802.11 Rate Control is only available for certain devices.

802.11 Rate Control can improve performance in higher-density networks by disabling lower bit rates and allowing only the higher ones. However, 802.11 Rate Control might make some legacy devices incompatible with your networks, and it limits the range of your wireless networks.

Go to Settings > Wireless Networks, click the edit icon in the ACTION column of the wireless network you want to configure, and click + 802.11 Rate Control to load the following page. Select the 2.4 GHz and/or 5 GHz band to enable minimum data rate control according to your needs, move the slider to determine which bit rates your wireless network allows, and configure the parameters. Then click Apply.


Disable CCK Rates (1/2/5.5/11 Mbps)

Require Clients to Use Rates at or Above the Specified Value

Send Beacons at 1 Mbps/6 Mbps

4.4.5 MAC Filter

MAC Filter allows or blocks connections from wireless clients of specific MAC addresses.

Go to Settings > Wireless Networks, click the edit icon in the ACTION column of the wireless network you want to configure, and click + MAC Filter to load the following page. Enable MAC Filter and configure the parameters. Then click Apply.


Policy

Allow List : Allow the connection of the clients whose MAC addresses are in the specified MAC Address List, while blocking others.

Deny List : Block the connection of the clients whose MAC addresses are in the specified MAC Address List, while allowing others.

MAC Address List

Select a MAC group from the drop-down list of MAC Address List, or click + Create New MAC Group to create one. For details, refer to 4.8 Create Profiles.

4.5 Network Security

Network Security is a portfolio of features designed to improve the usability and ensure the safety of your network and data. Network security services include 4.5.1 ACL, 4.5.2 URL Filtering, 4.5.3 Attack Defense, and 4.5.4 Firewall, which implement policies and controls on multiple layers of defense in the network.

4.5.1 ACL

ACL (Access Control List) allows a network administrator to create rules to restrict access to network resources. ACL rules filter traffic based on specified criteria such as source IP addresses, destination IP addresses, and port numbers, and determine whether to forward the matched packets. These rules can be applied to specific clients or groups whose traffic passes through the gateway, switches and EAPs.

The system filters traffic against the rules in the list sequentially. The first match determines whether the packet is accepted or dropped, and other rules are not checked after the first match. Therefore, the order of the rules is critical. By default, the rules are ordered by creation time: a rule created earlier is checked first. To reorder the rules, select a rule and drag it to a new position. If no rule matches, the device forwards the packet because of an implicit Permit All clause.
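Two consequences of the paragraph above are worth checking on real rules: a broad Deny placed before a narrow Permit silently shadows it, and because the list ends in an implicit Permit All, anything you did not explicitly deny gets through unless you append your own catch-all Deny. The following Python is an added example, not Omada controller code. It evaluates a rule list with the criteria the guide lists (protocol, source and destination IP Group, destination port from an IP-Port Group) using first-match semantics, and includes a sample-based check for shadowed rules. The group contents, rule names and packets are constructed.

```python
"""First-match ACL evaluation with the implicit Permit All the guide describes.

Added example, not Omada controller code. A rule carries the criteria the
guide lists (protocol, source and destination IP Group, destination port
from an IP-Port Group); the group contents, rule names and packets below are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    policy: str                          # "Permit" or "Deny"
    protocols: frozenset = frozenset()   # empty = any protocol
    src_group: tuple = ()                # IP Group as CIDRs; empty = any source
    dst_group: tuple = ()                # IP Group as CIDRs; empty = any destination
    dst_ports: frozenset = frozenset()   # port part of an IP-Port Group; empty = any

    def matches(self, pkt: Packet) -> bool:
        def in_group(addr: str, group: tuple) -> bool:
            return not group or any(
                ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
                for cidr in group
            )
        return (
            (not self.protocols or pkt.proto in self.protocols)
            and in_group(pkt.src, self.src_group)
            and in_group(pkt.dst, self.dst_group)
            and (not self.dst_ports or pkt.dport in self.dst_ports)
        )


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk the list in order; the first match decides and later rules are
    not consulted. No match falls through to the implicit Permit All."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.policy, rule.name
    return "Permit", "implicit Permit All"


def shadowed_rules(rules: list, samples: list) -> set:
    """Names of rules that no sample packet ever reaches: a cheap check that
    a later rule is not hidden behind an earlier, broader one."""
    hit = {evaluate(rules, p)[1] for p in samples}
    return {r.name for r in rules} - hit


# Constructed groups: a guest network and a management network.
GUEST_NET = ("192.0.2.0/24",)
MGMT_NET = ("198.51.100.0/24",)

ALLOW_GUEST_DNS = Rule("guest-dns", "Permit", frozenset({"udp", "tcp"}),
                       src_group=GUEST_NET, dst_group=MGMT_NET,
                       dst_ports=frozenset({53}))
DENY_GUEST_TO_MGMT = Rule("guest-to-mgmt", "Deny",
                          src_group=GUEST_NET, dst_group=MGMT_NET)
DENY_ALL = Rule("deny-all", "Deny")   # explicit catch-all for a default-deny policy

CORRECT_ORDER = [ALLOW_GUEST_DNS, DENY_GUEST_TO_MGMT]
WRONG_ORDER = [DENY_GUEST_TO_MGMT, ALLOW_GUEST_DNS]  # broad deny shadows the DNS permit
DEFAULT_DENY = CORRECT_ORDER + [DENY_ALL]

DNS_QUERY = Packet("udp", "192.0.2.50", "198.51.100.53", 53)
SSH_TO_MGMT = Packet("tcp", "192.0.2.50", "198.51.100.10", 22)
WEB_TO_INTERNET = Packet("tcp", "192.0.2.50", "203.0.113.80", 443)

if __name__ == "__main__":
    for pkt in (DNS_QUERY, SSH_TO_MGMT, WEB_TO_INTERNET):
        print(pkt, evaluate(CORRECT_ORDER, pkt), evaluate(DEFAULT_DENY, pkt))
    print("shadowed in WRONG_ORDER:",
          shadowed_rules(WRONG_ORDER, [DNS_QUERY, SSH_TO_MGMT]))
```

In CORRECT_ORDER the guest DNS query is permitted and SSH to management is denied; swapping the two rules makes the DNS query hit the broad deny first, and `shadowed_rules` reports the permit as unreachable. Only DEFAULT_DENY blocks the web traffic, because in the other lists it reaches the implicit Permit All.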

The system provides three types of ACL:

■ Gateway ACL

After Gateway ACLs are configured on the controller, they can be applied to the gateway to control traffic which is sourced from LAN ports and forwarded to the WAN ports.

You can set the Network, IP address, port number of a packet as packet-filtering criteria in the rule.

■ Switch ACL

After Switch ACLs are configured on the controller, they can be applied to the switch to control inbound and outbound traffic through switch ports.

You can set the Network, IP address, port number and MAC address of a packet as packet-filtering criteria in the rule.

■ EAP ACL

After EAP ACLs are configured on the controller, they can be applied to the EAPs to control traffic in wireless networks.

You can set the Network, IP address, port number and SSID of a packet as packet-filtering criteria in the rule.

To complete the ACL configuration, follow these steps:

1 ) Create an ACL with the specified type.

2 ) Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets.

■ Configuring Gateway ACL

1. Go to Settings > Network Security > ACL. On the Gateway ACL tab, click the create button to load the following page.


2. Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply .

Name

Policy

Permit : Forward the matched packet.

Deny : Discard the matched packet.

Protocols

From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:

Network

Select a network from the drop-down list, or go to Settings > Wired Networks > LAN to create one. The gateway will examine whether the packets are sourced from the selected network.

IP Group

Select an IP group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the source IP address of the packet is in the IP Group.

IP-Port Group

Select an IP-Port group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the source IP address and port number of the packet are in the IP-Port Group.

From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

IP Group

Select an IP group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the destination IP address of the packet is in the IP Group.

IP-Port Group

Select an IP-Port group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the destination IP address and port number of the packet are in the IP-Port Group.

■ Configuring Switch ACL

1. Go to Settings > Network Security > ACL. Under the Switch ACL tab, click the create button to load the following page.


2. Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters.

Name

Status

Policy

Permit : Forward the matched packet.

Deny : Discard the matched packet.

Protocols

Ethertype

Bi-Directional

From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:

Network

Select a network from the drop-down list, or go to Settings > Wired Networks > LAN to create one. The switch will examine whether the packets are sourced from the selected network.

IP Group

Select an IP group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the source IP address of the packet is in the IP Group.

IP-Port Group

Select an IP-Port group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the source IP address and port number of the packet are in the IP-Port Group.

MAC Group

Select a MAC group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the source MAC address of the packet is in the MAC Group.

From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

Network

Select a network from the drop-down list, or go to Settings > Wired Networks > LAN to create one. The switch will examine whether the packets are forwarded to the selected network.

IP Group

Select an IP group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the destination IP address of the packet is in the IP Group.

IP-Port Group

Select an IP-Port group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the destination IP address and port number of the packet are in the IP-Port Group.

MAC Group

Select a MAC group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the destination MAC address of the packet is in the MAC Group.

3. Bind the switch ACL to a switch port or a VLAN and click Apply . Note that a switch ACL takes effect only after it is bound to a port or VLAN.

Binding Type

Ports : Select All ports or Custom ports as the interfaces to be bound with the ACL. With All ports selected, the rule is applied to all ports of the switch. With Custom ports selected, the rule is applied to the selected ports of the switch. Click the ports from the Device List to select the binding ports.


VLAN : Select a VLAN from the drop-down list as the interface to be bound with the ACL. If no VLANs have been created, you can select the default VLAN 1 (LAN), or go to Settings > Wired Networks > LAN to create one.

■ Configuring EAP ACL

1. Go to Settings > Network Security > ACL. Under the EAP ACL tab, click the create button to load the following page.


2. Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply .

Name

Status

Policy

Permit : Forward the matched packet.

Deny : Discard the matched packet.

Protocols

From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:

Network

Select a network from the drop-down list, or go to Settings > Wired Networks > LAN to create one. The EAP will examine whether the packets are sourced from the selected network.

IP Group

Select an IP group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the source IP address of the packet is in the IP Group.

IP-Port Group

Select an IP-Port group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the source IP address and port number of the packet are in the IP-Port Group.

SSID

Select an SSID from the drop-down list, or go to Settings > Wireless Networks to create one. The EAP will examine whether the packet was received on the selected SSID.

From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

Network

Select a network from the drop-down list, or go to Settings > Wired Networks > LAN to create one. The EAP will examine whether the packets are forwarded to the selected network.

IP Group

Select an IP group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the destination IP address of the packet is in the IP Group.

IP-Port Group

Select an IP-Port group from the drop-down list, or click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the destination IP address and port number of the packet are in the IP-Port Group.

4. 5. 2 URL Filtering

URL Filtering allows a network administrator to create rules that block or allow certain websites, protecting the network from web-based threats and denying access to malicious websites.

In URL filtering, the system compares the URLs in HTTP, HTTPS and DNS requests against the lists of URLs defined in URL Filtering rules, and intercepts requests directed at blocked URLs. These rules can be applied to specific clients or groups whose traffic passes through the gateway and EAPs.

The system filters traffic against the rules in the list sequentially. The first match determines whether the packet is accepted or dropped, and the remaining rules are not checked after the first match. Therefore, the order of the rules is critical. By default, the rules are prioritized in the order they were created: a rule created earlier is checked for a match with a higher priority. To reorder the rules, select a rule and drag it to a new position. If no rules match, the device forwards the packet because of an implicit Permit All clause.

Note that URL Filtering rules take effect with a higher priority than ACL rules. That is, when URL Filtering rules and ACL rules are configured at the same time, the system processes the URL Filtering rules first.

To complete the URL Filtering configuration, follow these steps:

1 ) Create a new URL Filtering rule with the specified type.

2 ) Define the filtering criteria of the rule, including source and URLs, and determine whether to forward the matched packets.

▪ Configuring Gateway Rules

1. Go to Settings > Network Security > URL Filtering. Under the Gateway Rules tab, click the add icon to load the following page.

2. Define the filtering criteria of the rule, including source and URLs, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply.

Name

Status

Policy

Deny : Discard the matched packet and the clients cannot access the URLs.

Permit : Forward the matched packet and clients can access the URLs.

Source Type

Network : With Network selected, select the network you have created from the Network drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The gateway will filter the packets sourced from the selected network.

IP Group : With IP Group selected, select the IP Group you have created from the IP Group drop-down list. If no IP Groups have been created, click +Create New IP Group on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the source IP address of the packet is in the IP Group.

URLs

The URL address should be given in a valid format. A URL containing a wildcard (*) is supported; one URL with a wildcard (*) can match multiple subdomains. For example, with *.tp-link.com specified, community.tp-link.com will be matched.
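The rule evaluation described above (rules checked in list order, first match wins, implicit Permit All when nothing matches, and wildcard (*) entries that cover subdomains) modelled in Python as an added example; this is not code from the Omada guide or product, and the rule names, network names and hostnames are constructed.

```python
"""Added example, not TP-Link's code: a model of URL Filtering rule
evaluation. Rules are checked in list order, the first match decides,
and an implicit Permit All applies when no rule matches."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class UrlRule:
    name: str
    policy: str                                  # "Permit" or "Deny"
    urls: List[str]                              # entries may contain a wildcard (*)
    source_networks: Optional[Set[str]] = None   # None = applies to any source network
    enabled: bool = True


def hostname_of(request: str) -> str:
    """Host part of an HTTP/HTTPS URL, or the bare name from a DNS query."""
    if "://" in request:
        return (urlsplit(request).hostname or "").lower()
    return request.split("/", 1)[0].lower()


def url_matches(entry: str, host: str) -> bool:
    """Anchored match against the whole hostname (this model's assumption).
    With a wildcard, '*.tp-link.com' covers community.tp-link.com but neither
    tp-link.com itself nor a look-alike such as tp-link.com.example.net;
    an unanchored substring test would accept the look-alike."""
    entry = entry.lower()
    if "*" in entry:
        return fnmatchcase(host, entry)
    return host == entry


def evaluate(rules: List[UrlRule], request: str, source_network: str) -> str:
    """Return the policy of the first enabled rule whose source and URL list
    match the request; otherwise the implicit Permit All applies."""
    host = hostname_of(request)
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.source_networks is not None and source_network not in rule.source_networks:
            continue
        if any(url_matches(e, host) for e in rule.urls):
            return rule.policy
    return "Permit"


# Constructed rule list: the narrow Permit exception must sit above the broad Deny.
GUEST_RULES = [
    UrlRule("allow-community", "Permit", ["community.tp-link.com"], {"Guest"}),
    UrlRule("block-vendor", "Deny", ["*.tp-link.com"], {"Guest"}),
]

if __name__ == "__main__":
    for req in ("https://community.tp-link.com/en/", "www.tp-link.com", "tp-link.com.example.net"):
        print(req, "->", evaluate(GUEST_RULES, req, "Guest"))
    # Dragging the Deny rule above the Permit rule flips the result for the exception.
    print("reordered:", evaluate(list(reversed(GUEST_RULES)), "https://community.tp-link.com/", "Guest"))
```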

▪ Configuring EAP Rules

1. Go to Settings > Network Security > URL Filtering. On the EAP Rules tab, click the add icon to load the following page.

2. Define the filtering criteria of the rule, including source and URLs, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply.

Name

Status

Policy

Deny : Discard the matched packet and the clients cannot access the URLs.

Permit : Forward the matched packet and clients can access the URLs.

Source Type

URLs

The URL address should be given in a valid format. A URL containing a wildcard (*) is supported; one URL with a wildcard (*) can match multiple subdomains. For example, with *.tp-link.com specified, community.tp-link.com will be matched.

4. 5. 3 Attack Defense

Overview

Attacks that exploit inherent bugs of communication protocols or improper network deployment have negative impacts on networks. In particular, attacks on a network device can paralyze the device or the network.

With the Attack Defense feature, the gateway can identify and discard various attack packets in the network, and limit the packet receiving rate. In this way, the gateway can protect itself and the connected network against malicious attacks.

The gateway provides two types of Attack Defense:

▪ Flood Defense

If an attacker sends a large number of fake packets to a target device, the target device is busy with these fake packets and cannot process normal services. Flood Defense detects flood packets in real time and limits the receiving rate of the packets to protect the device.

Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

▪ Packet Anomaly Defense

Anomalous packets are packets that do not conform to standards or contain errors that make them unsuitable for processing. Packet Anomaly Defense discards the illegal packets directly.

▪ Configuring Flood Defense

Go to Settings > Network Security > Attack Defense. In the Flood Defense section, select the checkbox of each packet type to protect against and set the corresponding limit on the rate at which those packets are received.

Multi-Connections TCP SYN Flood

With this feature enabled, the gateway limits the rate of receiving TCP SYN packets from all the clients to the specified rate.

Multi-Connections UDP Flood

With this feature enabled, the gateway limits the rate of receiving UDP packets from all the clients to the specified rate.

Multi-Connections ICMP Flood

With this feature enabled, the system limits the rate of receiving ICMP packets from all the clients to the specified rate.

Stationary Source TCP SYN Flood

With this feature enabled, the gateway limits the rate of receiving TCP SYN packets from a single client to the specified rate.

Stationary Source UDP Flood

With this feature enabled, the gateway limits the rate of receiving UDP packets from a single client to the specified rate.

Stationary Source ICMP Flood

With this feature enabled, the system limits the rate of receiving ICMP packets from a single client to the specified rate.
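As an added example (not TP-Link code), the following Python models the difference between the Multi-Connections limits (aggregate rate from all clients) and the Stationary Source limits (rate from a single client) described above; the per-second counters, client addresses and traffic mix are this model's constructed assumptions, not the gateway's implementation.

```python
"""Added example, not TP-Link's code: a model of the two Flood Defense
families. 'Multi-Connections' caps the aggregate rate of a packet type from
all clients; 'Stationary Source' caps the rate from each single client.
Limits are packets per second, as in the Omada Flood Defense settings."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Packet:
    src: str      # client IP address
    kind: str     # "tcp_syn", "udp" or "icmp"
    t: float      # arrival time in seconds


class FloodDefense:
    """Per-second packet counters (model assumption). A packet that would push
    a counter past its limit is dropped and not counted, since it was never
    accepted for processing."""

    def __init__(self, multi_limits: Dict[str, int], stationary_limits: Dict[str, int]):
        self.multi_limits = multi_limits            # kind -> pps across all clients
        self.stationary_limits = stationary_limits  # kind -> pps per single client
        self._multi: Dict[str, list] = {}           # kind -> [second, count]
        self._station: Dict[tuple, list] = {}       # (kind, src) -> [second, count]

    @staticmethod
    def _window(table: dict, key, sec: int) -> list:
        entry = table.get(key)
        if entry is None or entry[0] != sec:        # new second: reset the counter
            entry = [sec, 0]
            table[key] = entry
        return entry

    def admit(self, pkt: Packet) -> str:
        sec = int(pkt.t)
        s_lim = self.stationary_limits.get(pkt.kind)
        m_lim = self.multi_limits.get(pkt.kind)
        s_win = self._window(self._station, (pkt.kind, pkt.src), sec)
        m_win = self._window(self._multi, pkt.kind, sec)
        if s_lim is not None and s_win[1] >= s_lim:
            return "drop:stationary"
        if m_lim is not None and m_win[1] >= m_lim:
            return "drop:multi"
        s_win[1] += 1
        m_win[1] += 1
        return "forward"


def simulate(defense: FloodDefense, packets: Iterable[Packet]) -> Dict[str, Counter]:
    """Feed packets in arrival order; return per-source verdict counts."""
    stats: Dict[str, Counter] = defaultdict(Counter)
    for pkt in sorted(packets, key=lambda p: (p.t, p.src)):
        stats[pkt.src][defense.admit(pkt)] += 1
    return dict(stats)


def sample_traffic():
    """Constructed traffic for one second: 20 benign clients sending 5 SYNs
    each (100 pps in total) and one noisy client (10.0.0.99) sending 300 SYNs."""
    pkts = []
    for j in range(5):
        for i in range(1, 21):
            pkts.append(Packet(f"10.0.0.{i}", "tcp_syn", (j * 20 + i - 1) / 100))
    for k in range(300):
        pkts.append(Packet("10.0.0.99", "tcp_syn", k / 300))
    return pkts


def stationary_scenario() -> Dict[str, Counter]:
    """Per-client limit of 50 SYN/s: only the noisy client's excess is dropped;
    the benign clients are untouched."""
    return simulate(FloodDefense({"tcp_syn": 1000}, {"tcp_syn": 50}), sample_traffic())


def multi_only_scenario() -> Dict[str, Counter]:
    """Aggregate limit of 100 SYN/s and no per-client limit: the first 100 SYNs
    of the second are admitted whoever sent them, so benign clients lose
    packets too. Both limit types together are what protects them."""
    return simulate(FloodDefense({"tcp_syn": 100}, {}), sample_traffic())


if __name__ == "__main__":
    for label, result in (("stationary", stationary_scenario()), ("multi only", multi_only_scenario())):
        print(label, {src: dict(c) for src, c in sorted(result.items())})
```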

▪ Configuring Packet Anomaly Defense

Go to Settings > Network Security > Attack Defense. In the Packet Anomaly Defense section, select the checkboxes of the anomalous packet types that the gateway should discard.

Block Fragment Traffic

Block TCP Scan (Stealth FIN/Xmas/Null)

Stealth FIN Scan: The attacker sends a packet with both its SYN field and its FIN field set to 1. The SYN field is used to request an initial connection, whereas the FIN field is used to request disconnection. Therefore, a packet of this type is illegal.

Null Scan: The attacker sends an illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, packets with all control fields set to 0 are considered illegal.

Block Ping of Death

Block Large Ping

Block Ping from WAN

Block WinNuke Attack

Block TCP Packets with SYN and FIN Bits Set

Block TCP Packets with FIN Bit but No ACK Bit Set

Block Packets with Specified Options

You can choose the options according to your needs.
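An added example, not the gateway's code: a small Python classifier for the TCP flag combinations that the options above block (SYN and FIN set, Null scan, Xmas scan, FIN without ACK), run over constructed TCP headers. The Xmas definition (FIN, PSH and URG set) is the common scanner definition and an assumption here, since the guide only names it.

```python
"""Added example, not TP-Link's code: detection logic for the TCP flag
anomalies that Packet Anomaly Defense can block, applied to raw TCP headers."""
import struct
from typing import List

# Control bits in byte 13 of the TCP header (RFC 793); CWR/ECE occupy bits 6-7
# and are ignored by these checks (model assumption).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CONTROL_MASK = FIN | SYN | RST | PSH | ACK | URG


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (sample input; checksum left 0)."""
    data_offset = 5 << 4            # header length 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Return the control-bit byte of a TCP header; reject truncated headers."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def classify(flags: int) -> List[str]:
    """Names of the anomaly checks the flag combination trips (empty = legal)."""
    ctl = flags & CONTROL_MASK
    hits = []
    if ctl & SYN and ctl & FIN:
        hits.append("SYN and FIN bits set")          # connect and disconnect at once
    if ctl == 0:
        hits.append("Null scan: no control bits set")
    if ctl == FIN | PSH | URG:
        hits.append("Xmas scan: FIN, PSH and URG set")
    if ctl & FIN and not ctl & ACK:
        hits.append("FIN bit set but no ACK bit")    # a real teardown carries ACK
    return hits


def verdict(header: bytes) -> str:
    """Drop a segment if any check matches, otherwise forward it."""
    return "drop" if classify(tcp_flags(header)) else "forward"


SAMPLES = {   # constructed segments: legal handshake/teardown beside scan probes
    "syn": build_tcp_header(40000, 443, SYN),
    "syn_ack": build_tcp_header(443, 40000, SYN | ACK),
    "fin_ack": build_tcp_header(40000, 443, FIN | ACK),
    "syn_fin": build_tcp_header(40000, 443, SYN | FIN),
    "null": build_tcp_header(40000, 443, 0),
    "xmas": build_tcp_header(40000, 443, FIN | PSH | URG),
    "fin_only": build_tcp_header(40000, 443, FIN),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:8} {verdict(hdr):7} {classify(tcp_flags(hdr))}")
```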

4. 5. 4 Firewall

Overview

The Firewall feature is used to enhance network security. In State Timeouts, you can specify timeouts for sessions, including TCP, UDP, and ICMP connections. Packets are forwarded within the specified timeout; when there is no response after that time, the session or state is closed. State timeouts help close inactive sessions and thus avoid network malfunction. In Firewall Options, you can further configure the gateway to prevent attacks such as SYN flood attacks and broadcast ping.

▪ Configuring State Timeouts

Go to Settings > Network Security > Firewall. In the State Timeouts section, set the time limit for the different sessions.

ICMP

Other

TCP Close

TCP Close Wait

TCP Established

TCP FIN Wait

TCP Last ACK

TCP SYN Recv

TCP SYN Sent

TCP Time Wait

UDP Other

UDP Stream

▪ Configuring Firewall Options

Go to Settings > Network Security > Firewall. In the Firewall Options section, configure the options according to your needs.

Broadcast Ping

Receive Redirects

Send Redirects

SYN Cookies

4. 6 Transmission

Transmission helps you control network traffic in multiple ways. You can add policies and rules to control transmission routes and limit the session and bandwidth.

4. 6. 1 Routing

▪ Static Route

Network traffic is oriented to a specific destination, and Static Route designates the next hop or interface where to forward the traffic.

▪ Policy Routing

Policy Routing designates which WAN port the router uses to forward the traffic based on the source, the destination, and the protocol of the traffic.

▪ Static Route

1. Go to Setting > Transmission > Routing > Static Route. Click + Create New Route to load the following page and configure the parameters.

Name

Status

Destination IP/Subnet

Click + Add Subnet to specify multiple Destination IP/Subnets, and click the delete icon to delete them.

Route Type

Next Hop: With Next Hop selected, your devices forward the corresponding network traffic to a specific IP address. You need to specify the IP address as Next Hop.

Interface: With Interface selected, your devices forward the corresponding network traffic through a specific interface. You need to specify the Interface according to your needs.

Metric

2. Click Create. The new Static Route entry is added to the table. You can click the edit icon to edit the entry and the delete icon to delete the entry.

▪ Policy Routing

1. Go to Setting > Transmission > Routing > Policy Routing. Click + Create New Routing to load the following page and configure the parameters.

Name

Status

Protocols

WAN

Use the other WAN port if the current WAN is down.

Routing Legend

Select the type of the traffic source and destination.

Network : Select the LAN Interfaces for the traffic source or destination.

IP Group : Select the IP Group for the traffic source or destination. You can click + Create to create a new IP Group.

IP-Port Group: Select the IP-Port Group for the traffic source or destination. You can click + Create to create a new IP-Port Group.

2. Click Create. The new Policy Routing entry is added to the table. You can click the edit icon to edit the entry and the delete icon to delete the entry.

4. 6. 2 NAT

▪ Port Forwarding

You can configure Port Forwarding to allow internet users to access local hosts or use network services which are deployed in the LAN.

Port Forwarding helps establish network connections between a host on the internet and the other in the LAN by letting the traffic pass through the specific port of the gateway. Without Port Forwarding, hosts in the LAN are typically inaccessible from the internet for the sake of security.

▪ ALG

ALG ensures that certain application-level protocols function appropriately through your gateway.

▪ Port Forwarding

1. Go to Setting > Transmission > NAT > Port Forwarding. Click + Create New Rule to load the following page and configure the parameters.

Name

Status

Source IP

Any : The rule applies to traffic from any source IP address.

Limited IP Address : The rule only applies to traffic from specific IP addresses. With this option selected, specify the IP addresses and subnets according to your needs.

Interface

DMZ

With DMZ enabled, the traffic is forwarded to the Destination IP in the LAN, port to port. You need to specify the Destination IP.

With DMZ disabled, only the traffic which matches the Source Port and the Protocol is forwarded. The traffic is forwarded to the Destination Port of the Destination IP in the LAN. You need to specify the Source Port, Destination IP, Destination Port, and Protocol.

Source Port

Source Port to receive the traffic from the internet. Only the traffic which matches the Source Port and the Protocol is forwarded.

Destination IP

Destination IP in the LAN.

Destination Port

Destination Port of the host in the LAN.

Protocol

Only the traffic which matches the Source Port and the Protocol is forwarded. Select All to match traffic of all protocols.

2. Click Create. The new Port Forwarding entry is added to the table. You can click the edit icon to edit the entry and the delete icon to delete the entry.

▪ ALG

Go to Setting > Transmission > NAT > ALG. Enable or disable certain types of ALG according to your needs and click Apply.

FTP ALG

• The FTP server is in the LAN, while the FTP client is on the internet.

• The FTP server is on the internet, while the FTP client is in the LAN.

• The FTP server and FTP client are in different LANs.

H.323 ALG

• One of the endpoints is in the LAN, while the other is on the internet.

• The endpoints are in different LANs.

PPTP ALG

• The PPTP server is in the LAN, while the PPTP client is on the internet.

• The PPTP server is on the internet, while the PPTP client is in the LAN.

• The PPTP server and PPTP client are in different LANs.

SIP ALG

• One of the endpoints is in the LAN, while the other is on the internet.

• The endpoints are in different LANs.

IPsec ALG

• One of the endpoints is in the LAN, while the other is on the internet.

• The endpoints are in different LANs.

4. 6. 3 Session Limit

Session Limit optimizes network performance by limiting the maximum sessions of specific sources.

1. Go to Setting > Transmission > Session Limit. In Session Limit, enable Session Limit globally and click Apply.

2. In Session Limit Rule List, click + Create New Rule to load the following page and configure the parameters.

Name

Status

Source Type

Network : Limit the maximum sessions of specific LAN networks. With this option selected, select the networks, which you can customize in Wired Networks > LAN Networks . For detailed configuration of networks, refer to 4. 3. 2 Configure LAN Networks .

IP Group : Limit the maximum sessions of specific IP Groups. With this option selected, select the IP Groups, which you can customize in Profiles > Groups . For detailed configuration of IP groups, refer to 4. 8 Create Profiles .

Maximum Sessions

3. Click Create. The new Session Limit rule is added to the list. You can click the edit icon to edit the rule and the delete icon to delete the rule.

4. 6. 4 Bandwidth Control

Bandwidth Control optimizes network performance by limiting the bandwidth of specific sources.

1. Go to Setting > Transmission > Bandwidth Control. In Bandwidth Control, enable Bandwidth Control globally and configure the parameters. Then click Apply.

Threshold Control

You can use the Test Speed tool to determine the actual Upstream Bandwidth and Downstream Bandwidth.

2. In Bandwidth Control Rule List, click + Create New Rule to load the following page and configure the parameters.

Name

Status

Source Type

Network : Limit the maximum bandwidth of specific LAN networks. With this option selected, select the networks, which you can customize in Wired Networks > LAN Networks . For detailed configuration of networks, refer to 4. 3. 2 Configure LAN Networks .

IP Group : Limit the maximum bandwidth of specific IP Groups. With this option selected, select the IP Groups, which you can customize in Profiles > Groups . For detailed configuration of IP groups, refer to 4. 8 Create Profiles .

WAN

Upstream Bandwidth

Downstream Bandwidth

Mode

Shared : The total bandwidth for all the local hosts is equal to the specified values.

Individual : The bandwidth for each local host is equal to the specified values.

3. Click Create. The new Bandwidth Control rule is added to the list. You can click the edit icon to edit the rule and the delete icon to delete the rule.

4. 7 Configure VPN

VPN (Virtual Private Network) provides a means for secure communication between remote computers across a public wide area network (WAN), such as the internet. Omada managed gateways support various types of VPN. VPN configurations include 4. 7. 1 VPN and 4. 7. 2 VPN User.

4. 7. 1 VPN

VPN (Virtual Private Network) gives remote LANs or users secure access to LAN resources over a public network such as the internet. Virtual indicates the VPN connection is based on the logical end-to-end connection instead of the physical end-to-end connection. Private indicates users can establish the VPN connection according to their requirements and only specific users are allowed to use the VPN connection.

The core of VPN connection is to realize tunnel communication, which fulfills the task of data encapsulation, data transmission and data decompression via the tunneling protocol. The gateway supports common tunneling protocols that a VPN uses to keep the data secure:

▪ IPsec

IPsec (IP Security) can provide security services such as data confidentiality, data integrity and data authentication at the IP layer. IPsec uses IKE (Internet Key Exchange) to handle negotiation of protocols and algorithms based on the user-specified policy, and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

▪ PPTP

PPTP (Point-to-Point Tunneling Protocol) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP uses the username and password to validate users.

▪ L2TP

L2TP (Layer 2 Tunneling Protocol) provides a way for a dialup user to make a virtual Point-to-Point Protocol (PPP) connection to an L2TP network server (LNS), which can be a security gateway. L2TP sends PPP frames through a tunnel between an L2TP access concentrator (LAC) and the LNS. Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. L2TP uses the username and password to validate users.

▪ OpenVPN

OpenVPN uses OpenSSL for encryption and UDP or TCP for traffic transmission. OpenVPN uses a client-server connection to provide secure communications between a server and a remote client over the internet. One of the most important steps in setting up OpenVPN is obtaining the certificate used for authentication. Omada SDN Controller supports generating the certificate, which can be downloaded as a file to your computer. With the certificate imported, remote clients are authenticated by the certificate and granted access to the LAN resources.

There are many variations of virtual private networks, with the majority based on two main models:

▪ Site-to-Site VPN

A Site-to-Site VPN creates a connection between two networks at different geographic locations. Typically, a headquarters sets up a Site-to-Site VPN with a subsidiary to provide the branch office with access to the headquarters' network.

Omada managed gateway supports two types of Site-to-Site VPNs:

• Auto IPsec

The controller automatically creates an IPsec VPN tunnel between two sites on the same controller. The VPN connection is bidirectional. That is, creating an Auto IPsec VPN from site A to site B also provides connectivity from site B to site A, and nothing needs to be configured on site B.

• Manual IPsec

You manually create an IPsec VPN tunnel between two peer routers over the internet, from a local router to a remote router that supports IPsec. The Omada managed gateway on this site is the local peer router.

▪ Client-to-Site VPN

A Client-to-Site VPN creates a connection to the LAN from a remote host. It is useful for teleworkers and business travelers to access their central LAN from a remote location without compromising privacy and security.

The first step to build a Client-to-Site VPN connection is to determine the role of the gateways and which VPN tunneling protocol to use:

• VPN Server

The gateway on the central LAN works as a VPN server to provide a remote host with access to the local network. The gateway which functions as a VPN server can use L2TP, PPTP, IPsec, or OpenVPN as the tunneling protocol.

• VPN Client

Either the remote user’s gateway or the remote user’s laptop or PC works as the VPN client.

When the remote user’s gateway works as the VPN client, the gateway helps create VPN tunnels between its connected hosts and the VPN server. The gateway which functions as a VPN client can use L2TP, PPTP, or OpenVPN as the tunneling protocol.

When the remote user’s laptop or PC works as the VPN client, the laptop or PC uses a VPN client software program to create VPN tunnels between itself and the VPN server. The VPN client software program can use L2TP, PPTP, IPsec, or OpenVPN as the tunneling protocol.

Note:

In scenario 1 (the remote user’s gateway works as the VPN client), you need to configure the VPN client and the VPN server separately on the gateways, while remote hosts can access the local networks without running VPN client software.

In scenario 2 (the remote user’s laptop or PC works as the VPN client), you need to configure the VPN server on the gateway and then configure the VPN client software program on the remote user’s laptop or PC, while the remote user’s gateway doesn’t need any VPN configuration.

Here is the infographic to provide a quick overview of VPN solutions.

To complete the VPN configuration, follow these steps:

1 ) Create a new VPN policy and select the purpose of the VPN according to your needs. Select Site-to-Site if you want the network connected to another. Select Client-to-Site if you want some hosts connected to the network.

2 ) Select the VPN tunneling protocol and configure the VPN policy based on the protocol.

▪ Configuring Site-to-Site VPN

Omada managed gateway supports two types of Site-to-Site VPNs: Auto IPsec and Manual IPsec.

• Configuring Auto IPsec VPN

1. Go to Settings > VPN. Click the add icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Site-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Select Site-to-Site VPN.

VPN Type

Select Auto IPsec.

Status

Remote Site

• Configuring Manual IPsec VPN

1. Go to Settings > VPN. Click the add icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Site-to-Site VPN. Refer to the following table to configure the basic parameters and click Create.

Name

Purpose

Select Site-to-Site VPN.

VPN Type

Select Manual IPsec.

Status

Remote Gateway

Remote Subnets

Local Networks

Pre-Shared Key

WAN

3. Click Advanced Settings to load the following page.

Advanced settings include Phase-1 settings and Phase-2 settings. Phase-1 is used to set up a secure encrypted channel through which the two peers can negotiate Phase-2, and then to establish the IKE Security Associations (IKE SA). Phase-2 is used to negotiate a set of parameters that define what traffic can go through the VPN and how to encrypt and authenticate that traffic, and then to establish the IPsec Security Associations (IPsec SA).

Refer to the following table to complete the configurations according to your actual needs and click Create.

For Phase-1 Settings:

Phase-1 Settings

Internet Key Exchange Version

Note that both peer gateways must be configured to use the same IKE version.

Proposal

Authentication algorithms verify the data integrity and authenticity of a message. The types of authentication include MD5 and SHA1.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. The DH group includes DH1, DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH25, and DH26.

Exchange Mode

Main Mode: This mode provides identity protection and exchanges more information, which applies to scenarios with higher requirements for identity protection.

Aggressive Mode: This mode establishes a faster connection but with lower security, which applies to scenarios with lower requirements for identity protection.

Negotiation Mode

Initiator Mode: This mode means that the local device initiates a connection to the peer.

Responder Mode: This mode means that the local device waits for the connection request initiated by the peer.

Local ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Local ID field to use the name as the ID for authentication.

Local ID

Remote ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Remote ID field to use the name as the ID for authentication.

Remote ID

SA Lifetime

DPD

DPD Interval

For Phase-2 Settings:

Phase-2 Settings

Encapsulation Mode

Proposal

Note that both peer gateways must be configured to use the same Proposal.

PFS

SA Lifetime

▪ Configuring Client-to-Site VPN

Omada managed gateway supports seven types of Client-to-Site VPNs, depending on the role of your Omada managed gateway and the protocol you use:

Configuring the gateway as a VPN server using L2TP

Configuring the gateway as a VPN server using PPTP

Configuring the gateway as a VPN server using IPsec

Configuring the gateway as a VPN server using OpenVPN

Configuring the gateway as a VPN client using L2TP

Configuring the gateway as a VPN client using PPTP

Configuring the gateway as a VPN client using OpenVPN

• Configuring the gateway as a VPN server using L2TP

1. Go to Settings > VPN. Click the add icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Select Client-to-Site VPN.

VPN Type

Select VPN Server - L2TP.

Status

IPsec Encryption

Encrypted: Select Encrypted to encrypt the L2TP tunnel by IPsec (L2TP over IPsec). With Encrypted selected, enter the Pre-shared Key for IKE authentication. VPN server and VPN client must use the same pre-shared secret key for authentication.

Unencrypted: With Unencrypted selected, the L2TP tunnel will not be encrypted by IPsec.

Auto: With Auto selected, the L2TP server determines whether to encrypt the tunnel according to the client’s encryption settings. Enter the Pre-shared Key for IKE authentication. VPN server and VPN client must use the same pre-shared secret key for authentication.

Local Networks

Pre-shared Key

WAN

IP Pool

3. Add VPN user accounts to validate remote hosts. To create VPN users, refer to 4. 7. 2 VPN User.

• Configuring the gateway as a VPN server using PPTP

1. Go to Settings > VPN. Click the add icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Select Client-to-Site VPN.

VPN Type

Select VPN Server - PPTP.

Status

MPPE Encryption

Encrypted: With Encrypted selected, the PPTP tunnel will be encrypted by MPPE.

Unencrypted: With Unencrypted selected, the PPTP tunnel will not be encrypted by MPPE.

Local Networks

WAN

IP Pool

3. Add VPN user accounts to validate remote hosts. To create VPN users, refer to 4. 7. 2 VPN User.

• Configuring the gateway as a VPN server using IPsec

1. Go to Settings > VPN. Click the add icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the basic parameters and click Create.

Name

Purpose

Select Client-to-Site VPN.

VPN Type

Select VPN Server - IPsec.

Status

Remote Host

Local Networks

Pre-Shared Key

WAN

IP Pool

3. Click Advanced Settings to load the following page.

Advanced settings include Phase-1 settings and Phase-2 settings. Phase-1 is used to set up a secure encrypted channel through which the two peers can negotiate Phase-2, and then to establish the IKE Security Associations (IKE SA). Phase-2 is used to negotiate a set of parameters that define what traffic can go through the VPN and how to encrypt and authenticate that traffic, and then to establish the IPsec Security Associations (IPsec SA).

Refer to the following table to complete the configurations according to your actual needs and click Create.

For Phase-1 Settings:

Phase-1 Settings

Internet Key Exchange Version

Note that both VPN peers must be configured to use the same IKE version.

Proposal

Authentication algorithms verify the data integrity and authenticity of a message. The types of authentication include MD5 and SHA1.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. The DH group includes DH1, DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH25, and DH26.

Exchange Mode

Main Mode: This mode provides identity protection and exchanges more information, which applies to scenarios with higher requirements for identity protection.

Aggressive Mode: This mode establishes a faster connection but with lower security, which applies to scenarios with lower requirements for identity protection.

Negotiation Mode

Initiator Mode: This mode means that the local device initiates a connection to the peer.

Responder Mode: This mode means that the local device waits for the connection request initiated by the peer.

Local ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Local ID field to use the name as the ID for authentication.

Local ID

Remote ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Remote ID field to use the name as the ID for authentication.

Remote ID

SA Lifetime

DPD

DPD Interval

For Phase-2 Settings:

Phase-2 Settings

Encapsulation Mode

Proposal

Note that both peer gateways must be configured to use the same Proposal.

PFS

SA Lifetime

• Configuring the gateway as a VPN server using OpenVPN

1. Go to Settings > VPN. Click the add icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Select Client-to-Site VPN.

VPN Type

Select VPN Server - OpenVPN.

Status

Protocol

Service Port

Local Networks

WAN

IP Pool

3. After clicking Create to save the VPN policy, go to VPN Policy List and click the export icon in the Action column to export the OpenVPN file (ending in .ovpn) that the remote client will use. The exported OpenVPN file contains the certificate and configuration information.

• Configuring the gateway as a VPN client using L2TP

1. Go to Settings > VPN. Click the create icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Client-to-Site VPN.

VPN Type

VPN Client - L2TP.

Status

Working Mode

NAT: With NAT (Network Address Translation) mode selected, the L2TP client uses the assigned IP address as the source address of the original IP header when forwarding L2TP packets.

Routing: With Routing selected, the L2TP client uses its own IP address as the source address of the original IP header when forwarding L2TP packets.

Username

Password

IPsec Encryption

Encrypted: Select Encrypted to encrypt the L2TP tunnel by IPsec (L2TP over IPsec). With Encrypted selected, enter the Pre-shared Key for IKE authentication. VPN server and VPN client must use the same pre-shared secret key for authentication.

Unencrypted: With Unencrypted selected, the L2TP tunnel will not be encrypted by IPsec.

Remote Server

Remote Subnets

Local Networks

Pre-shared Key

WAN

• Configuring the gateway as a VPN client using PPTP

1. Go to Settings > VPN. Click the create icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Client-to-Site VPN.

VPN Type

VPN Client - PPTP.

Status

Working Mode

NAT: With NAT (Network Address Translation) mode selected, the PPTP client uses the assigned IP address as the source address of the original IP header when forwarding PPTP packets.

Routing: With Routing selected, the PPTP client uses its own IP address as the source address of the original IP header when forwarding PPTP packets.

Username

Password

MPPE Encryption

Encrypted: Select Encrypted to encrypt the PPTP tunnel by MPPE.

Unencrypted: With Unencrypted selected, the PPTP tunnel will not be encrypted by MPPE.

Remote Server

Remote Subnets

Local Networks

WAN

• Configuring the gateway as a VPN client using OpenVPN

1. Go to Settings > VPN. Click the create icon to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create.

Name

Purpose

Client-to-Site VPN.

VPN Type

VPN Client - OpenVPN.

Status

Remote Server

Local Networks

WAN

Configuration

Click the import icon to import the OpenVPN file (ending in .ovpn) generated by the OpenVPN server. Only one file can be imported.

4. 7. 2 VPN User

VPN User is used to configure and record your custom settings for VPN configurations, and it allows you to configure VPN users that can be used for multiple VPN servers, including L2TP servers and PPTP servers. It saves you from setting the VPN users with the same configurations repeatedly when you want to apply the user in different VPN servers.

To configure the VPN users, follow these steps:

1. Go to Settings > VPN > VPN User. Click +Create New VPN User to add a new VPN User entry.

2. Specify the parameters, select the VPN policy of type VPN Server - L2TP/PPTP that the VPN user applies to, and click Create.

Username

Password

VPN Server

Mode

Client: This mode allows the client to request an IP address, and the server supplies the IP address from the VPN IP Pool. With this mode selected, set the maximum number of concurrent VPN connections with the same account in Maximum Connections.

Network Extension Mode: This mode allows only clients from the configured subnet to connect to the server and obtain VPN services. With this mode selected, specify the subnet in Remote Subnets.

Maximum Connections

Remote Subnets

Click the add icon to specify the subnet.

To edit or delete the VPN users, click the icon in the Action column.


Delete the VPN user.

4. 8 Create Profiles

The Profiles section is used to configure and record your custom settings for site configurations. It includes Time Range and Groups profiles. In the Time Range section, you can configure time templates for wireless schedule, PoE schedule, etc. In the Groups section, you can configure groups based on IP, IP-Port and MAC addresses for ACL, Routing, NAT, etc. After creating the profiles, you can apply them to multiple configurations for different sites, saving you from repeatedly setting up the same information.

4. 8. 1 Time Range

Time Range section allows you to customize time-related configurations. You can set different time range templates which can be shared and applied to wireless schedule, PoE schedule, etc. in site configuration.

To configure the time range profiles, follow these steps:

1. Go to Settings > Profiles > Time Range . Click +Create New Time Range to add a new time range entry. By default, there is no entry in the list.


2. Enter a Name for the new entry, select the Day Mode, and specify the time range. Click Apply to save the entry. After saving the newly added entry, you can apply it to site configuration. To apply the customized time range profiles in configuration, refer to 4. 4. 3 WLAN Schedule and 4. 10. 6 PoE Schedule.

Name

Day Mode

Select Every Day, Weekday, Weekend, or Customized first before specifying the time range for each day.

Every Day: You only need to set the time range once, and it will repeat every day.

Weekday: You only need to set the time range once, and it will repeat every weekday from Monday to Friday.

Weekend: You only need to set the time range once, and it will repeat every Saturday and Sunday.

Customized: You are able to set different time ranges for the chosen day(s) based on your needs. When a day is not chosen, the WiFi is open all day by default.

You can view the name, day mode and time range in the list.


To edit or delete the time range entry, click the icon in the Action column.


Delete the entry.

4. 8. 2 Groups

Overview

The Groups section allows you to customize client groups based on IP, IP-Port, or MAC Address. You can set different rules for the group profiles, which can be shared and applied to ACL, Routing, NAT, etc. in site configuration.

Configuration

To configure the group profiles, follow these steps:

1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs, which can be neither edited nor deleted. Click +Create New Group to add a new group entry.

2. Enter a name for the new group profile entry, and select the type for the new entry.

■ Based on IP Group

To configure a group profile based on IP Group, you are required to specify the IP subnets; the subnet mask is optional. You can click +Add Subnet to add new subnets, and click the delete icon to delete them.

■ Based on IP-Port Group

To configure a group profile based on IP-Port Group, you are required to specify the port(s) for the entry, while the IP subnet(s) are optional. If you only specify the port(s) without entering any IP subnet, the group contains the specified port(s) for all IPs. You can click +Add Subnet to add new IP subnets, click +Add Port to add ports, and click the delete icon to delete them.
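The membership rules described for the IP, IP-Port and MAC group types above, as an added example in Python (not Omada code): the subnet mask is optional, and an IP-Port group with no subnet matches its ports on every IP. Accepting ':' as well as '-' between MAC octets is this example's own choice.

```python
import ipaddress

# Added example, not Omada code: membership checks mirroring the three group
# profile types (IP Group, IP-Port Group, MAC Group).


def parse_subnet(text):
    """Parse a subnet as entered in a group profile.

    The mask is optional, so a bare address such as '10.0.20.5' is
    treated as a single host (/32)."""
    return ipaddress.ip_network(text.strip(), strict=False)


class IpGroup:
    """Matches addresses that lie in any of the listed subnets."""

    def __init__(self, subnets):
        self.subnets = [parse_subnet(s) for s in subnets]

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.subnets)


class IpPortGroup:
    """Matches (address, port) pairs.

    Ports are mandatory. Subnets are optional: with no subnet configured the
    group means 'these ports on all IPs', as the guide states."""

    def __init__(self, ports, subnets=()):
        if not ports:
            raise ValueError("an IP-Port group needs at least one port")
        self.ports = {int(p) for p in ports}
        self.subnets = [parse_subnet(s) for s in subnets]

    def matches(self, ip, port):
        if int(port) not in self.ports:
            return False
        if not self.subnets:            # no subnet entered -> any IP
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.subnets)


class MacGroup:
    """Matches client MAC addresses, case-insensitively and regardless of
    whether ':' or '-' separates the octets (this example's own choice)."""

    def __init__(self, macs):
        self.macs = {self._norm(m) for m in macs}

    @staticmethod
    def _norm(mac):
        return mac.strip().upper().replace(":", "-")

    def matches(self, mac):
        return self._norm(mac) in self.macs


# Constructed sample profiles (not from any real site).
SERVERS = IpGroup(["10.0.10.0/24", "10.0.20.5"])       # second entry: host, no mask
WEB_ANY_HOST = IpPortGroup(ports=[80, 443])            # ports only -> all IPs
WEB_SERVERS = IpPortGroup(ports=[443], subnets=["10.0.10.0/24"])
PRINTERS = MacGroup(["AA-BB-CC-DD-EE-FF"])

if __name__ == "__main__":
    print(SERVERS.matches("10.0.20.5"), WEB_ANY_HOST.matches("192.0.2.9", 443))
```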


■ Based on MAC Group

To configure a group profile based on MAC Group, you are required to enter MAC Address(es) in the MAC Addresses List. There are three ways to add MAC address(es) to the MAC Addresses List.


Add MAC addresses in batches. You can enter the MAC addresses and names in the input box or import them from files in Excel or text format.

If you want the newly added MAC address(es) and names to take precedence when they conflict with existing ones, click the icon to allow them to override the current MAC Access Control List.

Note:

1. Each MAC address and name should be entered on a new line. The MAC address and name should be separated by a space.

2. Octets in a MAC address should be separated by a hyphen. For example, AA-BB-CC-DD-EE-FF.
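A parser for the batch-import format described in the Note, as an added example in Python (not Omada code): one "MAC name" pair per line, hyphen-separated octets, with the override-on-conflict choice applied and malformed lines reported rather than silently dropped. The sample batch and existing list are constructed.

```python
import re
from dataclasses import dataclass, field

# Added example, not Omada code: parses the batch text described in the Note
# (one "MAC name" pair per line, octets separated by hyphens).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")


@dataclass
class ImportResult:
    entries: dict                                  # MAC -> name after import
    added: list = field(default_factory=list)
    overridden: list = field(default_factory=list)
    skipped: list = field(default_factory=list)    # conflicts kept unchanged
    errors: list = field(default_factory=list)     # (line_no, text, reason)


def parse_mac_batch(text, existing=None, override=False):
    """Merge a batch of 'MAC name' lines into an existing MAC list.

    existing: current list as {mac: name}; override: replace the name of a
    MAC that is already present (the override choice in the guide)."""
    result = ImportResult(entries=dict(existing or {}))
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)          # MAC first, rest of line is the name
        mac = parts[0]
        name = parts[1].strip() if len(parts) > 1 else ""
        if not MAC_RE.match(mac):
            result.errors.append(
                (line_no, raw, "octets must be two hex digits separated by hyphens"))
            continue
        mac = mac.upper()                    # store one canonical form
        if mac in result.entries:
            if result.entries[mac] == name:
                continue                     # identical entry, nothing to change
            if override:
                result.entries[mac] = name
                result.overridden.append(mac)
            else:
                result.skipped.append(mac)
            continue
        result.entries[mac] = name
        result.added.append(mac)
    return result


# Constructed sample input: a valid line whose name contains a space, a
# lowercase valid line, a line with the wrong separator, and a MAC without a name.
SAMPLE_BATCH = """AA-BB-CC-DD-EE-FF Reception Printer
aa-bb-cc-dd-ee-01 Lobby TV
AA:BB:CC:DD:EE:02 Bad separator
AA-BB-CC-DD-EE-03
"""
EXISTING = {"AA-BB-CC-DD-EE-FF": "Old Printer"}

if __name__ == "__main__":
    r = parse_mac_batch(SAMPLE_BATCH, EXISTING, override=True)
    print(r.entries, r.overridden, r.errors)
```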


3. Click Apply to save the entry.

After saving the newly added entry, you can apply it to site configuration. To apply the customized profiles in configuration, refer to 4. 5. 1 ACL, 4. 6. 1 Routing and 4. 6. 2 NAT.

You can view the name, type, and count in the list.


To view, edit or delete the group entry, click the icon in the Action column.


Delete the entry.

4. 8. 3 Rate Limit

Overview

Rate Limit allows you to customize rate-related configurations. You can set different rate limit templates. They can be bound to a wireless network to limit the upload/download rate of clients connected to the SSID, and applied to specific types of Portal, such as Local User and Voucher. After creating the profiles, you can apply them to multiple configurations, saving you from repeatedly setting up the same information.

Configuration

To configure the rate limit profiles, follow these steps:

1. Go to Settings > Profiles > Rate Limit. By default, there is an entry with no limits, and it cannot be deleted. Click +Create New Rate Limit Profile to add a new entry.

2. Enter a name and specify the download/upload rate limit for the new entry. After saving the newly added entry, you can apply it to other configurations. To apply the customized rate limit profiles in the related configurations, refer to 4. 9. 1 Portal, 4. 4. 1 Set Up Basic Wireless Networks, and 7. 1. 3 Using the Properties Window to Monitor and Manage the Clients.

Name

Download Limit

Upload Limit

3. Click Apply to save the entry. After saving the newly added entry, you can apply it to site configuration. To apply the customized rate limit profiles in the related configurations, refer to 4. 9. 1 Portal and 4. 4. 1 Set Up Basic Wireless Networks.

You can view the name, download limit, and upload limit in the list.


To view, edit or delete the rate limit profile, click the icon in the Action column.


Delete the entry.

4. 9 Authentication

Authentication is a portfolio of features designed to authorize network access to clients, which enhances network security. Authentication services include 4. 9. 1 Portal, 4. 9. 2 802.1X and 4. 9. 3 MAC-Based Authentication, covering all the needs to authenticate both wired and wireless clients.

4. 9. 1 Portal

Portal authentication provides convenient authentication services to clients that only need temporary access to the network, such as the customers in a restaurant or in a supermarket. To access the network, these clients need to open the authentication login page and use the correct login information to pass the authentication. In addition, you can customize the authentication login page and specify a URL to which the authenticated clients will be redirected.

Portal authentication takes effect on SSIDs and LAN networks. EAPs authenticate wireless clients which connect to the SSID with Portal configured, and the gateway authenticates wired clients which connect to the network with Portal configured. To make Portal authentication available for wired and wireless clients, ensure that both the gateway and EAPs are connected and working properly.

The controller provides six types of Portal authentication:

■ No Authentication

With this authentication type configured, clients can pass the authentication and access the network without providing any login information. Clients just need to accept the terms (if configured) and click the Login button.

■ Simple Password

With this authentication type configured, clients are required to enter the correct password to pass the authentication. All clients use the same password which is configured in the controller.

■ Hotspot

With this authentication type configured, clients can access the network after passing any one of the following authentication types:

• Voucher

Clients can use the unique voucher codes generated by the controller within a predefined usage period. Voucher codes can be printed out from the controller, so you can print the codes and distribute them to your customers to tie network access to consumption.

• Local User

Clients are required to enter the correct username and password of the login account to pass the authentication.

• SMS

Clients can get verification codes using their mobile phones and enter the received codes to pass the authentication.

• RADIUS

Clients are required to enter the correct username and password which are stored in the RADIUS server to pass the authentication.

■ External RADIUS Server

Clients are required to enter the correct username and password created on the RADIUS server to pass the authentication.

■ External Portal Server

The External Portal Server option is designed for developers. They can customize their own authentication type, such as Google account authentication, according to the interface provided by Omada Controller.

■ Facebook

With Facebook Portal configured, when clients connect to your Wi-Fi, they will be redirected to your Facebook page. To access the internet, clients need to log in to their account or enter the password code on the Facebook page.

Portal authentication can work with Access Control Policy, which grants specific network access to users with valid identities. You can determine that clients which did not pass Portal authentication can only access the network resources allowed by Access Control Policy.

■ Pre-Authentication Access

Pre-Authentication Access allows unauthenticated clients to access specific network resources.

■ Authentication-Free Client

Authentication-Free Client allows specific clients to access specific network resources without authentication.

To complete the Portal configuration, follow these steps:

1 ) Click the create icon to create a new Portal entry.

2 ) Click the toggle to enable Portal, select the SSIDs and LAN networks for the portal to take effect on, and configure basic parameters including authentication type, authentication timeout and so on.

3 ) Customize the Portal page including the background picture, logo picture and so on.

4 ) (Optional) Configure access control policies including Pre-Authentication Access and Authentication-Free Clients if needed.

The following part introduces how to configure each type of Portal authentication: No Authentication, Simple Password, Hotspot (Voucher, Local User, SMS, RADIUS), External RADIUS Server, External Portal Server and Facebook.

■ Configuring Portal with No Authentication

1. Go to Settings > Authentication > Portal. On the Portal tab, click the create icon to create a new portal entry. Then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, authentication timeout and so on.

Portal Name

Portal

Click the toggle to enable Portal.

SSID & Network

Authentication Type

Authentication Timeout

Daily Limit

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they requested after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.


Type

Edit Current Page: Edit the related parameters to customize the Portal page based on the provided page.

Import Customized Page: Click the import icon to import your own Portal page branded for your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click the upload icon and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload icon and select a picture from your PC as the logo.

Logo Position

Button Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Click Advertisement Options and customize advertisement pictures on the authentication page.

Advertisement

Picture Resource

Click the upload icon and select pictures from your PC as the advertisement pictures. When several pictures are added, they will be played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal. On the Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the icon to configure the IP range or URL which unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the icon and enter the IP address or MAC address of Authentication-Free clients.

■ Configuring Portal with Simple Password

1. Go to Settings > Authentication > Portal. On the Portal tab, click the create icon to create a new portal entry. Then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, authentication timeout and so on.

SSID & Network

Authentication Type

Password

Authentication Timeout

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they requested after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.


Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click the import icon to import your own Portal page branded for your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click the upload icon and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload icon and select a picture from your PC as the logo.

Logo Position

Input Box Color

Input Text Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Click Advertisement Options and customize advertisement pictures on the authentication page.

Advertisement

Picture Resource

Click the upload icon and select pictures from your PC as the advertisement pictures. When several pictures are added, they will be played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal. On the Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the icon to configure the IP range or URL which unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the icon and enter the IP address or MAC address of Authentication-Free clients.

■ Configuring Portal with Hotspot

1. Go to Settings > Authentication > Portal. On the Portal tab, click the create icon to create a new portal entry. Then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters.

SSID & Network

Authentication Type

Type

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they requested after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. With different types of Hotspot selected, configure the related parameters.

• Configuring Voucher Portal

Voucher

Click the icon to manage the voucher codes. Refer to 7. 2. 2 Vouchers for detailed information about how to create vouchers.

• Configuring Local Portal

Local User

Click the icon to manage the information of the login accounts. Refer to 7. 2. 3 Local Users for detailed information about how to create Local Users.

• Configuring SMS Portal

Select SMS and configure the required parameters in the SMS section.

SMS

Twilio SID

Auth Token

Operating Phone Number

Maximum User Numbers

Authentication Timeout

Preset Country Code

• Configuring RADIUS Portal

Select RADIUS and configure the required parameters in the RADIUS section.

Authentication Timeout

RADIUS Profile

Select a RADIUS profile from the drop-down list or click the create icon to create one. The RADIUS profile records the information of the RADIUS server, which provides a method for storing the authentication information centrally.

Authentication Mode

NAS ID

Disconnected Requests

Receiver Port

Status

4. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.


Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click the import icon to import your own Portal page branded for your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click the upload icon and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload icon and select a picture from your PC as the logo.

Logo Position

Input Box Color

Input Text Color

Button Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Click Advertisement Options and customize advertisement pictures on the authentication page.

Advertisement

Picture Resource

Click the upload icon and select pictures from your PC as the advertisement pictures. When several pictures are added, they will be played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

5. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal. On the Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the icon to configure the IP range or URL which unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the icon and enter the IP address or MAC address of Authentication-Free clients.

■ Configuring Portal with External RADIUS Server

1. Go to Settings > Authentication > Portal. Click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, authentication timeout and so on.

SSID & Network

Authentication Type

Authentication Timeout

RADIUS Profile

Select a RADIUS profile from the drop-down list or click the create icon to create one. The RADIUS profile records information of the RADIUS server including the IP address, port and so on.

NAS ID

Disconnected Requests

Receiver Port

Status

Authentication Mode

Portal Customization

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they requested after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. If you choose Local Web Portal, which is provided by the built-in portal server of the controller, customize the Portal page in the Portal Customization section, including the background picture, logo picture and so on.

Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click the import icon to import your own Portal page branded for your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click the upload icon and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload icon and select a picture from your PC as the logo.

Logo Position

Button Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Click Advertisement Options and customize advertisement pictures on the authentication page.

Advertisement

Picture Resource

Click the upload icon and select pictures from your PC as the advertisement pictures. When several pictures are added, they will be played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal. On the Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the icon to configure the IP range or URL which unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the icon and enter the IP address or MAC address of Authentication-Free clients.

■ Configuring Portal with External Portal Server

1. Go to Settings > Authentication > Portal. On the Portal tab, click the create icon to create a new portal entry. Then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, custom portal server and so on.

SSID & Network

Authentication Type

Custom Portal Server

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they requested after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal. On the Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the icon to configure the IP range or URL which unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the icon and enter the IP address or MAC address of Authentication-Free clients.

■ Configuring Portal with Facebook

1. Go to Settings > Authentication > Portal. Click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters.

SSID & Network

Authentication Type

Facebook Page Configuration

Click the icon to specify the Facebook Page.

Facebook Checkin Location

HTTPS Redirection

3. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.


Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click the import icon to import your own Portal page branded for your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click the upload icon and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload icon and select a picture from your PC as the logo.

Logo Position

Theme Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Click Advertisement Options and customize advertisement pictures on the authentication page.

Advertisement

Picture Resource

Click the upload icon and select pictures from your PC as the advertisement pictures. When several pictures are added, they will be played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement


4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal. On the Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the icon to configure the IP range or URL which unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the icon and enter the IP address or MAC address of Authentication-Free clients.

4. 9. 2 802.1X

802.1X provides port-based authentication service to restrict unauthorized clients from accessing to the network through publicly accessible switch ports. An 802.1X-enabled port allows only authentication messages and forbids normal traffic until the client passes the authentication.

802.1X authentication uses a client/server model with three device roles: client/supplicant, authenticator and authentication server. This is described in the figure below:


■ Client

A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1X authentication client software on the client hosts, enabling them to request 802.1X authentication to access the LAN.

■ Authenticator

An authenticator is usually a network device that supports 802.1X protocol. As the above figure shows, the switch is an authenticator.

The authenticator acts as an intermediate proxy between the client and the authentication server. The authenticator requests user information from the client and sends it to the authentication server; also, the authenticator obtains responses from the authentication server and sends them to the client. The authenticator allows authenticated clients to access the LAN through the connected ports but denies the unauthenticated clients.

■ Authentication Server

The authentication server is usually the host running the RADIUS server program. It stores information of clients, confirms whether a client is legal and informs the authenticator whether a client is authenticated.

Based on authenticated identity, 802.1X can also deliver customized services. For example, 802.1X and VLAN Assignment together make it possible to assign different authenticated users to different VLANs automatically.

To complete the 802.1X configuration, follow these steps:

1 ) Click Omada SDN Controller User Guide (206) to enable 802.1X.

2 ) Select the RADIUS profile you have created and configure other parameters.

3 ) Select the ports on which 802.1X Authentication will take effect.


Go to Settings > Authentication > 802.1X. Click Omada SDN Controller User Guide (209) to enable 802.1X.


Select the RADIUS profile you have created. If no RADIUS profiles have been created, click Omada SDN Controller User Guide (213) from the drop-down list or Omada SDN Controller User Guide (214) to create one. The RADIUS profile records the information of the RADIUS server which acts as the authentication server during 802.1X authentication.


Authentication Protocol

PAP: The authenticator converts the EAP packets into packets of another protocol (such as RADIUS) and transmits them to the RADIUS server.

EAP: The authenticator encapsulates the EAP packets in packets of another protocol (such as RADIUS) and transmits them to the authentication server. To use this authentication mechanism, the RADIUS server must support EAP attributes.

Authentication Type

Port Based: Once one client connected to the port is authenticated successfully, any other client can access the network through that port without authentication.

MAC Based: Clients connected to the port need to be authenticated individually. The RADIUS server distinguishes clients by their MAC addresses.

VLAN Assignment

MAB


Select the ports to enable 802.1X authentication or MAB for them. To enable 802.1X authentication, click the unselected ports. 802.1X-enabled ports will be marked with Omada SDN Controller User Guide (218) . To enable MAB, click the ports marked with Omada SDN Controller User Guide (219) . You can enable MAB only on 802.1X-enabled ports. MAB-enabled ports will be marked with Omada SDN Controller User Guide (220) .


Note:

• It is not recommended to enable 802.1X authentication on switch ports that connect to network devices without 802.1X capability, such as the router and APs.

• The switch authenticates wired clients that connect to a port with 802.1X enabled, and the gateway authenticates wired clients that connect to a network with Portal configured. When both are configured, wired clients must pass both Portal and 802.1X authentication to access the internet.
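To make the difference between the Port Based and MAC Based Authentication Types (and MAB on an 802.1X-enabled port) concrete, here is an added toy model of an authenticator port; it is not code from the Omada guide or from TP-Link, and the RADIUS server, user database, VLAN numbers and MAB allow-list are all constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the RADIUS server database: identity -> (password, VLAN).
# A VLAN of None means no VLAN Assignment is returned for that user.
RADIUS_USERS = {"alice": ("alice-pw", 10), "printer-svc": ("svc-pw", None)}
# Constructed MAB allow-list: MAC addresses of devices that cannot run a supplicant.
MAB_ALLOWED = {"00:11:22:33:44:55": 30}


def radius_authenticate(identity, password):
    """Stub authentication server: returns (accepted, assigned_vlan)."""
    entry = RADIUS_USERS.get(identity)
    if entry is None or entry[0] != password:
        return False, None
    return True, entry[1]


@dataclass
class Port:
    """One switch port acting as the 802.1X authenticator."""
    auth_type: str                  # "port" (Port Based) or "mac" (MAC Based)
    mab: bool = False               # MAB can only be enabled on an 802.1X-enabled port
    authorized: set = field(default_factory=set)     # MACs that passed authentication
    vlan_by_mac: dict = field(default_factory=dict)  # VLAN Assignment results

    def on_eapol(self, mac, identity, password):
        """A supplicant sends credentials; the authenticator relays them to RADIUS."""
        ok, vlan = radius_authenticate(identity, password)
        if ok:
            self.authorized.add(mac)
            if vlan is not None:
                self.vlan_by_mac[mac] = vlan
        return ok

    def on_mab(self, mac):
        """No supplicant answered: fall back to MAB, which uses the MAC as the credential."""
        if self.mab and mac in MAB_ALLOWED:
            self.authorized.add(mac)
            self.vlan_by_mac[mac] = MAB_ALLOWED[mac]
            return True
        return False

    def forwards(self, mac):
        """Is normal (non-EAPOL) traffic from this MAC forwarded by the port?"""
        if self.auth_type == "port":
            # Port Based: once any client on the port is authenticated, every
            # client on that port is admitted, authenticated or not.
            return bool(self.authorized)
        # MAC Based: each client must be authenticated individually.
        return mac in self.authorized
```

The Port Based branch of `forwards` is why the guide's MAC Based type is the safer choice on ports shared by several devices: a hub or unmanaged switch downstream lets unauthenticated hosts ride on the first successful authentication.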

4. 9. 3 MAC-Based Authentication

Overview

MAC-Based Authentication allows or denies clients access to wireless networks based on their MAC addresses. In this authentication method, the controller uses the wireless clients' MAC addresses as their usernames and passwords for authentication. The RADIUS server authenticates the MAC addresses against its database, which stores the allowed MAC addresses. Clients can access the wireless networks configured with MAC-Based Authentication after passing authentication successfully.

Note:

Both MAC-Based Authentication and Portal authentication can authenticate wireless clients. If both are configured on a wireless network, a wireless client must pass MAC-Based Authentication first and then Portal authentication to get internet access. You can enable MAC-Based Authentication Fallback to allow clients to bypass MAC-Based Authentication, which means the client only needs to pass either of the two authentications: the client tries MAC-Based Authentication first, and is allowed to try Portal authentication if it fails MAC-Based Authentication.

1. Go to Settings > Authentication > MAC-Based Authentication. Click Omada SDN Controller User Guide (224) to enable MAC-Based Authentication.


2. In Basic Info, select the SSIDs, RADIUS Profile and other required parameters. Refer to the following table to configure the required parameters and click Save.


SSID

RADIUS Profile

Select the RADIUS profile you have created, or click Omada SDN Controller User Guide (227) to create one. The RADIUS profile records the information of the RADIUS server which acts as the authentication server during MAC-Based Authentication.

MAC-Based Authentication Fallback

MAC Address Format

Empty Password
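The MAC-Based Authentication flow above (MAC as username and password, the Empty Password option, and the Fallback interaction with Portal described in the note) as an added Python model; it is not code from the guide or from TP-Link. The RADIUS database is constructed, and the three format names in `format_mac` are assumptions for illustration, since the guide's MAC Address Format options are not reproduced on this page.

```python
import re

# Constructed RADIUS database: username -> expected password. With MAC-Based
# Authentication the username is the MAC in the format the server expects, and the
# password is either the same string or empty (the Empty Password option).
RADIUS_MAC_DB = {"aabbccddeeff": "aabbccddeeff", "001122334455": ""}


def format_mac(mac, style):
    """Normalise any MAC spelling into one of three assumed MAC Address Formats."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "lower_nosep":
        return digits.lower()
    if style == "upper_colon":
        return ":".join(pairs).upper()
    if style == "lower_hyphen":
        return "-".join(pairs).lower()
    raise ValueError("unknown MAC Address Format: %r" % style)


def mac_auth(mac, style="lower_nosep", empty_password=False):
    """Controller-side request: MAC as username, MAC or empty string as password."""
    username = format_mac(mac, style)
    password = "" if empty_password else username
    # A format mismatch between controller and server rejects even an allowed device.
    return username in RADIUS_MAC_DB and RADIUS_MAC_DB[username] == password


def wireless_access(mac, passed_portal, fallback, style="lower_nosep", empty_password=False):
    """Decide access on an SSID with both MAC-Based and Portal authentication.

    Returns (granted, reason). Without Fallback both checks must pass, MAC first;
    with Fallback a client that fails MAC-Based Authentication may pass Portal instead.
    """
    mac_ok = mac_auth(mac, style, empty_password)
    if not fallback:
        if not mac_ok:
            return False, "rejected_by_mac_auth"
        return passed_portal, "portal_required_after_mac"
    if mac_ok:
        return True, "mac_auth_passed"
    return passed_portal, "portal_fallback"
```

Because the credential is the MAC address itself, the RADIUS database is an allow-list rather than a secret; pairing it with Portal (Fallback disabled) is what keeps a copied MAC from being sufficient on its own.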

4. 9. 4 RADIUS Profile

Overview

RADIUS (Remote Authentication Dial In User Service) is a client/server protocol that provides for the AAA (Authentication, Authorization, and Accounting) needs in modern IT environments.

In authentication services including 802.1X, Portal and MAC-Based Authentication, Omada devices act as RADIUS clients and pass user information to the designated RADIUS servers. A RADIUS server maintains a database that stores the identity information of legitimate users. It authenticates users against the database when they request access to the network, and provides authorization and accounting services for them.

A RADIUS profile records your custom settings of a RADIUS server. After creating a RADIUS profile, you can apply it to multiple authentication policies like Portal and 802.1X, saving you from repeatedly entering the same information.

1. Go to Settings > Authentication > RADIUS Profile. Click Omada SDN Controller User Guide (228) to load the following page.


2. Enter the information of the RADIUS servers. Refer to the following table to configure the required parameters and click Save.

Name

VLAN Assignment

Note:

1. VLAN Assignment is not currently supported when a client is authenticated by Portal with External RADIUS Server or RADIUS Hotspot.

2. VLAN Assignment is applicable only when the device supports the feature. To make this feature work properly, it is recommended to upgrade your devices to the latest firmware version.

Authentication Server IP

Authentication Port

Authentication Password

RADIUS Accounting

Interim Update

Interim Update Interval

Accounting Server IP

Accounting Port

Accounting Password

4. 10 Services

Services provide convenient network services and facilitate network management. You can configure servers or terminals in DDNS, SNMP, UPnP, and SSH, schedule the devices in Reboot Schedule and PoE Schedule, and export the running logs in Export Data.

4. 10. 1 Dynamic DNS

The WAN IP address of your gateway can change periodically because your ISP typically assigns it with DHCP, among other techniques. This is where Dynamic DNS comes in: it binds a fixed domain name to the WAN port of your gateway, which makes it easier for remote users to reach your local network through the WAN port.

Let’s illustrate how Dynamic DNS works with the following figures.


Go to Settings > Services > Dynamic DNS. Click + Create New Dynamic DNS Entry to load the following page. Configure the parameters and click Create.


Service Provider

Status

Interface

Username

Go To Register .

Password

Domain Name

Update Interval

4. 10. 2 SNMP

SNMP (Simple Network Management Protocol) provides a convenient and flexible method for you to configure and monitor network devices. Once you set up SNMP for the devices, you can centrally manage them with an NMS (Network Management Station).

The controller supports multiple SNMP versions including SNMPv1, SNMPv2c and SNMPv3.

Note:

If you use an NMS to manage devices which are managed by the controller, you can only read but not write SNMP objects.

Go to Settings > Services > SNMP and configure the parameters. Then click Apply.


SNMPv1 & SNMPv2c

Community String

SNMPv3

Username

Password

4. 10. 3 UPnP

UPnP (Universal Plug and Play) is essential for applications such as multiplayer gaming, peer-to-peer connections, real-time communication (such as VoIP or conference calls) and remote assistance. With the help of UPnP, the traffic between the endpoints of these applications can pass through the gateway freely, giving seamless connections.

Go to Settings > Services > UPnP. Enable UPnP globally and configure the parameters. Then click Apply.


Interface

Networks

4. 10. 4 SSH

SSH (Secure Shell) provides a method for you to securely configure and monitor network devices via a command-line user interface on your SSH terminal.

Note:

If you use an SSH terminal to manage devices which are managed by the controller, you can only get the User privilege.

Go to Settings > Services > SSH. Enable SSH Login globally and configure the parameters. Then click Apply.


SSH Server Port

Layer 3 Accessibility

4. 10. 5 Reboot Schedule

Reboot Schedule can make your devices reboot periodically according to your needs. You can configure Reboot Schedule flexibly by creating multiple Reboot Schedule entries.

1. Go to Settings > Services > Reboot Schedule. Click + Create New Reboot Schedule to load the following page and configure the parameters.


Name

Status

Occurrence

Devices List

2. Click Create. The new Reboot Schedule entry is added to the table. You can click Omada SDN Controller User Guide (240) to edit the entry, or click Omada SDN Controller User Guide (241) to delete the entry.


4. 10. 6 PoE Schedule

PoE Schedule makes the PoE devices connected to your PoE switches power on and work only during the time period you specify. You can configure PoE Schedule flexibly by creating multiple PoE Schedule entries.

1. Go to Settings > Services > PoE Schedule. Click + Create New PoE Schedule to load the following page and configure the parameters.


Name

Status

Time Range

Select a time range, or click + Create New Time Range Entry in the drop-down list of Time Range to create one. For details, refer to Profiles.

Devices List

2. Click Create. The new PoE Schedule entry is added to the table. You can click Omada SDN Controller User Guide (244) to edit the entry, or click Omada SDN Controller User Guide (245) to delete the entry.


4. 10. 7 Export Data

You can export data to monitor or debug your devices.

Go to Settings > Services > Export Data. Select the type of data from the export list and click Export.


Export List

Device List : Export the list of managed devices.

Client List : Export the list of all clients that are connected to the networks.

Insight-Rogue AP List : Export the list of the rogue APs scanned before. For detailed information, refer to 8. 4. 9 Rogue APs.

Log List : Export the list of the logs generated by the controller.

Authorized Client List : Export the list of authorized clients.

Voucher Codes : Export the list of the voucher codes.

Running Log : Export the day-to-day running log of the controller.

Mode

All Columns : Export the data list that contains all columns.

Current Display Columns : Export the data list that contains only the currently displayed columns.

Format
