Troubleshooting: 802.1X(Dot1X) authentication fails on Omada Switch (2024)

This Article Applies to:

TL-SG2008P , TL-SG3452X , SG3452XMPP , TL-SG2218P , TL-SG2424P , TL-SG3452XP , TL-SG2016P , SG3428XPP-M2 , SG3428XMPP , TL-SG2210P( V3.20 V3.26 V4 V5 V5.6 ) , SG2210MP , TL-SX3008F , TL-SL2428P( V4 V4.20 V4.26 V5 V6 V6.6 ) , TL-SX3016F , SG2218 , SG3428 , TL-SG3452P , TL-SG3428X , SG3218XP-M2 , SL2428P( V4 V4.20 V4.26 V5 V6 V6.6 ) , TL-SG3428X-M2 , SG3210X-M2 , TL-SG3428XF , TL-SG2210MP , SG3428X-M2 , SG3452 , SG3210( V3 V3.6 ) , TL-SG3428XPP-M2 , SG3452X , SG3210XHP-M2 , TL-SG3210XHP-M2 , SG2008( V3 V3.6 V4 V4.6 ) , TL-SG2428P , SG3428XF , SG2005P-PD , SX3008F , SG3428MP , SG3428X , SG3452P , SX3016F , TL-SG3428X-UPS , SX6632YF , SG2218P , SG2428P , SG2008P , SG3452XP , TL-SG3210X-M2 , TL-SG3428 , TL-SG2218 , SG2210P( V3.20 V3.26 V4 V5 V5.6 ) , SG2016P , TL-SG3428MP , TL-SG2008( V3 V3.6 V4 V4.6 ) , TL-SG3218XP-M2 , TL-SG3452 , TL-SG3210( V3 V3.6 ) , TL-SX3206HPP , SG3428XMP , TL-SG3428XMP , SX3206HPP


Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.

If you encounter the issue of devices unable to authenticate successfully after configuring the 802.1X feature on the Omada Switch, you can follow the troubleshooting steps below to resolve the problem.

Troubleshooting Steps

Step 1. Check the Dot 1X authentication global configuration.

Using the GUI:

Go to SECURITY > 802.1X > Global Config, where you can see that the 802.1X function has been enabled.

For the authentication protocol, the Omada Switch supports both EAP and PAP protocols. The main difference between the EAP and PAP protocols lies in the generation and transmission of the encryption key for the user's password information.

In the EAP protocol, the random encryption key used to encrypt the user's password information is generated by the Radius server, and the switch is only responsible for transparently transmitting the EAP packets to the authentication server. The entire authentication process is completed by the authentication server. Using the EAP protocol requires the Radius server to support it.

In the PAP protocol, the random encryption key used to encrypt the user's password information is generated by the device itself, and the switch sends the username, random encryption key, and encrypted password information to the Radius server for the relevant authentication processing. The existing Radius servers generally support the PAP protocol.

It can be seen that the EAP protocol places less pressure on the switch but more on the authentication server, while the PAP protocol is just the opposite. You can choose the appropriate protocol based on your own situation.

Note: If the client device does not use the TP-Link client software, the Handshake option needs to be disabled.

Using the Controller:

Go to Settings > Authentication > 802.1X, where you can see that the 802.1X function has been enabled and the EAP protocol has been selected.

Using the CLI: Switch# show dot1x global

Step 2. Check the Dot 1X authentication port configuration.

Using the GUI:

Go to SECURITY > 802.1X > Port Config and check whether 802.1X is enabled on the relevant port and whether Port Control is set to Auto.

For user devices that do not support 802.1X function, the corresponding ports need to enable both the 802.1X and MAB functions. Most printers, IP phones, and fax machines do not support 802.1X function. After enabling the MAB function, the switch will send the RADIUS access request to the Radius Server using the user device's MAC address as the username and password.

Using the Controller:

Go to Settings > Authentication > 802.1X, where you can see the switches that have 802.1X enabled and the ports that have been enabled. In the Controller mode, the Port Control is set to Auto by default.

Using the CLI: Switch#show dot1x interface

Step 3. Check the network connectivity.

Make sure the network link between the switch and the Radius Server is normal, and also ensure that the authentication port (usually 1812, but there are exceptions) used by the Radius Server is enabled.

Step 4. Check the Radius Server configuration.

Using the GUI:

Go to SECURITY > AAA > RADIUS Config and check whether the Radius Server’s IP address, Shared Key, and authentication port are configured correctly.

Using the Controller:

Go to Settings > Profiles > RADIUS Profile to check the information.

Using the CLI: Switch#show radius-server
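
To test Steps 3 and 4 independently of the switch, the following added example (not TP-Link code) sends a single RADIUS Access-Request from a test host and distinguishes "no reply" from "reply signed with a different shared key". The server address, shared key, and credentials are constructed placeholders, and the test host is assumed to be registered as a RADIUS client on the server.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR with an MD5(secret + previous block) keystream."""
    n = max(16, (len(password) + 15) // 16 * 16)   # pad to a multiple of 16, minimum 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user: bytes, password: bytes, secret: bytes,
                         ident: int, req_auth: bytes) -> bytes:
    """Access-Request with User-Name (1), User-Password (2), Message-Authenticator (80)."""
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    attrs += bytes([80, 18]) + bytes(16)               # zeroed value, filled in below
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # RFC 3579: HMAC-MD5 over the packet
    return pkt[:-16] + mac

def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(resp) < 20:
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(server: str, secret: bytes, user: bytes, password: bytes,
          port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and classify the outcome."""
    req_auth, ident = os.urandom(16), os.urandom(1)[0]
    pkt = build_access_request(user, password, secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: check routing, firewall, port, and the server's client list"
    if resp[1] != ident or not response_is_authentic(resp, req_auth, secret):
        return "reply failed the authenticator check: shared key mismatch"
    return {2: "Access-Accept", 3: "Access-Reject",
            11: "Access-Challenge"}.get(resp[0], "unexpected code")

if __name__ == "__main__":
    # Constructed values; 192.0.2.10 is a documentation address, replace with your server.
    print(probe("192.0.2.10", b"constructed-shared-key", b"testuser", b"testpass"))
```

An Access-Reject that passes the authenticator check still confirms connectivity and the shared key; only the credentials were refused.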

Step 5. Check the Server Group configuration.

Using the GUI:

Go to SECURITY > AAA > Server Group, and check if the correspondence between the Radius Server Group and the Server IP is configured correctly. By default, the radius Server Group will include the IP addresses of all Radius Servers.

Using the Controller: Skip this step in Controller mode.

Using the CLI: Switch#show aaa group radius

Step 6. Check the Radius Server Group selected for 802.1X.

Using the GUI:

Go to SECURITY > AAA > Dot 1X Config and check whether the Radius Server Group configured in the previous step is selected, which is usually the default.

Using the Controller:

Go to Settings > Authentication > 802.1X, where you can see the RADIUS Profile selected is the one you saw in Step 4.

Using the CLI: Switch#show aaa authentication

Step 7. Check if ACL, IMPB, MAC Filtering, or other security policies are configured.

Step 8. Check the client software.

Make sure the client software is not damaged and the client software version supports the current authentication method.

If the above troubleshooting steps still cannot solve the problem, you can try to replace the client software.

Article information

Author: Lilliana Bartoletti
