
TP Link Omada Controller

This article describes the installation and configuration steps for TP-Link Omada Cloud-Based Controller.
You will need Omada Controller v5.3.1 or above in order to proceed. Our test was performed with Omada Cloud controller v5.9.41.

Connecting

Log in to the Omada Controller.
Go to the Authentication / Portal page.
Configure as follows:

Authentication Type – External RADIUS Server
Authentication Timeout – 8 hours
NAS ID – TP-Link
Authentication Mode – PAP
Portal Customization – External Web Portal – wifihotspot.io/login/omada
Landing Page – The Original URL

To configure the RADIUS server go to the Authentication / RADIUS Profile page and configure with:

Name – starthotspot-radius (or whatever you wish)
VLAN Assignment – Disabled
Authentication Server IP – 13.92.228.228
Authentication Port – 1812
Authentication Password – (contact our office)
Radius Accounting – Enabled
Accounting Server IP – 13.92.228.228
Accounting Port – 1813

Go to Authentication / Profile / Access Control, enable Pre-Authentication Access, and add the following domains:

wifihotspot.io
cdn.wifihotspot.io
starthotspot.com
cdnhotspot.azureedge.net
cdn.starthotspot.com
t-msedge.net
static.cloudflareinsights.com
13.92.228.228
109.245.64.94
40.117.190.72
40.121.151.4

Apply changes.

Certificate endpoints

If your WiFi Hotspot certificate is issued by Sectigo (or a similar CA), add the CA’s OCSP/CRL hosts so devices can verify certificates even before login.
For Sectigo, for example:

ocsp.sectigo.com
ocsp.usertrust.com
ocsp.comodoca.com
crl.sectigo.com
crl.usertrust.com
crl.comodoca.com

Apple & DigiCert validation endpoints

Apple devices also contact their own endpoints for certificate checks and captive-portal detection. It helps to allow these:

certs.apple.com
crl.apple.com
ocsp.apple.com
ocsp2.apple.com
valid.apple.com

Common DigiCert endpoints

Apple often uses DigiCert-issued certificates.
Allow at least TCP ports 80 and 443 to these hosts as well.

crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com

As Cloudflare may inject its own script, please whitelist:
static.cloudflareinsights.com

Very important: what NOT to whitelist

Do not add Apple’s captive-portal test domain to the walled garden:
captive.apple.com

If captive.apple.com is reachable without redirection, iPhone/iPad will think it already has full internet and will not open the captive portal popup.

So:
captive.apple.com must not be in the pre-auth / walled-garden list.
It should be intercepted and redirected to the WiFi Hotspot portal (https://wifihotspot.io/).

Optional: HTTPS redirect behaviour

If your gateway/Omada has a setting like “Redirect HTTPS to portal”, and you still see unstable behaviour on iOS:

Disable global HTTPS redirection on the gateway.
Let Omada intercept only HTTP (port 80) and redirect that to the portal.
The WiFi Hotspot portal can then internally redirect from HTTP to HTTPS (301/302).
iOS usually works best when captive-portal detection starts over plain HTTP and then moves to HTTPS.

Test checklist (for admins)

On an iPhone/iPad, forget the WiFi network, then reconnect.
Verify that a pop-up window appears showing the WiFi Hotspot portal (wifihotspot.io).
If it doesn’t:

Confirm that https://wifihotspot.io/ opens and the certificate is valid.
Confirm that captive.apple.com is not in the walled garden and is being redirected.

If you want to replace the default Omada Controller SSL certificate and use your own domain, you need to set the Login URL in the WiFi Hotspot / WiFi Location Advanced page to: https://domain:port

———————————————————————

If you get a 500 Internal Server Error, check whether the controller offers an option to configure which parameters are sent in the redirect, and what their names are.

We should receive:

target=192.168.1.79
targetPort=8843
clientMac=99-F9-D3-1F-78-XX
clientIp=192.168.1.93
apMac=99-99-99-00-XX-99
gatewayMac=
scheme=https
ssidName=*Guest+Omada+5
vid=
radioId=0
originUrl=http%3A%2F%2Fwww.gstatic.com%2Fgenerate_204
hostname=192.168.1.79
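As an added example (not part of the original article or of the Omada or WiFi Hotspot code), a portal-side check of the redirect parameters listed above: it parses the query string the controller sends, reports which expected parameters are missing or malformed, and normalizes the MAC addresses. The sample query string and its MAC addresses are constructed; the parameter names are the ones listed above.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Parameters the portal expects in the Omada redirect, per the list above.
# gatewayMac and vid may legitimately arrive empty, so they are not required.
REQUIRED = ("target", "targetPort", "clientMac", "clientIp", "apMac",
            "scheme", "ssidName", "radioId", "originUrl", "hostname")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

# Constructed sample (not a real capture): the fields listed above with
# made-up MAC addresses, exactly as they arrive in the redirect's query string.
SAMPLE_QUERY = ("target=192.168.1.79&targetPort=8843&clientMac=02-00-5E-10-00-01"
                "&clientIp=192.168.1.93&apMac=02-00-5E-20-00-02&gatewayMac="
                "&scheme=https&ssidName=*Guest+Omada+5&vid=&radioId=0"
                "&originUrl=http%3A%2F%2Fwww.gstatic.com%2Fgenerate_204"
                "&hostname=192.168.1.79")


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for a dash- or colon-separated MAC, else None."""
    return raw.replace("-", ":").lower() if MAC_RE.match(raw) else None


def diagnose_redirect(query):
    """Parse an Omada redirect query string into (fields, problems).
    An empty problems list means the portal has everything it needs; otherwise
    each entry names the missing or malformed parameter to log instead of a bare 500."""
    # parse_qs already percent-decodes and turns '+' into spaces, so
    # ssidName=*Guest+Omada+5 becomes '*Guest Omada 5'; do not decode again.
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    problems = [f"missing parameter: {n}" for n in REQUIRED if not fields.get(n)]
    for name in ("clientMac", "apMac", "gatewayMac"):
        if fields.get(name):  # a blank gatewayMac is acceptable
            mac = normalize_mac(fields[name])
            if mac is None:
                problems.append(f"malformed MAC in {name}: {fields[name]!r}")
            else:
                fields[name] = mac
    if fields.get("clientIp"):
        try:
            ipaddress.ip_address(fields["clientIp"])
        except ValueError:
            problems.append(f"invalid IP in clientIp: {fields['clientIp']!r}")
    if fields.get("scheme") not in ("http", "https"):
        problems.append(f"unexpected scheme: {fields.get('scheme')!r}")
    return fields, problems
```

Logging the returned problems list on the portal side turns an opaque 500 into a message naming the parameter the controller did not send (or sent under a different name).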

Updated on December 5, 2025
