Meanwhile, I've found a solution to mimic user behavior and get the data via HTTP. It works, a bit hacky.

PS: the device stores the password as MD5 value (you can see that the js script to send the form computes the value before sending it to a page to be validated). If you don't get it why I've pointed out this, Google will help you.

the line i'm refering to is this one

$("input#login-password").textbox("setValue", md5($("input#login-password").textbox("getValue")).toUpperCase());  

so, this piece of python code does what is needed to get the JSON object with the list of clients (install requests - $ pip install requests).

import requests, time
s = requests.Session()
# get the cookie from the login page, it's the session_id
r = s.get('http://tplinkeap.net')
c=r.cookies['COOKIE']
cookies = dict(COOKIE=c)
headers = {'Content-Type': 'application/x-www-form-urlencoded','Referer': 'http://tplinkeap.net/'}
time.sleep(1)
# do the login, it validates the session
s.post('http://tplinkeap.net',data={'username':'admin', 'password':'THE_MD5_OF_YOUR_PASSWORD'},cookies=cookies, headers=headers)
time.sleep(1)
#call the json 
rdata=s.get('http://tplinkeap.net/data/monitor.client.client.json?operation=load',cookies=cookies,headers=headers)
rdata.json()

a bit of explanation. It took me an hour to get to know how the system handles the auth of a user, to my understanding it generates a sessionId that is sent to the page in a cookie with the name COOKIE. when you do the login it basically validates the session, so if password/user matches, the COOKIE (the session then) is valid to perform any actions on the website. It seems that there can be just 1 session at a time on the web app. The rest of the calls just need to be executed with the cookie and a header Referer that the backend checks.