Wireless AP, WPA2-Enterprise and pfSense

  • Sorry, I'm feeling really stupid ATM because normally I don't need to ask for assistance, but I suspect that I'm approaching this wrong, and need clarification as to whether I need to start setting up a VLAN and/or Captive Portal…

    A brief picture of my setup would be:

    PfSense em1 -> wan, em0 -> lan...  I do have a spare interface in the system (em2) that was in use when I used to do load balancing over 2 VDSL connections, but I have moved since, and did a full factory reset/reinstall of the PfSense software so there is no chance of the load balancing config interfering.  I also have an OpenVPN server running (so that I can access LAN resources whilst out and about) and an OpenVPN client so that I can route geo-blocked traffic.  This all works fine.

    PfSense is currently configured to deny unknown DHCP clients, and I have static mappings for every device.

    LAN is connected to a Cisco SG300-24 managed switch
    Port 16 of my switch contains a UniFi UAP-ACv2 Wireless Access Point

    Now, what I'm trying to achieve is that I wanted to stop using WPA2-PSK, and move over to WPA2-Enterprise using the FreeRADIUS package on PfSense.  As part of this however, I would like it so that my own devices are authenticated via their MAC address and therefore I shouldn't need to input any usernames/passwords on the Wireless clients.

    My setup at the moment compared to the non-RADIUS setup was to install the FreeRADIUS package, use the UniFi controller to configure the AP to send the requests to the RADIUS server, configure the FreeRADIUS interfaces, and define one NAS / Client.

    If I add a username/password under FreeRADIUS users, I can enter that in the Wireless Client and it will let me connect....  but that's what I'm trying to avoid....

    Would be grateful if somebody could please enlighten me on how I should be implementing this...  do I need a VLAN for the wireless?  do I need to install Captive Portal as part of this?  The answer to these two questions would be a great start for me, so I would at least know if the answer to the above is "YES" then that's probably why I can't get it working!

    Many thanks in advance

  • LAYER 8 Global Moderator

    So you want to just auth with mac and no anything get on the wifi at all?

    Why do you need freerad for this?  Why not just create an open network with a mac access list?  Keep in mind that mac addresses are easy to spoof.

    Are you wanting to have more than 1 SSID and place clients on specific vlan based on their mac?  What you have stated

    "my own devices are authenticated via their MAC address and therefore I shouldn't need to input any usernames/passwords on the Wireless clients."

    This is a simple open network with a mac access list.  Maybe I'm not understanding exactly what you're trying to do?  You're wanting to put in something to associate to the wifi, but then you want to just have the client authenticated via freerad via mac.. So use of the new MAB stuff they put in on the unifi controller, etc.  And how pfsense freerad 3 supports the MAB as well.

  • Yikes no!

    My main goal was to stop using WPA2-PSK, and move over to WPA2-Enterprise to increase my security, not decrease it!

    I think I see what you're saying though, I'm actually not thinking straight.  /me slaps himself on head multiple times.

    With WPA2-PSK, I had to specify a shared key that everyone that uses the wifi has to know.  With WPA2-Enterprise there still has to be some sort of "secret" that the client knows.  I just read something on serverfault about using certificates for authentication.  That sounds more feasible, as then the device has the certificate which will do the authentication...

    My end goal is to be as secure as possible using what is available to me.  In terms of the VLAN thing, I need to sit down and have another proper think about that, as I'm not sure if I even need to be thinking about it, certainly not at this stage until I've done this first step  :)

  • LAYER 8 Global Moderator

    Yes, enterprise supports multiple EAP methods.  I use TLS for example - this requires the client to have a CERT issued by a CA.  You can then for sure assign a vlan based upon the user that auths via whatever EAP method you want to use.

    The problem with enterprise is most iot type devices are not going to support this method of auth.  Now unifi is working on MAB where your device mac could be used to place it in a vlan and even used to auth when they get it working.

    I was just playing with it this morning with the latest controller 5.6.18, and it's not working how it really needs to work for iot devices.  Where you have a wpa-psk network that is used, and then it asks your rad server for what vlan it should be assigned based upon its mac.

    So while yes you can use enterprise to assign vlans and use a stronger auth method than just a psk "password", you can pick the EAP type you want here.  I use tls - so my clients like iphone, ipad, laptops have certs they use to auth.  This is the only way to get on this wifi network.  This is assigned to a specific vlan.  I then have other wpa-psk networks that my other iot devices connect to.  Currently those are assigned to different vlans than my tls wifi network.  And then there is a guest network that is psk as well that is yet another vlan.

    There are then firewall rules between these vlans that only allow the traffic I want to allow between them, or none at all, etc.

    This is what you're looking to do I take it.. If your devices support wpa-enterprise then you're good to go.  As far as devices that do not, like nest or game consoles, or firesticks or roku sticks, etc. etc.. pretty much every commercial device that can use wifi.  None of them seem to support wpa-enterprise.  Until you can assign the vlan via mac to username sort of thing, which hopefully will be working here sometime soon with unifi.  The current only method to assign these sorts of devices to different vlans is to create a different SSID, and then assign that ssid to be on a specific vlan.

    Hope that helps!
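
The per-user VLAN placement the moderator describes works by the RADIUS server returning three RFC 2868 tunnel attributes in its Access-Accept, which the AP then applies to the client's traffic (RFC 3580). The Python below is an added example, not code from this thread, from FreeRADIUS or from UniFi: it builds those attributes as the server would and parses them as an AP should, falling back to the SSID's default VLAN on anything missing, malformed or inconsistent. Attribute numbers and values are the RFC ones; the function names are my own.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value for IEEE-802

def _avp(attr_type, payload):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(payload) + 2 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def build_vlan_attrs(vlan_id, tag=0):
    """The three attributes the RADIUS server returns to place a client on vlan_id."""
    if not (1 <= vlan_id <= 4094 and 0 <= tag <= 0x1F):
        raise ValueError("bad VLAN id or tag")
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))

def parse_avps(data):
    """Split a raw attribute list into (type, value) pairs; reject malformed lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def assigned_vlan(data):
    """VLAN id the AP should apply, or None. All three attributes must be present
    with one tag, say VLAN/IEEE-802 and name a valid id; otherwise the client
    stays on the SSID's default VLAN rather than a guessed one."""
    groups = {}
    for attr_type, payload in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(payload) == 4:
            groups.setdefault(payload[0], {})[attr_type] = int.from_bytes(payload[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and payload:
            # RFC 2868: a first byte above 0x1F is string data, not a tag
            tag, text = (payload[0], payload[1:]) if payload[0] <= 0x1F else (0, payload)
            groups.setdefault(tag, {})[attr_type] = text
    for attrs in groups.values():
        vid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and attrs.get(TUNNEL_MEDIUM_TYPE)
                == TUNNEL_MEDIUM_IEEE_802 and vid.isdigit() and 1 <= int(vid) <= 4094):
            return int(vid)
    return None
```

In a FreeRADIUS users file the same three values appear as reply items per user (or per MAC once MAB is in use), so the AP, not the client, decides which VLAN the session lands on.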

  • That is ABSOLUTELY magic!

    Big thank you.  Can't believe how much of a FUBAR I was making before; I think it's the old age finally kicking in - you do the stupidest of things unless you leave it for a week then come back to it or ask someone else :)

    And PS thanks for the great idea about the non EAP-compliant devices.  That's not difficult at all - I did have a quick look on the UniFi controller, and my DHCP static lease table, and I don't think there's many devices out there that would need non-EAP.  Possibly my old Wii - but seriously, I don't think that matters since Nintendo shut down all the online services ages ago...

    Right, let's see if I can start getting this done the RIGHT way now lol....

    Big thanks again :)

  • LAYER 8 Global Moderator

    "I don't think there's many devices out there that would need non-EAP"

    Really?  So you only have user devices like tablets and phones?  No printers that are wifi?  I have nest, nest protect, harmonyhub, 2 roku sticks, 2 alexas, 2 light bulbs, 2 smart switches.. Pretty much all the stuff used to make a home smart these days - isn't up to snuff when it comes to wifi.  All they support is psk.

    With likely more to come.  I can see using a few more of the smart light bulbs in some areas of the house vs putting in the switches in the wall.  And most likely a couple more of the smart switches for controlling the stuff that plugs in to wall sockets that are not controlled by a switch on the wall.  I am replacing all the light switches on the wall with caseta wireless.  But there are many things where it just makes sense to put a simple wifi bulb into your lamp and that just runs on your normal wifi network.  Same with the switches you can buy to control stuff you plug in - my xmas lights, tree lights for example.  I have like 14 things on wifi that do not support enterprise.
