Netgate Discussion Forum
How to enable 802.1x on wired lan interface?

General pfSense Questions
8 Posts 4 Posters 3.0k Views
    tiagosmx (Feb 13, 2020, 6:29 AM)

    Hello gods of networks,

    how can clients wanting to connect to the pfSense LAN wired interface network be forced to provide authentication (PEAP login/password or EAP SSL client certificate) before attempting a connection?

    Is this possible?
    I've seen some people talking about using 802.1x-enabled layer 3 switches, but I have a feeling that there is a way of doing it the pure pfSense way.

      JKnott @tiagosmx (Feb 13, 2020, 11:42 AM)

      @tiagosmx

      If they're connecting directly to the LAN, pfSense has no involvement at all, beyond DHCP. Typically, a domain controller is used to allow access to the various resources.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        johnpoz, LAYER 8 Global Moderator (Feb 13, 2020, 11:49 AM)

        The freerad package can be used to provide your auth, but you still need a switch that can do 802.1x.

        What switch do you have?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jimp, Rebel Alliance Developer Netgate (Feb 13, 2020, 1:21 PM)

          You enable it in your L2 (the switch / AP).

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            tiagosmx @johnpoz (Feb 13, 2020, 1:37 PM)

            @johnpoz only a simple Layer 2 switch, and probably not manageable/configurable.
            I have installed freeradius and successfully configured 802.1x for WLAN access with WPA Enterprise, but now I want to achieve the same in a wired configuration.

            Is a layer 3 switch with 802.1x really a must?
            Can't that be achieved with just pfSense?

              jimp, Rebel Alliance Developer Netgate (Feb 13, 2020, 1:38 PM)

              It has to be done at L2; it is too late to accomplish something like that once they have an L3 address. At that point your only option is Captive Portal, not 802.1x.

              You don't need a "layer 3 switch", just a managed switch which supports 802.1x.


                johnpoz, LAYER 8 Global Moderator (Feb 13, 2020, 1:42 PM; last edited by johnpoz Feb 13, 2020, 1:51 PM)

                As stated, you need to do this at layer 2, so you do not need an L3-capable switch - but more than likely the entry level "smart" switches that you can get for like $40 will not support this. You will need something with a few more features than the entry level ones.

                So for example the D-Link DGS-1100 does not seem to support 802.1x; the DGS-1210 does.

                The 8 port gig 1100 on Amazon is like $40, while the 1210 is more like $100. And it also has 2 SFP ports along with the 8 gig ports.

                When you want to start doing enterprise level stuff, the soho stuff doesn't really cut it any more ;)


                  tiagosmx @johnpoz (Feb 19, 2020, 4:28 AM)

                  @johnpoz @jimp that's exactly what I was missing, thank you for pointing that out.

                  Lesson n.1: There are different types of layer 2 switches (managed and unmanaged); some of them support the 802.1x protocol and some of them do not.

                  Lesson n.2: The 802.1x authentication is done at layer 2, before IPs are handed to the devices. When packets reach layer 3 it is too late to do any kind of 802.1x authentication, as the devices were already authorized to enter the network.

                  Cheers!

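An added illustration of lesson n.2 (example code written for this page, not from the thread, pfSense or FreeRADIUS): a small decoder showing that 802.1X EAPOL frames are link-local layer 2 frames with no IP header, so only the switch port the supplicant is plugged into (the authenticator) ever sees the authentication exchange, while pfSense only sees routed IPv4 once the port is already authorized. The MAC addresses and frames are constructed samples.

```python
import struct

# Constructed sample values (not captured from any real network).
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("020000000001")  # constructed, locally administered
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_eapol(src_mac, eapol_type, body=b""):
    """Ethernet II frame carrying an EAPOL v2 PDU to the PAE group address."""
    eapol = struct.pack("!BBH", 2, eapol_type, len(body)) + body
    return PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def classify_frame(frame):
    """Describe a frame by the layer at which a device can act on it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype == ETHERTYPE_EAPOL:
        if len(frame) < 18:
            raise ValueError("truncated EAPOL header")
        _ver, etype, length = struct.unpack("!BBH", frame[14:18])
        # EAPOL carries no IP header and goes to a link-local group MAC that
        # bridges do not forward: only the authenticator port can handle it.
        info.update(layer=2, protocol="EAPOL", has_ip_header=False,
                    eapol_type=EAPOL_TYPES.get(etype, "unknown"), link_local=(dst == PAE_GROUP_MAC))
        if etype == 0 and length >= 4:  # EAP-Packet: decode the EAP header
            code, ident, _elen = struct.unpack("!BBH", frame[18:22])
            info.update(eap_code=EAP_CODES.get(code, "unknown"), eap_id=ident)
    elif ethertype == ETHERTYPE_IPV4:
        # A routed IPv4 packet means the port was already authorized; at this
        # point only an L3 control such as Captive Portal is left.
        info.update(layer=3, protocol="IPv4", has_ip_header=True, link_local=False)
    else:
        info.update(layer=2, protocol="other", has_ip_header=False, link_local=False)
    return info


def sample_frames():
    """Constructed frames: an EAPOL-Start, an EAP Request/Identity, an IPv4 packet."""
    eap_identity = struct.pack("!BBHB", 1, 1, 5, 1)  # code=Request, id=1, len=5, type=Identity
    ipv4_hdr = bytes([0x45, 0, 0, 20]) + bytes(16)   # minimal constructed IPv4 header
    router_mac = bytes.fromhex("020000000002")       # constructed, stands in for the pfSense LAN NIC
    return {
        "start": build_eapol(SUPPLICANT_MAC, 1),
        "identity": build_eapol(SUPPLICANT_MAC, 0, eap_identity),
        "ipv4": router_mac + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ipv4_hdr,
    }
```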
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.