Netgate Discussion Forum
    IoT Devices on WPA2 Enterprise network

    General pfSense Questions
    4 Posts, 3 Posters, 1.5k Views
      A Former User
      last edited by A Former User

      Want to be sure I'm not missing something. If I am I would be super happy to learn.

      There is no setup that makes any sense that would allow devices like printers, Sonos speakers or kindles to connect to an enterprise network.

      Put another way, any setup that would allow a device to connect to any network based only on MAC address is a very bad idea.

      In case it matters, I have Unifi APs (4 nanoHD), Cloud Key and a Cisco small business switch (SG-220-50p) using FreeRADIUS on pfSense 2.4.5-p1. Unifi offers something called "Radius MAC Authentication", not sure exactly how that feature works in practice. I couldn't get normal EAP-TLS to work with it turned on.

      As an aside, Unifi makes this a bit of a pain. You cannot use any vlan that is associated with a WPA Personal network for dynamic (Radius) vlan assignment on a WPA Enterprise network. I spent way too long wondering why I couldn't assign my 'home' vlan dynamically on an enterprise network. I thought for sure I had configured something wrong. A quick search on the Ubiquiti forum set me straight. <facepalm>

        johnpoz LAYER 8 Global Moderator @A Former User
        last edited by johnpoz

        @jwj

        I played with this for a while.. Quite some time ago, as I was thinking of dynamically assigning devices to vlans based on mac as well. Or their radius normal login.. In the hope to get down to 1 single ssid. And then just assigning either by your login or your mac etc. Guest would get thrown into the guest vlan, my iot devices would get put into the appropriate vlans, etc.

        But since these IoT devices have no support for enterprise login, you still have to have 2 different SSIDs, one where you use enterprise, and another where you don't, for devices that don't support it.

        So while I did get the dynamic assignment to work with a PSK SSID.. It's just easier to leave my SSIDs for the different vlans in place..

        I use eap-tls for my trusted devices, phones, laptops, tablets, etc. While iot devices join the respective vlan based upon which ssid they use. And there is a guest vlan as well for friends and family that come over..

        On a side note, since users are really lazy - and would never want to type in my very complex psks.. I printed up some cards with qr codes they can scan on their phones ;)

        In a perfect world these iot devices would support enterprise auth.. But I don't see that happening any time soon..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

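Added example, not from the thread or from Netgate: the two FreeRADIUS 3 fragments behind the dynamic VLAN assignment johnpoz describes, one entry for an IoT device admitted by the AP's "Radius MAC Authentication" and one for an EAP-TLS device. The device names, VLAN IDs and MAC address are constructed, and it assumes the AP sends the MAC in lowercase without separators as both User-Name and User-Password.

```text
# Added example, not from the thread. Two FreeRADIUS 3 fragments; device
# names, VLAN IDs and the MAC address are constructed.

# --- mods-config/files/authorize (the "users" file) -------------------------
# IoT device admitted by the AP's "Radius MAC Authentication". The AP is
# assumed to send the MAC, lowercase without separators, as both User-Name
# and User-Password (PAP), so the credential is nothing but the MAC: whatever
# presents that MAC lands on this VLAN. Keep such devices on an isolated VLAN
# that can only reach what they need.
aabbccddeeff    Cleartext-Password := "aabbccddeeff"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = 30

# A MAC not listed here matches no entry, no Auth-Type gets set, and
# FreeRADIUS rejects the request instead of dropping it on a default VLAN.

# --- sites-enabled/default, post-auth section -------------------------------
# Trusted devices use EAP-TLS. The eap module does the authenticating; the
# client certificate's CN (filled in by the TLS handshake and visible here in
# post-auth) selects the VLAN. A valid certificate with an unlisted CN gets no
# Tunnel-* attributes, so the AP leaves that station on the SSID's own VLAN.
post-auth {
        if (&TLS-Client-Cert-Common-Name == "laptop01") {
                update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "10"
                }
        }
}
```

The Tunnel-* reply attributes are the same in both cases; what differs is the strength of the proof behind them, which is the point the first post makes about MAC-only admission.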
          A Former User @johnpoz
          last edited by

          @johnpoz Thanks John!

          I'll have to think through if I want to continue with the WPA2 Enterprise for what would be marginal improvements. One ssid and all of the logging sure seemed great. Oh well...

            NogBadTheBad @A Former User
            last edited by

            @jwj

            I don't think the Unifi kit supports 802.1X and any form of WPA on the same network segment, even if the SSID is different.

            I'm with @johnpoz on the guest WiFi and QR codes.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.