Mac-based Vlan Authentication
-
Hey Guys,
Is there an option in pfSense where I can assign my MAC address to a specific VLAN? The plan is that when I plug a device in, pfSense checks if it knows it; if it does, it should move it into the right VLAN; if it is an unknown device, it should stay in VLAN 1 (public VLAN), for example.
I read about many ways to do it on the switch side, but I had around 15 switches in a hotel and amusement park, and if we add a device I don't want to edit the config on all switches.
Hope you can help me, guys.
Thanks a lot
Dominik -
@dominikmorawietz Yes and no. If you are talking about built in switchports on the pfsense device itself, then there is no way to do that.
But if you have VLAN-capable switches downstream (like your 15 switches), you can configure all VLANs in them and transport them to pfSense like you probably already have. You can then install the “Freeradius” package on pfSense and create all the known MAC addresses as clients and return their VLAN number via Radius to the switch. The trick is then to create a “default” MAC address user that is accepted regardless of the MAC address and returns VLAN 1 for that user. You then need to enable Mac-auth (MAC address authentication) in the switches using Freeradius as the Radius server (authentication server). Works like a charm - I use it in several setups.
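The setup described in the reply above, as an added example that is not part of the original post: a Python script that turns one central MAC-to-VLAN inventory into FreeRADIUS `users`-file entries, with a catch-all `DEFAULT` entry returning VLAN 1. The inventory contents, the function names, and the MAC format the switches send (12 lowercase hex digits as both user name and password) are assumptions; check what your switches actually send.

```python
import re

# Constructed sample inventory (assumption): MAC in any common notation -> VLAN ID.
INVENTORY = {
    "00:11:22:AA:BB:01": 10,   # e.g. reception PC
    "0011.22aa.bb02": 20,      # e.g. ticket kiosk
    "00-11-22-aa-bb-03": 30,   # e.g. IP camera
}
FALLBACK_VLAN = 1  # the thread's public VLAN for unknown devices


def normalize_mac(mac):
    """Return 12 lowercase hex digits; raise ValueError on anything else."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def vlan_reply(vlan):
    """RADIUS tunnel attributes (RFC 3580) that tell the switch which VLAN to use."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan}")
    return ("\tTunnel-Type = VLAN,\n"
            "\tTunnel-Medium-Type = IEEE-802,\n"
            f"\tTunnel-Private-Group-Id = \"{vlan}\"\n")


def build_users_file(inventory, fallback_vlan=FALLBACK_VLAN):
    """Render users-file entries: one per known MAC, then the catch-all DEFAULT."""
    seen, out = {}, []
    for raw, vlan in inventory.items():
        mac = normalize_mac(raw)
        if mac in seen:
            raise ValueError(f"duplicate MAC {raw!r} (already listed as {seen[mac]!r})")
        seen[mac] = raw
        # Assumption: the switch sends the MAC as both User-Name and password.
        out.append(f"{mac} Cleartext-Password := \"{mac}\"\n{vlan_reply(vlan)}")
    # DEFAULT must come last: the users file is matched top to bottom.
    out.append(f"DEFAULT Auth-Type := Accept\n{vlan_reply(fallback_vlan)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_users_file(INVENTORY))
```

Because a MAC address can be copied, this assigns VLANs by claimed identity only, so the firewall rules between VLANs on pfSense remain the actual access control.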
-
That sounds like something that was available on Cisco routers, but not Adtran (speaking from experience) where the MAC could be used to assign a VLAN & DHCP server. Is this what you have in mind?
-
@dominikmorawietz Sounds like you want SDA or something with similar functionality. I don't think the functionality you're looking for is done at the firewall level. You'll likely need to implement something internally before it hits the firewall.