Securing 802.1x

  • Hi!

    I just setup 802.1x auth via FreeRadius in pfSense and was able to authenticate to the network.  This is great and exactly what I want to do, but what prevents somebody from unplugging the port from the switch for the pfSense LAN and jumping on the network without authenticating?

    • Can you only require authentication?
    • How can you require authentication on the pfSense port?  Do you just create a user for that pfSense instance and authenticate pfSense to itself?
    • Do you have to put the switch in a lockbox to prevent this from happening?


  • You can lock a switch port to a particular MAC address, but that only goes so far. There are numerous devices in any network that can't support 802.1X (most printers, copiers, scanners, etc.) where that's the best you can do. Physical security of the switch is always important, otherwise nothing would keep someone from getting a console into it/resetting to defaults and putting whatever config they want on it.

  • I am using freeradius2 for dynamic VLAN assignment for all of my printers and computers.

    But it is important that noone has access to the switch and the switch is able to assign a VLAN to a port when somebody plugin the ethernet cable of his PC. Then the user needs to enter a username/password, certificate to get access and to get into his VLAN. If the credentials are wrong the switch puts the PC into a so called "guest VLAN". For this VLAN I blocked all traffic on the pfsense firewall.

    Many switches do have a separate "management" VLAN which is not accessable from other VLANs - but this still only hepls if your switch is not accessable by anybody but yourself.

  • I was afraid that I might have to physically secure the switch.  I know it's not pfSense's fault, but it is annoying that you have to do it.  Ideally, it would be nice to require authentication on the LAN connection so that any joe can't directly plug into the pfSense box and get an IP.  Here's a little background on what I'm doing..

    I work in an open office environment with cubicles.  I have a pfSense box setup down here in an unsecured area that is attached to a switch that supports 802.1x.  I locked the console of the pfSense machine, and everything else is secured, except for this little loophole of the LAN wire coming out of pfSense.  If I could require authentication on that wire and deny everything else, I think this would solve my problem.

    I suppose another solution is kind of along the lines of what Nachtfalke mentioned.  I guess I could have a mangement VLAN to the switch for the authentication and assign another VLAN for general traffic.  The management VLAN would be a nonroutable address other than what I'm using and the real VLAN would require authentication.  Hmmmm…...  This might work.  I'm working on about three different projects at the same time and my brain is about dead.

    Thanks, and I'll post my results!

  • If you are running a VLAN switch behind pfsense then the NIC on pfsense must use TAGGED frames. Probably most NICs in notebooks and workstations can do that but by default they do not understand it. And they need to know WHAT VLAN ID you really use. If they do a packet capture they will find it out but it is some more difficulty. So if someone is unplugging the cable between switch and pfsense he will not get a connection "out fo the box".

    And the switch can be secured, too, console and GUI.

  • Thanks all for the responses.

    Well, my little test thismorning failed.  :(  I thought I could setup another VLAN (management one) on pfsense and authenticate everything over that management vlan.  That didn't work as expected.  It seems like when I set the ports to authenticate, I forgot that the switch needs to talk to the pfsense box, and well, i locked myself out.

    I suppose I can tag the vlan's and as Nachtfalke said, it would make it more difficult to jump on net.  It would probably keep 99% of the riff-raff out, even if we have any around here.  It's frustrating because it seems like there's just one little piece to make 8021x great, and that little piece is missing.

  • what about setting up a captive portal on pfsense ?
    captive-portal connected to freeradius. if they use their username/password on the switch or on CP. Would that make any difference ? CP is always active on pfsense NIC.

    If you enable CP + 802.1X then you must add a pass-through for the switch on CP so that the switch cans end access-requests through CP to freeradius.

Log in to reply