Radius with MAC filtering
So I got bored.. so it was time to play with something I've never done or seen in production before- RADIUS. I'm very green with RADIUS. I know that it handles the authentication and security, but I'm not privvy to the technical details behind the scenes.
So I installed the FreeRadius2 package without a hitch on my pfsense box running 2.1.2.
So I figured I'd duplicate a simple guide just to prove functionality and then begin changing things to connect the dots in my head. So I used the guide at https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#First_Configuration that is functional enough for me to learn from. No problem! Learning is coming along nicely.
But, this is where things get complex. My pfsense box is a simple home set.. one WAN and one LAN port. The LAN port connects to my 24 port switch that runs to the house. I've got a Ubiquiti Picostation setup at the house that just connects to one port. Clearly a fairly simple arrangement. But it appears that the Picostation supports RADIUS MAC authentication only.
Now I know that your standard MAC filter, while some people call it security, it's nothing but a slight inconvenience to someone actually wanting access to a wireless network. So when I think about RADIUS MAC authentication I immediately think its not as secure as it sounds. Is this true? If it can be made secure, how do I actually do that? Do I setup a captive portal?
I have a Nest device in my home(https://nest.com/), and those don't support RADIUS according to some quick Googling. So if I wanted to go with a RADIUS server I'd have to go with a dual wifi setup in the house (one for devices that don't support RADIUS and one for devices that do). Obviously not a realistic setup for a home.
I'm more interested in the theory than the actual application right now, although I do plan to set it up temporarily just for the experience of having it setup. I'm just wanting to better understand the relationships between how RADIUS works and how secure it can be(as well as how insecure it can be if improperly setup).
I couldn't figure out if this should go in the "Wireless" or "Packages" section of the forum. Since many of the Wireless questions revolve around hardware I found this to be more appropriate section. If I'm wrong feel free to move the thread.
't Works ;D
Although it took me quite some learning, as I am an economist and not a technical guy :-[
I too have a Ubiquity access point which supports Radius. So basically this is it:
1. I have laptop and smartphones which connect wireless.
2. I created a special VLAN for wireless only.
3. pfSense cert manager has created certificates (so: not passwords).
4. The certificates are installed in the laptop (wifi connection) and in the smartphones (android).
5. After setting up Radius to use these certificates:
5.a. The smartphone connects to the Ubiquity, which has been told to use Radius, and the address of the Radius-server.
5.b. The Ubiquity forwards the connection request via the switch to the pfSense where Radius resides.
5.c. Somewhere/somehow the client certificate (how this works is not quite clear to me, but it works) of the smartphone is offered to the pfSense radius server to indentify the smartphone. The other way around the server identifies itself to the smartphone with it's server certificate (to avoid MitM-attacks).
5.d. If this authentification is approved the Radius server tells the Ubiquity to allow access for the smartphone.
5.e. The DHCP-server on the VLAN then issues an IP and the firewall assures the smartphone can only go to the internets, and not to the LAN.
't Works ;D
I hope this helps :P