Netgate Discussion Forum

Access control at the network level

General pfSense Questions
6 Posts 2 Posters 3.9k Views
    G.D. Wusser Esq., May 27, 2014, 5:45 PM

    What options do pfSense and packages offer to prevent unauthorized computers plugged into the wired network from attaching to LAN?

    I am not talking about Internet access; I am talking about the network layer of protection (in addition to the application level passwords and policies) for the LAN resources, including database servers, file servers, etc.

    Has anybody implemented this and can recommend a good way to do it?

    It seems like there are a few ways to go:

    • 802.1X port-based authentication
    Is this something freeradius/ freeradius2 packages support?

    • PPPoE
    Have LAN clients authenticate with PPPoE server running on pfSense.

    • MAC whitelisting
    I think I am going to skip this option, as MAC addresses are easy to spoof.

    Anything else?

    Thank you

      jimp (Rebel Alliance Developer, Netgate), May 27, 2014, 5:52 PM

      That is primarily up to your switches. Anything else can be spoofed.

      802.1X is good, PPPoE or OpenVPN might be OK, but cumbersome. MAC Whitelisting isn't bad if you do it at the switch port level (e.g. port X can only have MAC yy:yy:yy:yy:yy:yy) if possible.

      Static ARP is similar, but if the user knows a valid MAC:IP combination that can be spoofed as well.

      If you distrust your users that much, get a better switch that also supports a "Private VLAN" mechanism where each port is isolated from all other ports and can only communicate with the upstream port (e.g. the firewall), that combined with a proper authentication mechanism should be safe enough.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        G.D. Wusser Esq., May 27, 2014, 6:39 PM

        Thank you for your reply.

        For the purposes of this discussion let us assume pfSense is my switch.

        Which package should I try for wired authentication?

          jimp (Rebel Alliance Developer, Netgate), May 27, 2014, 6:43 PM

          There are none for wired network auth. You need a switch that does 802.1X.

          That, or a VPN type (PPPoE, OpenVPN) for clients to connect and perform auth.

          If someone has physical access to the firewall, they can do many worse things than get network access.

            G.D. Wusser Esq., May 27, 2014, 6:55 PM

            And, if someone has a gun, they can just hold it to my head, and I will tell them all the passwords and make plaintext dumps of all the databases, and copies of files. LOL  ;)  I am kidding.

            Thank you for help, though.

            In other words: pfSense, by itself or with packages, does not support 802.1X port-based authentication for wired clients? If I want that, I have to implement it separately, downstream from pfSense. Correct?

              jimp (Rebel Alliance Developer, Netgate), May 27, 2014, 7:03 PM

              Correct.

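The thread's conclusion is that pfSense does not authenticate wired clients itself: an 802.1X-capable switch is the enforcement point, and that switch in turn asks a RADIUS server (FreeRADIUS, on pfSense or anywhere else) for the verdict over RFC 2865. The Python below is an added example, not code from the thread, from pfSense or from FreeRADIUS; it models that switch-to-RADIUS leg so the security property is visible. The switch hides the supplicant's password under the shared secret, the server recovers it and answers Accept or Reject, and the switch honours the verdict only if the Response Authenticator checks out under the same secret, which is what stops a host on the LAN from forging an Access-Accept toward the switch. The user database, password, NAS address and shared secret are constructed test values. Real 802.1X carries EAP (EAP-Message plus Message-Authenticator, RFC 3579) instead of the PAP User-Password attribute used here; the PAP form keeps the authenticator arithmetic short enough to read.

```python
# Added example: minimal RFC 2865 RADIUS model of the 802.1X switch (NAS) to
# RADIUS server leg. Not code from the thread, pfSense or FreeRADIUS; every
# credential, address and secret here is a constructed test value.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3           # RFC 2865 s.3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator

def hide_password(password, secret, request_auth):
    """RFC 2865 s.5.2: zero-pad to 16-octet blocks and XOR each block with an
    MD5 chain of the shared secret and the previous ciphertext block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust((max(len(password), 1) + 15) // 16 * 16, b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the zero padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return bytes(out).rstrip(b"\x00")

def encode_attrs(attrs):
    """Attribute-value pairs as type, length, value; length counts itself."""
    return b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_access_request(ident, secret, username, password, nas_ip, nas_port):
    """Switch side: the request sent when a supplicant on nas_port logs in."""
    request_auth = os.urandom(16)      # fresh and unpredictable per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_NAS_PORT, struct.pack("!I", nas_port))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def serve_access_request(packet, secret, user_db):
    """Server side: recover the password, check it against user_db (constructed
    dict of username -> password) and answer Accept or Reject."""
    code, ident, length, request_auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attrs(packet[HEADER.size:]))
    username, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = username in user_db and hidden is not None and hmac.compare_digest(
        user_db[username], reveal_password(hidden, secret, request_auth))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, b"", request_auth, secret)
    return build_packet(reply, ident, auth, b"")

def verify_reply(reply, request_auth, secret):
    """Switch side: the reply code if its Response Authenticator matches this
    request under the shared secret, else None (forged, replayed or corrupted)."""
    code, ident, length, auth = HEADER.unpack_from(reply)
    if length != len(reply):
        return None
    expected = response_authenticator(code, ident, reply[HEADER.size:], request_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None

def authenticate(username, password, secret, user_db, nas_ip="192.0.2.10", nas_port=3):
    """One full round trip; returns ACCESS_ACCEPT, ACCESS_REJECT or None."""
    req, request_auth = build_access_request(1, secret, username, password, nas_ip, nas_port)
    return verify_reply(serve_access_request(req, secret, user_db), request_auth, secret)

if __name__ == "__main__":
    users = {b"alice": b"correct horse"}          # constructed user database
    print(authenticate(b"alice", b"correct horse", b"constructed-secret", users))  # 2
```

Two things worth noticing when reading it against the thread: the Request Authenticator is random per request, so a captured reply cannot be replayed against a later login, and the Response Authenticator binds the verdict to the shared secret, so a machine plugged into the LAN that can reach the switch cannot hand it an Access-Accept. Both depend on the secret staying off the user-accessible segment; the thread's private-VLAN point applies to the RADIUS path as much as to the clients.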
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.