Seeking solution for (syncable) access restrictions

  • Hi,

    I'm trying to find the best solution to only allow known mac addresses in a network consisting of a central location + 3 locations (each with pfsense) connected via openvpn.
    The reason isn't security, but to hinder people with (yet) unknown devices to take part in the network for licensing (M$ cals) reasons.

    The clients shouldn't be bothered, so I can't just suddenly restrict them to using radius actively, so I wanted to do this with plain mac auth.

    Unfortunately not all switches are capable of radius authentication either.

    I'm aware that I can use static arp, but this would be a mess if I have to manually add and maintain dozens of mac addresses on each firewall separately (also users are moving between locations).

    Basically I was looking for something similar to a managed switch's radius auth with just plain macs, but on pfsense itself.

    So I found pfsense's captive portal.
    Captive portal works great for that purpose as long as the mac addresses are added directly to captive portal itself, all listed hosts can do any traffic right away WITHOUT the need to trigger anything via http first.
    But since I can't just sync the mac lists between all pfsense hosts with captive portal alone, I wanted to use it with Freeradius + plain mac auth, because freeradius can sync the macs via xmlrpc to all other hosts.

    But when I configure Captive Portal to use freeradius with plain macs, the hosts need to trigger that once by doing a http request before any other traffic is allowed (even though this is transparent, it's not a solution in my case).

    Is there any other feature I'm not aware of that works similar to a managed switch's radius auth or anything like that on pfsense that is capable of syncing a mac list?

    I looked into ipguard-dev and maybe this is the solution, but I'm a bit reluctant to use this since it's still in BETA and I'm not sure if this is the best solution for this purpose.

    Thank you very much for any ideas :)

Log in to reply