Hello,
is there a way to assign devices to a VLAN based on the MAC address without using a Radius server?
Your switch needs to do that. OPNsense only understands static VLAN interfaces which you then connect to a switch.
Quote from: pmhausen on January 12, 2023, 04:25:24 PM
Your switch needs to do that. OPNsense only understands static VLAN interfaces which you then connect to a switch.
Thank you for your quick response.
I figured maybe with a firewall that powerful, there were other options.
Unfortunately, switches can't do that as far as I've found.
Dynamic VLANs are defined in 802.1x.
Unfortunately, a radius server is always assumed here as far as I've found so far!
But if someone should know a switch where dynamic VLANs without a radius are possible, please tell me.
Quote from: saveNAT on January 12, 2023, 06:09:19 PM
I figured maybe with a firewall that powerful, there were other options.
Even with a firewall that powerful you generally do not have a separate port
on the firewall for each client. Dynamic VLAN membership means port based VLANs are assigned to the port a client is plugged into based on 802.1x or MAC address. You need a device that can manage each port that way. You cannot assign multiple VLANs to a single port
and still keep clients separate. Multiple VLANs per port is of course possible.
Cisco can do VMPS which is a proprietary MAC based alternative to full 802.1x. I rather like it. Some of their switches can serve as VMPS servers. Alternatively - you guessed it - FreeRADIUS can be used.
Since RADIUS comes free with Windows Server or can be implemented with open source software (FreeRADIUS) on Linux, BSD, ... why are you opposed to using a RADIUS server?
P.S. Here's an open source VMPS server: https://sourceforge.net/projects/vmps/
Quote from: pmhausen on January 12, 2023, 06:30:33 PM
Quote from: saveNAT on January 12, 2023, 06:09:19 PM
I figured maybe with a firewall that powerful, there were other options.
Since RADIUS comes free with Windows Server or can be implemented with open source software (FreeRADIUS) on Linux, BSD, ... why are you opposed to using a RADIUS server?
I don't dislike Radius at all. I'll test it all and then I decide.
At first I planned to design the home network according to the KISS principle and Radius didn't quite fit in there. :D
Would it then be best to run the Radius server on a VM or better on another platform like a TRUENAS?
It can run on a Raspberry Pi or a VM or a jail on TrueNAS ... whatever makes sense to you from an operations point of view. If you already have a FreeBSD based TrueNAS, throw it in a jail, cost in memory and diskspace is negligible.
If you already run some Linux based server 24x7, maybe use Docker or KVM. If you already have ESXi ... you get the idea.
For a home network I would take a step back and reconsider: why dynamic VLAN assignments at all?
Many devices will be wireless so that is solved with multiple SSIDs mapped to VLANs. Then there's static VLAN assignments to switch ports. Do you really rewire your home network devices every other day?
OpnSense has a FreeRadius server plugin (os-freeradius), so what is the problem?
If you have a Radius-capable switch, you can define as many VLANs as you like and configure the switch ports to 802.1x based on your Radius settings. I do exactly that with Unifi switches.
Quote from: pmhausen on January 12, 2023, 09:42:44 PM
For a home network I would take a step back and reconsider: why dynamic VLAN assignments at all?
Many devices will be wireless so that is solved with multiple SSIDs mapped to VLANs. Then there's static VLAN assignments to switch ports. Do you really rewire your home network devices every other day?
Thank you for your assessment. There are actually only two reasons that would speak for a Radius server.
First:
If someone (child, woman, guest) plugs a device into a network socket, it would be nice if the device was integrated into the corresponding VLAN.
In this case, I could perhaps switch all the ports in the switch that are not required to the guest VLAN and switch only special ports to other VLANs if required.
Would you see that as a viable alternative?
Second:
I have reachable external connections for IP cameras.
I would like to secure this as best as possible. A MAC filter is not exactly secure. Radius would be safer here.
But maybe it would also be enough here that I pack all external connections into a separate VLAN and route only the most necessary things into the corresponding VLANs via the OPNsense?
Quote from: meyergru on January 13, 2023, 02:17:18 AM
OpnSense has a FreeRadius server plugin (os-freeradius), so what is the problem?
If you have a Radius-capable switch, you can define as many VLANs as you like and configure the switch ports to 802.1x based on your Radius settings. I do exactly that with Unifi switches.
I will also look at the Radius server in my test setup.
The only question is whether the Radius server does not make the entire system extremely complex.
Are you getting along well with your Radius server?
Are there any breakdowns and how big is the maintenance effort?
A Cisco catalyst could do web based authentication, then you might not need Radius, either way, all setups will be complex with your demand
Quote from: saveNAT on January 13, 2023, 08:08:09 AM
If someone (child, woman, guest) plugs a device into a network socket, it would be nice if the device was integrated into the corresponding VLAN.
In this case, I could perhaps switch all the ports in the switch that are not required to the guest VLAN and switch only special ports to other VLANs if required.
Would you see that as a viable alternative?
...
I will also look at the Radius server in my test setup.
The only question is whether the Radius server does not make the entire system extremely complex.
Are you getting along well with your Radius server?
Are there any breakdowns and how big is the maintenance effort?
Those are the essential questions. This sure adds complexity. For example, you need to have ALL tagged VLANs and no untagged one, because you cannot assign a VLAN "0" in Radius and you want to have a fallback (i.e. guest or dummy) VLAN for unknown devices. To be able to attach any known device to any non-dedicated port and have it use the correct VLAN is one of the benefits of 802.1x; I would use as few dedicated ports as possible.
You also have to consider adding every new device to your configuration, probably multiple times (DHCP, DNS, plus now Radius). Even the format of the MAC is different for 802.1x than for DHCP.
Then, there is the problem of ports that have to be trunked, namely uplinks to other switches and access points. If you cannot restrict physical access to these ports, you gain nothing with regard to security. Alas, I have found no way of assigning a trunk via 802.1x.
Also, MACs can be spoofed if you only make use of more lightweight MAC-based 802.1x without certificates (which many clients do not support).
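As an added illustration of the points above (not code from this thread or from the os-freeradius plugin): a small Python script that normalizes DHCP-style MACs into the separator-free username form MAC-based 802.1x requests usually carry, decides which VLAN a MAC gets, and renders a FreeRADIUS users-file fragment with a DEFAULT entry that drops unknown devices into the fallback VLAN. The inventory, the VLAN IDs and the assumption that the switch sends the MAC as 12 lowercase hex digits are constructed; check what your switch actually sends.

```python
import re

# Constructed sample inventory: MAC as typed into a DHCP reservation -> VLAN ID
INVENTORY = {
    "AA:BB:CC:00:11:22": 10,   # PC, LAN VLAN
    "aa-bb-cc-00-11-33": 30,   # IP camera, camera VLAN
    "aabb.cc00.1144": 40,      # IoT device, IoT VLAN
}
FALLBACK_VLAN = 99  # guest VLAN for any MAC not in the inventory


def normalize_mac(mac):
    """Strip separators and lowercase, so a DHCP-style MAC becomes the
    12-hex-digit username form assumed here for MAC-based 802.1x (MAB)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def assign_vlan(inventory, mac, fallback_vlan):
    """The decision the RADIUS server makes: known MAC -> its VLAN, else fallback."""
    table = {normalize_mac(m): v for m, v in inventory.items()}
    return table.get(normalize_mac(mac), fallback_vlan)


def vlan_reply(vlan_id):
    """RFC 3580 tunnel attributes telling the switch which VLAN the port gets."""
    return ["Tunnel-Type = VLAN",
            "Tunnel-Medium-Type = IEEE-802",
            f'Tunnel-Private-Group-Id = "{vlan_id}"']


def users_entry(check_items, vlan_id):
    # users-file syntax: check items on the first line, reply items indented,
    # comma-terminated except for the last one
    reply = vlan_reply(vlan_id)
    lines = [check_items] + [f"\t{a}," for a in reply[:-1]] + [f"\t{reply[-1]}"]
    return "\n".join(lines)


def render_users_file(inventory, fallback_vlan):
    """One entry per known MAC (MAB sends the MAC as both username and password),
    then a DEFAULT entry that accepts any other MAC into the fallback VLAN.
    MAB only trusts the MAC the client claims: it sorts devices, it does not
    authenticate them."""
    entries = []
    for mac, vlan in inventory.items():
        name = normalize_mac(mac)
        entries.append(users_entry(f'{name}\tCleartext-Password := "{name}"', vlan))
    entries.append(users_entry("DEFAULT\tAuth-Type := Accept", fallback_vlan))
    return "\n\n".join(entries) + "\n"
```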
So there are only 3 options for the network sockets in the house:
1. Switch all unused ports in the switch to the guest VLAN
2. Disable all unused ports in the switch
3. Use Radius servers
Or is there maybe a simple and almost similarly good/safe way?
Quote from: saveNAT on January 13, 2023, 02:51:00 PM
So there are only 3 options for the network sockets in the house:
1. Switch all unused ports in the switch to the guest VLAN
2. Disable all unused ports in the switch
3. Use Radius servers
How would #1 or #2 help if you have accessible LAN ports at all?
Radius allows - in theory - to secure ports by having a kind of "lock". #1 and #2 would be like "just use another open door".
Quote from: meyergru on January 13, 2023, 04:47:17 PM
How would #1 or #2 help if you have accessible LAN ports at all?
Not really, but I try to find a solution without a radius server, but maybe it is the only good solution......!
If someone here has another good solution, please tell me. :)
What I tried to say was: If you want to have a perfectly secure solution, you need to secure the physical access to at least those ports that are not secured by anything else, even without Radius.
If that is not possible, every solution is more of a cosmetic kind and probably serves the only purpose of educating you. In that case, you should try Radius to learn even more.
If you want a really secure solution, you need Radius anyway, and certificate-based Radius at that.
So I do not get the rationale of avoiding Radius. What are you really trying to accomplish? What kind of in-between would solve that purpose? Maybe I just cannot see it.
Quote from: meyergru on January 13, 2023, 09:58:29 PM
If you want a really secure solution, you need Radius anyway, and certificate-based Radius at that.
So I do not get the rationale of avoiding Radius. What are you really trying to accomplish? What kind of in-between would solve that purpose? Maybe I just cannot see it.
I understand.
So you would do the Radius authentication with a certificate for all possible devices and not over MAC.
All unknown devices (e.g. guest PC on LAN port) are then routed to a fallback VLAN (e.g. guest VLAN) by the Radius server.
Would that be the solution you would recommend or did I misunderstand you?
I do not recommend that as a "solution" to you, as I said I am still not grasping what you want to accomplish.
If it is indeed full security, Radius with certificates is what is being used as the most secure standard in the industry.
However, ask yourself these questions:
1. Can you limit physical access to ports that have to be trunked?
2. Are all of your devices capable of employing certificates?
3. Is that too much hassle for a home installation (think of the CA you must create and the deployment process)?
Quote from: meyergru on January 14, 2023, 04:30:14 PM
However, ask yourself these questions:
1. Can you limit physical access to ports that have to be trunked?
2. Are all of your devices capable of employing certificates?
3. Is that too much hassle for a home installation (think of the CA you must create and the deployment process)?
1. No, I can't prevent access to the trunk ports, because the access points are connected to the network sockets. But this case doesn't worry me in the home network either and even my children won't unplug the AP.
2. Yes, cameras, PCs, etc. would be capable of employing certificates. Only IoT or something like that might have to use Radius with MAC.
3. So I think authentication by certificate would only be necessary for the cameras on the outside. The rest could be authenticated with Radius per MAC. Is creating such a certificate very complicated?
And how do you do that in your home networks?
Do you also have several VLANs and are they dynamic or static and do you have something for guests?
I have VLANs for LAN, Management, IoT, Guests and DMZ. I use Radius only MAC-based because my answers are:
1. No.
2. No.
3. Yes.
As for certificate-based Radius: I think it is less complicated to create a CA than to assign each device a certificate and provision them.
My goal was not to reach 100% security, rather to make VLAN assignments more centrally manageable, so that I can use any LAN terminal for any device. That being said, if I had externally accessible ports for IP cams, I would rather assign those static VLANs than to try to provision them with certificates.
Quote from: meyergru on January 14, 2023, 06:05:29 PM
My goal was not to reach 100% security, rather to make VLAN assignments more centrally manageable, so that I can use any LAN terminal for any device. That being said, if I had externally accessible ports for IP cams, I would rather assign those static VLANs than to try to provision them with certificates.
I really like your solution. I could well imagine that.
Except for the external connections, here a static VLAN only for the cameras including firewall rule and if necessary radius per certificate would be the best solution.
Quote from: meyergru on January 14, 2023, 06:05:29 PM
I have VLANs for LAN, Management, IoT, Guests and DMZ.
Do you then have a trunk port from the OPNsense to the switch or is each VLAN a physical port on the OPNsense that goes to the switch?
Unknown MACs then automatically go into the guest VLAN in your home network?
And how did you solve it with the WLAN? Only one SSID and also by radius or one SSID for each VLAN?
Yes, it is one trunk port for OpnSense, but that is via an SFP+ via DAC because traffic may pass it twice when traversing VLANs. You also need trunk ports for switches, VM hosts and APs. The latter distribute a subset of the VLANs as separate SSIDs (obviously not Management and DMZ).
The guest VLAN is the default fallback VLAN for unknown clients.