OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Josh on December 10, 2022, 06:11:52 pm

Title: How to configure 802.1X device certificate based EAP-TLS authentication on LAN?
Post by: Josh on December 10, 2022, 06:11:52 pm
We have been running a pfSense based network for several years, but have started considering switching over to OPNsense. I have been reading and searching the forum, but I'm still unsure if our configuration can be achieved using OPNsense.

Our current network configuration is as follows:

- pfSense edge router:
   - WAN + LAN1 physical network interfaces
   - Certificate manager to create and manage the PKI for device certificates
   - Freeradius server configured to use EAP-TLS with 802.1X device certificates on wired and wireless LAN1
- Managed switches (ZyXEL GS1900 series)
   - Authentication method: Radius; 802.1X enabled
   - Individual switch port assignments to either LAN1 or VLAN 20 / 30 / 110 / 120 / 130
   - Global Guest VLAN 30 for fallback to devices trying to connect to LAN1 ports without a proper device certificate
- WLAN APs (Ubiquiti UniFi UAC series)
   - Separate wireless networks for LAN1, VLAN 20 / 30 / 110 / 120 / 130
   - Radius profile for wireless LAN1
   - WPA-Enterprise enabled for wireless LAN1 connections to authenticate via device certificates
   - WPA-Personal and individual VLAN enabled for all other wireless networks

If a workstation is trying to connect to LAN1 either wireless or wired but without device certificate, it will automatically fall back to Guest VLAN 30. Wired connection to all VLANs is possible from dedicated switch ports without authentication. Wireless connection to all VLANs is possible with standard WPA-Personal password.

I wonder if this setup is possible with the current OPNsense release.

I’m specifically concerned about how to configure Freeradius to use 802.1X and device certificates, since I cannot seem to find the user interface to configure it. On pfSense this configuration was quite straightforward, and I was also able to find examples in the user forums on how to do it.

All guidance and advice is greatly appreciated!

I'm seriously considering switching over to OPNsense if I can do it with low or moderate effort. On the other hand, I do not currently have resources to start making very large-scale experiments if this is something that has not been done with OPNsense before.
Title: Re: How to configure 802.1X device certificate based EAP-TLS authentication on LAN?
Post by: EdwinKM on December 10, 2022, 11:00:09 pm
Hey, I am using EAP-TLS. My laptop is the only device that can access the WLAN (primary LAN without VLAN). My other VLANs (MEDIA and GUEST) use normal WPA2.

You generate certificates (in opnsense) and make sure the CN is unique between server and client cert.

I am not sure about your fallback request. Maybe also possible with just your OS network manager. Is it really useful?

Note, for RADIUS you have to install a plugin. Options are quite basic though.

PS: The latest OPNsense update broke my RADIUS. I had to disable the option "Check TLS Common-Name", otherwise it would deny access. So make sure you do not use this option at this time. Probably a FreeRADIUS upstream bug.

On my Linux machine I then use the following, where "radius-client" matches my client CN.

Security: WPA & WPA2 Enterprise
Authentication: TLS
Identity: radius-client
Domain: <empty>
CA certificate: RADIUS_CA.crt
No CA certificate is required: false
User certificate: RADIUS+Client+Certificate.p12
User private key: RADIUS+Client+Certificate.p12
User key password: <RADIUS_CLIENT_SECRET>
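As an added lab example (not code from either post, and not the OPNsense GUI workflow, which does this in the certificate manager): an openssl script that builds the PKI EdwinKM describes with distinct server and client CNs, exports the client identity as the .p12 the supplicant config above expects, and runs the checks a practitioner would want to pass before enabling "Check TLS Common-Name". The CA name and the CNs RADIUS_CA, radius-server and radius-client are assumptions; the export password changeit is a placeholder.

```shell
#!/bin/sh
# Hypothetical EAP-TLS PKI lab: CA -> RADIUS server cert -> client cert -> client .p12.
# Names below are assumptions for the lab, not values from the forum thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-radius-server}"
CLIENT_CN="${CLIENT_CN:-radius-client}"   # the EAP identity must equal this CN when check_cert_cn is on
P12_PASS="${P12_PASS:-changeit}"          # placeholder export password

build_pki() {
  cd "$WORK"
  # Self-signed CA that both the RADIUS server and the supplicant will trust
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=RADIUS_CA" -keyout ca.key -out RADIUS_CA.crt 2>/dev/null
  # Server cert: EKU serverAuth so supplicants validating the RADIUS server accept it
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SERVER_CN" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$SERVER_CN" > server.ext
  openssl x509 -req -in server.csr -CA RADIUS_CA.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile server.ext -out server.crt 2>/dev/null
  # Client cert: EKU clientAuth, CN deliberately different from the server's
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CLIENT_CN" \
    -keyout client.key -out client.csr 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -in client.csr -CA RADIUS_CA.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile client.ext -out client.crt 2>/dev/null
  # Bundle key + cert + CA into the .p12 the supplicant imports
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile RADIUS_CA.crt \
    -passout "pass:$P12_PASS" -out "RADIUS+Client+Certificate.p12"
}

# Print the CN of a PEM certificate (RFC2253 ordering keeps the sed simple)
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Pre-flight checks: distinct CNs, both certs chain to the CA, client EKU is clientAuth,
# and the .p12 opens with the password the supplicant will be given.
check_pki() {
  cd "$WORK"
  [ "$(cert_cn server.crt)" != "$(cert_cn client.crt)" ] || return 1
  openssl verify -CAfile RADIUS_CA.crt server.crt client.crt >/dev/null || return 1
  openssl x509 -in client.crt -noout -ext extendedKeyUsage | grep -q 'TLS Web Client Authentication' || return 1
  openssl pkcs12 -in "RADIUS+Client+Certificate.p12" -passin "pass:$P12_PASS" -nokeys -noout 2>/dev/null || return 1
  return 0
}
```

If check_cert_cn is enabled on the server, the supplicant's Identity field must be exactly the string cert_cn prints for client.crt; a mismatch is rejected before any fallback VLAN logic on the switch applies.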