24.1 Legacy Series / ACL question regarding RADIUS traffic
« on: June 06, 2024, 09:53:30 am »
Hi

I have an 802.1x setup, and to get 802.1x (Wi-Fi) working through an OPNsense FW I have done the following steps:

Normalization:
  disable scrub/normalization for the interfaces touching the traffic

Rules:
  create a rule allowing UDP/1812 to the NPS server
  create a rule allowing UDP/1813 to the NPS server
  create a rule allowing any UDP to the NPS server (it is this rule I would like to tighten up)

The reason for the last rule is that if I don't have it, I can't get the fragmented UDP packets through the FW, and then the RADIUS validation fails.

Background info: we are using certificates for 802.1x, so that is the reason why the packets are so large and need to be fragmented.

Is there a way to allow the fragmented UDP packets without allowing all UDP traffic to the server?
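Added example (not part of the original post, and not OPNsense or pf code): a stdlib-only Python model of why the catch-all UDP rule ends up being needed. A port-based rule can only be evaluated against a fragment that carries the UDP header, and after IPv4 fragmentation only the first fragment does; the remaining fragments have no ports at all, so "UDP/1812 to NPS" can never match them, while "any UDP to NPS" matches every fragment (and every other UDP datagram to that host). The same fragments judged after reassembly pass the port rule. The addresses, ports, identification value and the RADIUS payload are constructed assumptions chosen only so the datagram exceeds a 1500-byte MTU.

```python
"""Model: port-based filtering of a fragmented RADIUS datagram, with and without
reassembly before filtering. Packets are built in memory; nothing touches the wire."""
import struct
from dataclasses import dataclass
from typing import Optional

NPS_IP = bytes([10, 0, 0, 5])      # assumption: NPS server address
WLC_IP = bytes([10, 0, 1, 20])     # assumption: wireless controller (RADIUS client)
RADIUS_AUTH_PORT = 1812
MTU = 1500


@dataclass
class Packet:
    ident: int
    more_fragments: bool
    offset: int           # byte offset of this fragment's data in the original datagram
    proto: int
    src: bytes
    dst: bytes
    data: bytes           # everything after the IPv4 header


def build_ipv4_udp(src, dst, sport, dport, payload, ident=0x1234):
    """Unfragmented IPv4+UDP datagram. Checksums stay zero: this is a filter demo, not a sender."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, 17, 0, src, dst)
    return ip + udp


def fragment(packet, mtu=MTU):
    """Split a packet as a router would (RFC 791): offsets in 8-byte units, MF flag = 0x2000."""
    hdr, data = packet[:20], packet[20:]
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = off + len(piece) < len(data)
        flags_off = (0x2000 if more else 0) | (off // 8)
        frags.append(hdr[:2] + struct.pack("!H", 20 + len(piece)) + hdr[4:6]
                     + struct.pack("!H", flags_off) + hdr[8:] + piece)
    return frags


def parse(raw):
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return Packet(ident, bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8, proto, src, dst, raw[ihl:total])


def udp_dport(pkt) -> Optional[int]:
    """Destination port is only visible in the first fragment; later ones carry no UDP header."""
    if pkt.proto != 17 or pkt.offset != 0 or len(pkt.data) < 8:
        return None
    return struct.unpack("!H", pkt.data[2:4])[0]


def rule_matches(rule, pkt):
    """A 'pass proto udp to <dst> [port <n>]' style rule; rule = (dst, port or None for any port)."""
    dst, port = rule
    if pkt.proto != 17 or pkt.dst != dst:
        return False
    if port is None:
        return True                    # "any UDP to NPS": matches a fragment with or without a header
    return udp_dport(pkt) == port      # port rule: non-first fragments yield None and never match


def filter_fragments(frags, rules):
    """Normalization off: every fragment is judged on its own. Returns one verdict per fragment."""
    return [any(rule_matches(r, parse(f)) for r in rules) for f in frags]


def reassemble(frags):
    """Minimal RFC 791 reassembly keyed on (ident, proto, src, dst); None if any piece is missing."""
    pkts = [parse(f) for f in frags]
    if len({(p.ident, p.proto, p.src, p.dst) for p in pkts}) != 1:
        return None
    pkts.sort(key=lambda p: p.offset)
    last = pkts[-1]
    if last.more_fragments:
        return None                    # tail fragment not seen yet
    buf = bytearray(last.offset + len(last.data))
    covered = 0
    for p in pkts:
        if p.offset > covered:
            return None                # hole in the middle
        buf[p.offset:p.offset + len(p.data)] = p.data
        covered = max(covered, p.offset + len(p.data))
    first = min(frags, key=lambda f: parse(f).offset)
    hdr = first[:2] + struct.pack("!H", 20 + len(buf)) + first[4:6] + b"\x00\x00" + first[8:20]
    return hdr + bytes(buf)


def filter_with_reassembly(frags, rules):
    """Normalization on: reassemble first, then judge the whole datagram, so the port is visible."""
    whole = reassemble(frags)
    return whole is not None and any(rule_matches(r, parse(whole)) for r in rules)


# Constructed sample: an Access-Request (RADIUS code 1) carrying part of an EAP-TLS client
# certificate chain. The bytes are filler; only the size (> MTU) matters for this demo.
ACCESS_REQUEST = bytes([0x01, 0x2A, 0x0C, 0x00]) + b"\x00" * 3068
DATAGRAM = build_ipv4_udp(WLC_IP, NPS_IP, 50000, RADIUS_AUTH_PORT, ACCESS_REQUEST)
FRAGS = fragment(DATAGRAM)

PORT_RULES = [(NPS_IP, 1812), (NPS_IP, 1813)]
ANY_UDP_RULE = [(NPS_IP, None)]


def demo():
    dns_probe = build_ipv4_udp(WLC_IP, NPS_IP, 40000, 53, b"x")   # unrelated UDP to the same host
    return {
        "fragments": len(FRAGS),
        "port_rules_only": filter_fragments(FRAGS, PORT_RULES),
        "with_any_udp": filter_fragments(FRAGS, PORT_RULES + ANY_UDP_RULE),
        "port_rules_after_reassembly": filter_with_reassembly(FRAGS, PORT_RULES),
        "dns_probe_with_any_udp": filter_fragments([dns_probe], PORT_RULES + ANY_UDP_RULE)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model shows the trade-off behind the question: the catch-all rule passes the headerless fragments, but it also passes any other UDP datagram to the NPS host (the DNS probe in the demo), whereas filtering after reassembly lets the 1812/1813 rules decide the whole datagram. Reducing the datagram size so it never fragments (keeping the RADIUS/EAP packet under the path MTU) removes the problem entirely, independently of how the firewall handles fragments.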