802.1x certificate for the wan?

Started by Greg_E, June 18, 2026, 07:51:31 PM

I did a quick search, and most of these topics are about LAN side... Is there a way to configure the WAN to use 802.1x certificates to authenticate on the network? I have a use case where this might be needed, or at least make it nicer for the higher level IT department, and wanted to look into the topic. I looked at the webgui and didn't really see anything there, but certainly could have missed it.

Just thought I would be lazy and ask before I do a deeper dive to try and find the answer.

Quote from: Greg_E on June 18, 2026, 07:51:31 PM
Is there a way to configure the WAN to use 802.1x certificates to authenticate on the network?

Not clear what you want to achieve with this, in fact.

IEEE 802.1X is a network access control standard, which is not implemented in OPNsense out of the box. And certificates can be used with it, but not necessarily.

You can install the FreeRADIUS plugin on OPN as authentication server and manage user accounts in it. But it requires an external authenticator like a switch to control the network access.
And of course this would also work on WAN.

@viragomann Reading how Greg phrased the question, I think it's safe to assume that he wants OPNsense to authenticate to an 802.1x secured network as a client. Requirements like this exist in enterprise or uni campus space ;-)

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ahh.
No idea how to do this.

Would use MAC auth.

Looks like it's done via wpa_supplicant (wired and wireless) and/or hostapd (wireless only, apparently). Interface differentiation for wpa_supplicant seems to be via command-line parameter only - seems to hinder automatic setup of multiple supplicants.

There isn't enough information what the WAN port would be connected to.

It could be a port on an infrastructure switch requiring authentication, we don't know.

Perhaps wpa_supplicant could be used but I don't know if one of the EAP methods supports Certificate Authentication Greg is mentioning.

This package is already installed in my OPNsense. I don't use it and I don't know if it's included in a default install.

Looking at the sample configuration file (/usr/local/etc/wpa_supplicant.conf.sample) under the "AP scanning/selection" section, the value of 0 is described as:

Quote
# AP scanning/selection
...
# 0: This mode must only be used when using wired Ethernet drivers
#    (including MACsec).

I don't know how this would be configured in OPNsense, however, this site has a configuration for a wired device - https://skybert.net/linux/wired-network-with-8021x-authentication/
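For the wired, certificate-based case discussed above, here is an added example of what a wpa_supplicant.conf for an EAP-TLS supplicant on a wired port looks like (this is not from the thread, nor from OPNsense's or wpa_supplicant's own documentation); the interface name igb0, the identity and the certificate/key paths are assumptions to be replaced with your own.

```conf
# Example wpa_supplicant.conf for a wired EAP-TLS (certificate) supplicant.
# Assumed: interface igb0, identity and file paths below are placeholders.
#
# Start (FreeBSD/OPNsense uses the "wired" driver for Ethernet ports):
#   wpa_supplicant -B -D wired -i igb0 -c /usr/local/etc/wpa_supplicant.conf
# Check the EAP state afterwards:
#   wpa_cli -i igb0 status

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# 0 = no AP scanning: required for wired Ethernet drivers (see the
# sample file quoted above); the supplicant only speaks EAPOL on the port.
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS

    # Outer identity sent in EAP-Response/Identity; must match what the
    # switch / NAC policy expects for this device.
    identity="opnsense-wan.example.org"

    # CA that issued the authentication server's certificate. Without
    # ca_cert the supplicant cannot verify who it is authenticating to,
    # so a rogue authenticator on the wire could harvest the session.
    ca_cert="/usr/local/etc/ssl/8021x-ca.pem"

    # Device certificate and private key issued for this firewall.
    # Keep the key file mode 0600 and owned by root.
    client_cert="/usr/local/etc/ssl/opnsense-wan.crt"
    private_key="/usr/local/etc/ssl/opnsense-wan.key"
    private_key_passwd="placeholder-passphrase"

    # Wired ports do not negotiate WEP keys over EAPOL.
    eapol_flags=0
}
```

`wpa_cli status` should report `Supplicant PAE state=AUTHENTICATED` once the switch accepts the certificate; if it sits in `CONNECTING`, the authenticator is not answering EAPOL on that port at all.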

It will be on a switch port that requires certificate based authentication to allow traffic and assign the port to the correct "lan". Correct "lan" is in theory a logical path back to the ISP, but again, the switches require the certificate in order to pass traffic. Right now they are bypassing this on a port by port basis. I'm waiting for some new and wonderful automation to come through and wipe out my connection. If I have the correct cert, then the automation will at least get me on a network to grab internet while I sort out the rest.

And no, I don't know why they didn't use a Radius server, we have one for other things, and the open version seems to work just fine. But they didn't and I have a feeling it was based on what Extreme Networks suggested (we are an Extreme campus) because it worked better with their fabric system.

And thanks for mentioning the wpa_supplicant. I saw that in documents and was getting confused because I was thinking only wifi. At least I have a path to look into to see if I can get to the end and test.

It also helps because I have an OpenWrt router that I'm going to need to do the same with. Need wired to get to the internet, then internal wireless to connect 3 cameras, a control surface, and an iPad for video production (NDI | HX3) called the Birddog Maki Live. I'm going to assume that the same wpa_supplicant path will allow me to get this OpenWrt router on the network; don't care how many levels of NAT it uses as it only needs to get out to the web to stream.