Dynamic VLANs without Radius possible?

Started by saveNAT, January 12, 2023, 03:57:31 PM

Hello,

is there a way to assign devices to a VLAN based on the MAC address without using a Radius server?

Your switch needs to do that. OPNsense only understands static VLAN interfaces which you then connect to a switch.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on January 12, 2023, 04:25:24 PM
Your switch needs to do that. OPNsense only understands static VLAN interfaces which you then connect to a switch.

Thank you for your quick response.
I figured maybe with a firewall that powerful, there were other options.

Unfortunately, switches can't do that as far as I've found.
Dynamic VLANs are defined in 802.1x.
Unfortunately, a radius server is always assumed here as far as I've found so far!

But if someone should know a switch where dynamic VLANs without a radius are possible, please tell me.

January 12, 2023, 06:30:33 PM #3 Last Edit: January 12, 2023, 06:36:27 PM by pmhausen
Quote from: saveNAT on January 12, 2023, 06:09:19 PM
I figured maybe with a firewall that powerful, there were other options.
Even with a firewall that powerful you generally do not have a separate port on the firewall for each client. Dynamic VLAN membership means port based VLANs are assigned to the port a client is plugged into based on 802.1x or MAC address. You need a device that can manage each port that way. You cannot assign multiple VLANs to a single port and still keep clients separate. Multiple VLANs per port is of course possible.

Cisco can do VMPS which is a proprietary MAC based alternative to full 802.1x. I rather like it. Some of their switches can serve as VMPS servers. Alternatively - you guessed it - FreeRADIUS can be used.

Since RADIUS comes free with Windows Server or can be implemented with open source software (FreeRADIUS) on Linux, BSD, ... why are you opposed to using a RADIUS server?

P.S. Here's an open source VMPS server: https://sourceforge.net/projects/vmps/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on January 12, 2023, 06:30:33 PM
Quote from: saveNAT on January 12, 2023, 06:09:19 PM
I figured maybe with a firewall that powerful, there were other options.
Since RADIUS comes free with Windows Server or can be implemented with open source software (FreeRADIUS) on Linux, BSD, ... why are you opposed to using a RADIUS server?

I don't dislike Radius at all. I'll test it all and then I decide.
At first I planned to design the home network according to the KISS principle and Radius didn't quite fit in there. :D

Would it then be best to run the Radius server on a VM or better on another platform like a TrueNAS?

It can run on a Raspberry Pi or a VM or a jail on TrueNAS ... whatever makes sense to you from an operations point of view. If you already have a FreeBSD based TrueNAS, throw it in a jail, cost in memory and diskspace is negligible.
If you already run some Linux based server 24x7, maybe use Docker or KVM. If you already have ESXi ... you get the idea.

For a home network I would take a step back and reconsider: why dynamic VLAN assignments at all?

Many devices will be wireless so that is solved with multiple SSIDs mapped to VLANs. Then there's static VLAN assignments to switch ports. Do you really rewire your home network devices every other day?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

OpnSense has a FreeRadius server plugin (os-freeradius), so what is the problem?

If you have a Radius-capable switch, you can define as many VLANs as you like and configure the switch ports to 802.1x based on your Radius settings. I do exactly that with Unifi switches.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: pmhausen on January 12, 2023, 09:42:44 PM
For a home network I would take a step back and reconsider: why dynamic VLAN assignments at all?

Many devices will be wireless so that is solved with multiple SSIDs mapped to VLANs. Then there's static VLAN assignments to switch ports. Do you really rewire your home network devices every other day?

Thank you for your assessment. There are actually only two reasons that would speak for a Radius server.

First:
If someone (child, woman, guest) plugs a device into a network socket, it would be nice if the device was integrated into the corresponding VLAN.
In this case, I could perhaps switch all the ports in the switch that are not required to the guest VLAN and switch only special ports to other VLANs if required.
Would you see that as a viable alternative?

Second:
I have reachable external connections for IP cameras.
I would like to secure this as best as possible. A MAC filter is not exactly secure. Radius would be safer here.
But maybe it would also be enough here that I pack all external connections into a separate VLAN and route only the most necessary things into the corresponding VLANs via the OPNsense?



Quote from: meyergru on January 13, 2023, 02:17:18 AM
OpnSense has a FreeRadius server plugin (os-freeradius), so what is the problem?

If you have a Radius-capable switch, you can define as many VLANs as you like and configure the switch ports to 802.1x based on your Radius settings. I do exactly that with Unifi switches.

I will also look at the Radius server in my test setup.
The only question is whether the Radius server does not make the entire system extremely complex.
Are you getting along well with your Radius server?
Are there any breakdowns and how big is the maintenance effort?

A Cisco Catalyst could do web based authentication, then you might not need Radius; either way, all setups will be complex with your demand.

Quote from: saveNAT on January 13, 2023, 08:08:09 AM
If someone (child, woman, guest) plugs a device into a network socket, it would be nice if the device was integrated into the corresponding VLAN.
In this case, I could perhaps switch all the ports in the switch that are not required to the guest VLAN and switch only special ports to other VLANs if required.
Would you see that as a viable alternative?

...

I will also look at the Radius server in my test setup.
The only question is whether the Radius server does not make the entire system extremely complex.
Are you getting along well with your Radius server?
Are there any breakdowns and how big is the maintenance effort?

Those are the essential questions. This sure adds complexity. For example, you need to have ALL tagged VLANs and no untagged one, because you cannot assign a VLAN "0" in Radius and you want to have a fallback (i.e. guest or dummy) VLAN for unknown devices. To be able to attach any known device to any non-dedicated port and have it use the correct VLAN is one of the benefits of 802.1x; I would use as few dedicated ports as possible.

You also have to consider adding every new device to your configuration, probably multiple times (DHCP, DNS, plus now Radius). Even the format of the MAC is different for 802.1x than for DHCP.

Then, there is the problem of ports that have to be trunked, namely uplinks to other switches and access points. If you cannot restrict physical access to these ports, you gain nothing with regard to security. Alas, I have found no way of assigning a trunk via 802.1x.

Also, MACs can be spoofed if you only make use of more lightweight MAC-based 802.1x without certificates (which many clients do not support).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
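The post above describes the pieces of a MAC-based 802.1x setup with a fallback VLAN: one RADIUS entry per device, the VLAN handed back as reply attributes, a catch-all for unknown devices, and the annoyance that the MAC shows up in a different format in the switch's RADIUS request than in your DHCP configuration. The following script is an added example, not code from the thread or from the FreeRADIUS project; it generates entries in the FreeRADIUS `users` file format from a small constructed inventory. It assumes the switch does MAC authentication (the lightweight, spoofable mode the post warns about) and sends the MAC as User-Name; the device list, VLAN IDs and the `style` argument are assumptions, and which MAC format your switch actually sends has to be read off a real request in `radiusd -X` output. The three Tunnel-* reply attributes are the RFC 3580 triplet a switch expects for a VLAN assignment regardless of authentication method, so the same reply items apply when you later move to certificate-based EAP-TLS and match on the certificate instead of the MAC.

```python
"""Generate FreeRADIUS `users` entries for MAC-based VLAN assignment.

Added example for illustration only. Assumptions: the switch does MAC
authentication and sends the MAC as User-Name; VLAN IDs, devices and the
MAC rendering style are made up here and must be checked against your own
switch (`radiusd -X` shows the exact User-Name format it sends).
"""
import re

# RFC 2868 tunnel attributes; RFC 3580 describes their use for 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = "VLAN"        # Tunnel-Type = 13
TUNNEL_MEDIUM_802 = "IEEE-802"   # Tunnel-Medium-Type = 6

# Constructed sample inventory (not real devices), written the way DHCP leases,
# Cisco and Windows print MACs, to show why normalisation is needed.
DEVICES = {
    "00:11:22:33:44:55": 20,  # workstation, colon form (DHCP lease / `ip link`)
    "0011.2233.4466": 30,     # IP camera, Cisco dotted form
    "00-11-22-33-44-77": 30,  # IP camera, Windows dash form
}
GUEST_VLAN = 99  # assumed fallback VLAN for unknown devices


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, separator-free form used as the lookup key."""
    bare = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare


def format_mac(mac: str, style: str) -> str:
    """Render a MAC the way the switch sends it as User-Name.

    The right style is not knowable from this script: take it from a
    `radiusd -X` trace of a real request from your switch.
    """
    bare = normalize_mac(mac)
    pairs = [bare[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "dash":
        return "-".join(pairs)
    if style == "cisco":
        return ".".join(bare[i:i + 4] for i in range(0, 12, 4))
    if style == "bare":
        return bare
    raise ValueError(f"unknown MAC style {style!r}")


def vlan_for(mac: str, inventory=DEVICES, fallback=GUEST_VLAN) -> int:
    """VLAN for a device given in any common MAC format; unknown -> fallback."""
    known = {normalize_mac(k): v for k, v in inventory.items()}
    return known.get(normalize_mac(mac), fallback)


def users_entry(name: str, vlan: int) -> str:
    """One `users` entry: check items on the first line, reply items indented
    below, comma-terminated except for the last one."""
    return (
        f"{name}\tAuth-Type := Accept\n"
        f"\tTunnel-Type = {TUNNEL_TYPE_VLAN},\n"
        f"\tTunnel-Medium-Type = {TUNNEL_MEDIUM_802},\n"
        f'\tTunnel-Private-Group-Id = "{vlan}"\n'
    )


def render_users_file(inventory=DEVICES, guest_vlan=GUEST_VLAN, style="dash") -> str:
    """Known MACs first, then a DEFAULT entry that puts every other MAC into the
    guest VLAN. Entries are matched top to bottom, so DEFAULT must come last.
    Change DEFAULT to `Auth-Type := Reject` if you would rather let the switch's
    own authentication-failure VLAN catch unknown devices."""
    entries = [users_entry(format_mac(mac, style), vlan) for mac, vlan in inventory.items()]
    entries.append(users_entry("DEFAULT", guest_vlan))
    return "\n".join(entries)


if __name__ == "__main__":
    print(render_users_file())
```

Because every known device is an explicit entry and everything else falls through to DEFAULT, adding a device means adding one more line to the inventory and regenerating the file; the normalisation step is what keeps that from silently failing when the MAC was copied from a DHCP lease in a different format than the switch uses.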

So there are only 3 options for the network sockets in the house:
1. Switch all unused ports in the switch to the guest VLAN
2. Disable all unused ports in the switch
3. Use Radius servers

Or is there maybe a simple and almost similarly good/safe way?

Quote from: saveNAT on January 13, 2023, 02:51:00 PM
So there are only 3 options for the network sockets in the house:
1. Switch all unused ports in the switch to the guest VLAN
2. Disable all unused ports in the switch
3. Use Radius servers

How would #1 or #2 help if you have accessible LAN ports at all?

Radius allows - in theory - to secure ports by having a kind of "lock". #1 and #2 would be like "just use another open door".
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on January 13, 2023, 04:47:17 PM
How would #1 or #2 help if you have accessable LAN ports at all?

Not really, but I try to find a solution without a radius server, but maybe it is the only good solution......!

If someone here has another good solution, please tell me. :)

January 13, 2023, 09:58:29 PM #13 Last Edit: January 13, 2023, 10:05:05 PM by meyergru
What I tried to say was: If you want to have a perfectly secure solution, you need to secure the physical access to at least those ports that are not secured by anything else, even without Radius.

If that is not possible, every solution is more of a cosmetic kind and probably serves the only purpose of educating you. In that case, you should try Radius to learn even more.

If you want a really secure solution, you need Radius anyway, and certificate-based Radius at that.

So I do not get the rationale of avoiding Radius. What are you really trying to accomplish? What kind of in-between would solve that purpose? Maybe I just cannot see it.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on January 13, 2023, 09:58:29 PM
If you want a really secure solution, you need Radius anyway, and certificate-based Radius at that.

So I do not get the rationale of avoiding Radius. What are you really trying to accomplish? What kind of in-between would solve that purpose? Maybe I just cannot see it.
I understand.
So you would do the Radius authentication with a certificate for all possible devices and not over MAC.
All unknown devices (e.g. guest PC on LAN port) are then routed to a fallback VLAN (e.g. guest VLAN) by the Radius server.

Would that be the solution you would recommend or did I misunderstand you?