802.1x certificate for the wan?

Started by Greg_E, June 18, 2026, 07:51:31 PM

I did a quick search, and most of these topics are about LAN side... Is there a way to configure the WAN to use 802.1x certificates to authenticate on the network? I have a use case where this might be needed, or at least make it nicer for the higher level IT department, and wanted to look into the topic. I looked at the webgui and didn't really see anything there, but certainly could have missed it.

Just thought I would be lazy and ask before I do a deeper dive to try and find the answer.

Quote from: Greg_E on June 18, 2026, 07:51:31 PM
Is there a way to configure the WAN to use 802.1x certificates to authenticate on the network?
Not clear what you want to achieve with this, in fact.

IEEE 802.1X is a network access control standard, which is not implemented in OPNsense out of the box. And certificates can be used with it, but not necessarily.

You can install the FreeRADIUS plugin on OPN as an authentication server and manage user accounts in it. But it requires an external authenticator like a switch to control the network access.
And of course this would also work on WAN.

@viragomann Reading how Greg phrased the question, I think it's safe to assume that he wants OPNsense to authenticate to an 802.1x secured network as a client. Requirements like this exist in enterprise or uni campus space ;-)

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ahh.
No idea how to do this.

Would use MAC auth.

Looks like it's done via wpa_supplicant (wired and wireless) and/or hostapd (wireless only, apparently). Interface differentiation for wpa_supplicant seems to be via command-line parameter only - seems to hinder automatic setup of multiple supplicants.

There isn't enough information about what the WAN port would be connected to.

It could be a port on an infrastructure switch requiring authentication, we don't know.

Perhaps wpa_supplicant could be used but I don't know if one of the EAP methods supports Certificate Authentication Greg is mentioning.

This package is already installed in my OPNsense. I don't use it and I don't know if it's included in a default install.

Looking at the sample configuration file (/usr/local/etc/wpa_supplicant.conf.sample) under the "AP scanning/selection" section, the value of 0 is described as:
Quote
# AP scanning/selection
.
.
.
# 0: This mode must only be used when using wired Ethernet drivers
#    (including MACsec).

I don't know how this would be configured in OPNsense; however, this site has a configuration for a wired device - https://skybert.net/linux/wired-network-with-8021x-authentication/
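
As an added example (not from any poster in this thread and not OPNsense's own code): a small Python check run over a constructed wpa_supplicant configuration for a wired EAP-TLS client, the certificate-based EAP method the posts above ask about. The identity, file paths and function names are assumptions; the option names are those documented in wpa_supplicant's sample configuration.

```python
# Constructed sample: wired EAP-TLS client config; identity and paths are placeholders.
# Typically started as: wpa_supplicant -D wired -i <wan-interface> -c <this file>
SAMPLE_CONF = """
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="opnsense-wan@example.org"
    ca_cert="/path/to/radius-ca.pem"
    client_cert="/path/to/client.pem"
    private_key="/path/to/client.key"
}
"""

def parse_conf(text):
    """Return (global options, list of network blocks) as key -> value dicts."""
    globals_, networks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            target = current if current is not None else globals_
            target[key.strip()] = value.strip().strip('"')
    return globals_, networks

def check_wired_eap_tls(text):
    """List settings that would break or weaken wired 802.1X with certificates."""
    globals_, networks = parse_conf(text)
    problems = []
    if globals_.get("ap_scan") != "0":
        problems.append("ap_scan must be 0 for wired Ethernet drivers")
    if not networks:
        problems.append("no network block")
    for net in networks:
        if net.get("key_mgmt") != "IEEE8021X":
            problems.append("key_mgmt should be IEEE8021X")
        if "TLS" not in net.get("eap", "").split():
            problems.append("eap=TLS is required for certificate authentication")
        problems += [f"{k} missing" for k in ("client_cert", "private_key") if k not in net]
        if "ca_cert" not in net and "ca_path" not in net:
            problems.append("no ca_cert/ca_path: server certificate is not verified")
    return problems
```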