802.1X authenticator for FreeBSD

Peter Blok pblok at bsd4all.org
Sat Oct 21 16:05:07 UTC 2017


Although WPA2 Enterprise authentication works perfectly on FreeBSD with FreeRADIUS, some functionality (like the built-in DHCP) is not implemented due to the lack of PF_LINK, SOCK_RAW. FreeBSD uses bpf for this.

Don’t know if this is required for what you want, but be aware.

I am interested in switch port authentication, but haven’t found the time to dig into the matter. And I refuse to use Linux….

Peter

> On 20 Oct 2017, at 07:32, Peter Ankerstål <peter at pean.org> wrote:
> 
> 
> 
>> On 18 Oct 2017, at 21:39, Charles Sprickman <spork at bway.net> wrote:
>> 
>> 
>>> On Oct 18, 2017, at 1:10 PM, Peter Ankerstål <peter at pean.org> wrote:
>>> 
>>>> 
>>>> I’m under the impression that the authenticator function in a wired network is usually part of the switch, and the switch will talk to some authentication server like RADIUS, giving it the port number of the connected device and additional information.
>>>> 
>>>> If FreeBSD had such a function, I think it would be limited to point-to-point Ethernet links, 802.1x being a link-layer protocol.
>>>> 
>>> 
>>> Yes I know, but this is functional in hostapd for Linux and it would be nice to have it in FreeBSD as well. 
>> 
>> I’m not seeing this in FreeBSD, but pfsense does claim to support 802.1x for wifi.
>> 
>> I just happen to be reading about radius (last I used it was for dialup) for wifi auth and the quick overview on the radius side of things is that the AP software sends your auth info as well as MAC and a bunch of other stuff, and the radius server (much like dialup) sends back all sorts of info beyond auth success/fail - session timeout, info on what VLAN the client may be on, firewall policies, etc. Pretty cool stuff.
> 
> 802.1X (or WPA2 Enterprise) works fine with hostapd for wireless in FreeBSD. Well, the authentication at least. I haven’t tried assigning clients to specific VLANs and so on, but according to the documentation it is possible.
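
Added example, not part of the original thread or of any project mentioned in it: a sketch of how an authenticator could read the session timeout and VLAN assignment that the quoted messages say a RADIUS server returns, checking the Response Authenticator (RFC 2865) before trusting any attribute. The shared secret, request authenticator and packet are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-secret"       # constructed sample shared secret
REQUEST_AUTH = bytes(range(16))      # constructed Request Authenticator

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value   # type, length, value

def sample_accept():
    """Constructed Access-Accept: 3600 s session timeout, VLAN 42."""
    attrs = (attr(27, struct.pack("!I", 3600))                # Session-Timeout
             + attr(64, b"\x00" + (13).to_bytes(3, "big"))    # Tunnel-Type = VLAN
             + attr(65, b"\x00" + (6).to_bytes(3, "big"))     # Tunnel-Medium-Type = 802
             + attr(81, b"42"))                               # Tunnel-Private-Group-ID
    head = struct.pack("!BBH", 2, 7, 20 + len(attrs))         # code 2 = Access-Accept
    auth = hashlib.md5(head + REQUEST_AUTH + attrs + SECRET).digest()
    return head + auth + attrs

def parse_accept(packet, request_auth, secret):
    """Verify the reply, then return the policy attributes it carries."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    out = {"session_timeout": None, "tunnel_type": None, "tunnel_medium": None, "vlan": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 27 and len(value) == 4:
            out["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype in (64, 65) and len(value) == 4:   # tag byte, then 24-bit value
            out["tunnel_type" if atype == 64 else "tunnel_medium"] = int.from_bytes(value[1:], "big")
        elif atype == 81 and value:   # a leading byte of 0x1F or less is a tag
            out["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode("ascii")
        pos += alen
    return out
```

A reply whose authenticator does not match is rejected before any attribute is read, so a modified VLAN value never reaches the port configuration.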



More information about the freebsd-stable mailing list