From: Peter Blok <pblok@bsd4all.org>
Subject: Re: 802.1X authenticator for FreeBSD
Date: Sat, 21 Oct 2017 17:45:39 +0200
To: Peter Ankerstål
Cc: Charles Sprickman, FreeBSD Stable, Stefan Bethke, Chris Ross
Message-Id: <90C2260F-D7E1-4EF6-824C-EA90C09F0B82@bsd4all.org>
In-Reply-To: <82E419D4-4FB4-402A-ACC9-C58D498461BE@pean.org>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

Although WPA2 Enterprise authentication works perfectly on FreeBSD with FreeRADIUS, some functionality (like the built-in DHCP) is not implemented due to lack of PF_LINK, SOCK_RAW. FreeBSD uses bpf for this. Don't know if this is required for what you want, but be aware.

I am interested in switch port authentication, but haven't found the time to dig into the matter. And I refuse to use Linux…
Peter

> On 20 Oct 2017, at 07:32, Peter Ankerstål wrote:
>
>> On 18 Oct 2017, at 21:39, Charles Sprickman wrote:
>>
>>> On Oct 18, 2017, at 1:10 PM, Peter Ankerstål wrote:
>>>
>>>> I'm under the impression that the authenticator function in a wired network is usually part of the switch, and the switch will talk to some authentication server like RADIUS, giving it the port number of the connected device and additional information.
>>>>
>>>> If FreeBSD had such a function, I think it would be limited to point-to-point Ethernet links, 802.1x being a link-layer protocol.
>>>
>>> Yes I know, but this is functional in hostapd for Linux and it would be nice to have it in FreeBSD as well.
>>
>> I'm not seeing this in FreeBSD, but pfSense does claim to support 802.1x for wifi.
>>
>> I just happen to be reading about RADIUS (last I used it was for dialup) for wifi auth and the quick overview on the RADIUS side of things is that the AP software sends your auth info as well as MAC and a bunch of other stuff, and the RADIUS server (much like dialup) sends back all sorts of info beyond auth success/fail - session timeout, info on what VLAN the client may be on, firewall policies, etc. Pretty cool stuff.
>
> 802.1X (or WPA2 Enterprise) works fine with hostapd for wireless in FreeBSD. Well, the authentication at least. I haven't tried assigning clients to specific VLANs and so on but according to the documentation it is possible.
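As an added illustration of the setup the thread is talking about (this is an editor's example, not a configuration posted by anyone in the thread and not copied from the hostapd or FreeRADIUS documentation), here is a minimal hostapd.conf for a FreeBSD access point acting as the 802.1X authenticator for WPA2 Enterprise, relaying EAP to a RADIUS server and honouring per-user VLAN assignment from the RADIUS reply. The interface name, SSID, addresses, shared secret and VLAN file path are assumptions chosen for the example; the `driver=bsd` line is what hostapd uses on FreeBSD, but whether dynamic VLAN tagging works with that driver is not something the thread confirms, so treat `dynamic_vlan=1` as the setting to test rather than a guarantee.

```ini
# Added example: hostapd.conf for a FreeBSD AP doing WPA2 Enterprise (802.1X/EAP).
# Interface, SSID, addresses, secret and paths below are assumed values, not from the thread.
interface=wlan0
driver=bsd
ssid=corp-example
hw_mode=g
channel=6

# RSN (WPA2) with EAP key management: the AP is the authenticator, the client the supplicant.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Do not terminate EAP in hostapd; forward it to the RADIUS server (authentication server).
eap_server=0

# RADIUS authentication server (assumed address and secret).
# The shared secret only protects the RADIUS exchange weakly; keep this traffic on a
# management network and use a long random secret, not a dictionary word.
own_ip_addr=192.0.2.1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret

# RADIUS accounting (optional; same assumed server).
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=replace-with-a-long-random-secret

# Let the RADIUS Access-Accept choose the client's VLAN via Tunnel-* attributes.
# Assumes the bsd driver supports dynamic VLANs; verify on your build.
dynamic_vlan=1
vlan_file=/usr/local/etc/hostapd.vlan
```

On the RADIUS side the VLAN assignment the quoted messages mention is carried in the Access-Accept as the three tunnel attributes `Tunnel-Type = VLAN`, `Tunnel-Medium-Type = IEEE-802` and `Tunnel-Private-Group-Id = <vlan id>`; in FreeRADIUS these can be set as reply items on a user entry or by policy. To check the authentication path before touching the wireless side, run `radtest` from the AP against the server with the same shared secret and confirm you get an Access-Accept carrying those attributes; then confirm with `hostapd -dd` that the EAP exchange completes and the station lands on the expected VLAN. Note Peter Blok's caveat above: hostapd features that need a raw link-layer socket (PF_LINK/SOCK_RAW), such as its built-in DHCP handling, are not available on FreeBSD even when the RADIUS authentication itself works.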