Physical Network Access Control with 802.1X

  • Published 30 Jan 2025

Comments • 79

  • @michael_w
    @michael_w months ago +9

    I am so mad right now, I spent days getting FreeRADIUS setup and now you come along and provide a great video that clearly explains all the things I have figured out the hard way! How dare you! Stop being such a good teacher!!!!

    • @bfrd9k
      @bfrd9k months ago +1

      No better way to learn imo.

    • @SB-qm5wg
      @SB-qm5wg 21 days ago

      I've never once had a pain-free RADIUS experience.

  • @chusthebiker
    @chusthebiker months ago +5

    This is incredible deep labbing stuff. So cool. I’m grateful for this content, nothing like this anywhere. Congrats on your fantastic work!

  • @Tobascus
    @Tobascus months ago +16

    I love the push for IPv6! (And chuckle at the word "legacy" for IPv4 ^^)

    • @Arian-gm4rx
      @Arian-gm4rx months ago +1

      Network engineering student here, begging for us to pick a standard and commit to it 😭

    • @Kilraeus
      @Kilraeus months ago +2

      Finally starting to see a real push for v6 in industry, and not just for dual stack, but for v6 only environments.
      In no small part due to the US OMB memorandum, but as more users have v6 natively, service providers can make a choice about their costs of which network to support

    • @legendaryzfps
      @legendaryzfps months ago

      @Arian-gm4rx network engineer here. I agree!

  • @TheChadXperience909
    @TheChadXperience909 months ago +7

    Really cool to see you doing a FreeRADIUS video. Now, all you need to do is connect it to an LDAP. LOL I know... I know... Just teasing.

    • @apalrdsadventures
      @apalrdsadventures months ago +10

      FreeRADIUS is kinda a lot for one video, but it will come I'm sure

  • @jarmolahtiranta9919
    @jarmolahtiranta9919 months ago +1

    Nice to see a hands-on practical example of this. I've always considered 802.1x to be complex and expensive black magic stuff that's out of reach for small teams, but this definitely looks doable :)

    • @apalrdsadventures
      @apalrdsadventures months ago

      really the only black magic bit is FreeRADIUS's config language and examples

  • @DarrynSmith
    @DarrynSmith months ago +18

    Would LOVE to see a video for packetfence, unifi, and Synology directory server integration. Currently working on that myself.

    • @A-Litte-Catnoreplay
      @A-Litte-Catnoreplay months ago

      oh yes packetfence is so cool i don't get why almost no one is using it

    • @apalrdsadventures
      @apalrdsadventures months ago +2

      Unifi doesn't support radsec (for 802.1x... for some reason it does for WPA3), and also doesn't support IPv6 for RADIUS.
      Packetfence is cool though

    • @DarrynSmith
      @DarrynSmith months ago

      @apalrdsadventures Support for RADIUS over TLS (RADSEC) has been added to UniFi Network 8.4 and newer versions. This requires a Client Certificate, Private Key, and CA Certificate from a supported RADIUS server. I have no idea about IPv6 tho, I'm still an IPv4 environment here.

    • @Kilraeus
      @Kilraeus months ago +6

      @apalrdsadventures the saga of unifi's weird gaps in IPv6 continues

    • @LampJustin
      @LampJustin months ago

      The docs of packetfence look really ironic, to install the software you'll need to deactivate all security on the OS. On Debian deactivate Apparmor and on RHEL deactivate SELinux. For real? 😂

  • @intelligenesignd
    @intelligenesignd months ago

    Very informative and walks you through each step at a reasonable pace while occasionally pausing to provide explanatory commentation. Thanks.

  • @jsaenzMusic
    @jsaenzMusic months ago

    Thank you for the ipv6 buzz podcast drop, subscribed to them now!

  • @Prophes0r
    @Prophes0r months ago +1

    Supplicant is a pretty good term for what is happening.
    To Supplicate, is to humbly ask someone in power for permission/power to do/use something.
    The supplicant doesn't simply present credentials and demand access.

  • @PeterHonig.
    @PeterHonig. months ago +5

    I run two RADIUS servers (a primary and a backup), and my Cisco switches are configured to fail-over in the event that the primary is down. You really don't want to be dependent on a single point of failure. By the way, I literally just discovered that all my Cisco switches (SG350-28) have a RADIUS server built right into them and I no longer need separate servers.

  • @fbifido2
    @fbifido2 months ago +2

    @28:15 - why did you not use the Site-local ipv6 (fdxx::) address?
    for the client (sw5) to access the radius server.

    • @apalrdsadventures
      @apalrdsadventures months ago +2

      fdxx is part of the unique local address space, and there's no reason to use ULA space on a network which has GUA space.
      The site-local space (fec0) has been deprecated for awhile.

    • @eDoc2020
      @eDoc2020 months ago +3

      @apalrdsadventures No reason? Unless you have a contracted fixed IP your ISP can change your prefix. It may be stable but when the time comes for it to change do you really want to reconfigure every device (and likely forget some services)?

    • @fbifido2
      @fbifido2 months ago

      @eDoc2020 well said, plus you don't want direct access to internet from local subnet without a way to block/filter/change/etc...

    • @fbifido2
      @fbifido2 months ago

      @apalrdsadventures can we super subnet fdxx to a lower set of ipv6-address like say a /120 or /115, etc.. ????

    • @apalrdsadventures
      @apalrdsadventures months ago

      You should never use a subnet mask other than /64 in IPv6. Of course route aggregates are larger.

  • @SB-qm5wg
    @SB-qm5wg 21 days ago

    Excellent job here.

  • @corstian_
    @corstian_ months ago +5

    Is packetfence not a better alternative?

    • @damiendye6623
      @damiendye6623 months ago +3

      No as you have to pay maintenance

    • @HyperDroids
      @HyperDroids months ago

      @damiendye6623 What do you mean by pay maintenance? As in PacketFence is unreliable and breaks, requiring fixes? Genuinely asking. Thanks!

  • @xtlmeth
    @xtlmeth months ago

    I’m fortunate enough to be able to run Aruba Clearpass in my home lab.

  • @deadlast561
    @deadlast561 months ago

    Great video, cool topic!

  • @2APatriot
    @2APatriot months ago

    Shout outs to that orange and black harbor freight screwdriver from the multi-pack that was just on sale.

  • @hristobarbolov5953
    @hristobarbolov5953 months ago

    A fun fact for Mikrotiks: They can also act as RADIUS servers with the help of a package called User Manager

  • @RyanMerck
    @RyanMerck months ago

    Great content, thank you!

  • @Tntdruid
    @Tntdruid months ago +2

    My head hurts now 😄👍

  • @dcarnesecchi
    @dcarnesecchi months ago

    Thank you for this great video and tutorial!!! I think there is an error during server certificate generation: "cat root.pem > $sr.crt" should be "cat root.pem >> $sv.crt". Actually the first command does nothing and everything works fine, so it is probably unnecessary. Furthermore, can you explain the necessity of the "verify" section with the external openssl command in FreeRadius config? I did not set it in a previous setup. Am I running any risk?

    • @apalrdsadventures
      @apalrdsadventures months ago

      the verify command is executed by FreeRADIUS to validate the certificate
      tbh I have no idea why FreeRADIUS has both a verify command and also the root cert. The documentation doesn't seem to say either.

    • @dcarnesecchi
      @dcarnesecchi months ago

      @apalrdsadventures I think that client certificate is verified by default without the need of “external validation”. In debug log you can read: “eap_tls: (TLS) TLS - Setting verify mode to require certificate from client”.
      Edit: Ok, I got it. External verification is required if you want OCSP.
      Furthermore, I had to disable tlscache in radsec, otherwise my clients failed to authenticate via UniFi APs. I tried with Apple devices only. Also, for iOS devices, client certificates must have DNS name in SAN attribute (the same as CN) ;)

  • @fullstack_journey
    @fullstack_journey months ago

    ... aand subscribed!

  • @user-rx8lz6yz4f
    @user-rx8lz6yz4f months ago

    I just want dynamic VLAN selection that isn’t proprietary and legacy VMPS. I suppose secure connections would be a bonus but I need it to be able to handle all sorts of old lab equipment not just modern computers. Not sure if it’s worth it in my case.

    • @apalrdsadventures
      @apalrdsadventures months ago +2

      RADIUS can carry VLAN assignment (from its database) along with an access accept. It's a bit too long to get into in this video, but it's certainly a feature of 802.1x, and it can also be used with MAC-based auth.
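      The VLAN assignment described in this reply is carried by the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id), which RFC 3580 specifies for 802.1X. The following is an added example, not code from the video or from FreeRADIUS: it encodes those three attributes the way they appear inside an Access-Accept, and then parses them back the way a switch would, including the untagged form of Tunnel-Private-Group-Id and the refusal to apply an incomplete or mismatched attribute set. The attribute numbers and values are the standard ones; the function names are this example's own.

```python
"""Encode and decode the RFC 2868 tunnel attributes that assign a VLAN in a
RADIUS Access-Accept (RFC 3580).  Added example; not the video's or
FreeRADIUS's code."""
import struct
from typing import List, Optional, Tuple

# Attribute type numbers (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS type/length/value; the length byte counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three attributes a switch needs to put the port into vlan_id.

    Tunnel-Type and Tunnel-Medium-Type are a tag byte followed by a 24-bit
    integer; Tunnel-Private-Group-Id is the tag byte followed by the VLAN as a
    string.  RFC 2868 tags run 0x00..0x1F.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tag_byte = bytes([tag])
    return (
        _attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def vlan_from_access_accept(data: bytes) -> Optional[int]:
    """Return the VLAN a NAS would apply, or None if the attributes are incomplete.

    All three tunnel attributes must share a tag, Tunnel-Type must be VLAN and
    Tunnel-Medium-Type must be IEEE-802; otherwise the port keeps its default.
    """
    tunnels = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not value:
            raise ValueError("empty tunnel attribute")
        tag, payload = value[0], value[1:]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and tag > 0x1F:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
            tag, payload = 0, value
        tunnels.setdefault(tag, {})[attr_type] = payload
    for fields in tunnels.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            group = fields[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    blob = encode_vlan_assignment(100)
    print(blob.hex())                      # 40060100000d410601000006510601313030
    print(vlan_from_access_accept(blob))   # 100
```

      Because the switch ignores the assignment when any of the three attributes is missing, a policy that returns only Tunnel-Private-Group-Id silently leaves the port in its default VLAN; the parser above returns None in that case so the gap shows up in testing rather than on the wire.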

  • @user-zr7kz4vs7c
    @user-zr7kz4vs7c months ago

    Is it possible to set this up on a managed switch? My TP-Link managed switch does not support 802.1x.

    • @eDoc2020
      @eDoc2020 months ago

      If your switch doesn't support dot1x then you can't use dot1x. It usually isn't available in the lowest end "smart" switches.

  • @NetBandit70
    @NetBandit70 months ago

    I wonder how bad this would be to setup along with smartports for a voice VLAN and production workstations. I have VOIP handsets that pass through the network to their respective workstation and this looks like a lot to chain together.

    • @eDoc2020
      @eDoc2020 months ago

      I don't think it's too bad but TBH I don't have experience. I think the OUI-based voice VLAN would bypass the dot1x auth and the workstations would authenticate directly.

    • @NetBandit70
      @NetBandit70 months ago

      @eDoc2020 If all that has to be done is forge a MAC address, dot1x would be worthless.

    • @eDoc2020
      @eDoc2020 months ago

      @NetBandit70 You can probably also use dot1x on the phones but forging a MAC address is a known weakness of dot1x. Basically if you put a dumb switch between the supplicant and the managed switch then everything on the dumb switch gets network access.

  • @Sergun4uk
    @Sergun4uk months ago

    Thx🎉

  • @djordje1999
    @djordje1999 months ago

    Wait, if radius got compromised then all traffic is compromised because I trust their CA? So someone can MITM when I visit google for example.. in case of stealing the CA that I trust?

    • @apalrdsadventures
      @apalrdsadventures months ago +2

      The CA is only used to secure authentication traffic (deciding to allow a user onto the network or not), so a RADIUS compromise gets you back to having no authentication on wired switch ports (which is probably what you have now).

  • @PrestonKutzner
    @PrestonKutzner months ago +4

    I'm getting a 404 on the blog page for this one.

  • @nicoladellino8124
    @nicoladellino8124 months ago

    Thx bro.

  • @meteailesi
    @meteailesi months ago

    Hey, that's a really good video, can you make different types of Network Access Control videos?

  • @Momi_V
    @Momi_V months ago +1

    Did you enable those *horrific* auto translations, or is that forced upon you by YouTube automatically?
    At first I thought it was some kind of bad joke or obscure reference since it sounded exactly like some low budget infomercial, until I realized that it was 1. not even funny and 2. in a different language from what you usually upload.

    • @marcogenovesi8570
      @marcogenovesi8570 months ago

      It's the latest youtube experiment. Run titles through google translate, what can possibly go wrong

    • @apalrdsadventures
      @apalrdsadventures months ago

      oh yeah youtube notified me that they will auto-translate my entire channel now and I can opt out per video.

    • @PvtAnonymous
      @PvtAnonymous months ago

      @apalrdsadventures YouTube back at it, 'improving' the user experience.

    • @apalrdsadventures
      @apalrdsadventures months ago +1

      Okay, it looks like they are only auto-translating *going forward*, my previous videos were not translated. So I just have to delete all of the auto-translations each time I upload.

  • @codeman99-dev
    @codeman99-dev months ago

    Mid video t-shirt change threw me off!

  • @lavishjaat
    @lavishjaat months ago +2

    First ☝️🤓

    • @MaxUgly
      @MaxUgly months ago

      > first

  • @timkreis8543
    @timkreis8543 months ago

    Macsec is the only secure way... everything else is just a small bump in the road.

    • @apalrdsadventures
      @apalrdsadventures months ago +1

      Macsec is not supported by most client devices

    • @timkreis8543
      @timkreis8543 months ago

      @apalrdsadventures and that is the weirdest thing.. it is a standard for almost two decades, it does work (we use it for long range dark fibre connections), some rather affordable switches from FS supported it for a while and they removed it.. very suspicious because there is no real alternative
      there should be an easy method to authenticate and encrypt wired devices with WPA3 without any configuration

    • @apalrdsadventures
      @apalrdsadventures months ago +1

      Switch side and for switch to switch links yes it’s well supported.
      Direct to clients though, no. Linux can do it of course, but not Windows.
      I think the big driver is probably the fact that IPsec and TLS make it less important, combined with the more inherent physical authentication of 802.3 over 802.11

    • @timkreis8543
      @timkreis8543 months ago

      @apalrdsadventures the problem is, if you can go MITM between an authenticated device and the switch, you can ride on the connection injecting frames with a spoofed MAC once the original client opened the port

    • @eDoc2020
      @eDoc2020 months ago

      @timkreis8543 Yes that is a major weakness. If the cabling is not in a physically secured area you should configure the network so that no access to sensitive networks is granted. As apalrd hinted, use a VPN if you need access from untrusted locations.
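Both the @NetBandit70/@eDoc2020 exchange above (a dumb switch behind an authenticated port) and @timkreis8543's point (frames injected with a spoofed MAC once the port is open) come down to the same gap: 802.1X authorises the port, not each frame, and without MACsec the switch cannot tell the supplicant's frames from a piggybacking device's. One defender-side signal that is available on most switches is the MAC table. The example below is added here and is not the video's or FreeRADIUS's code: it correlates constructed RADIUS accounting records (Start/Stop with NAS-Port-Id and Calling-Station-Id) with a constructed MAC-learning export from the switch and reports any MAC on a port that is not the MAC of that port's active session. The record formats and port names are invented for illustration; a real deployment would feed it the accounting log and the switch's MAC-table export in whatever shape those actually come in.

```python
"""Flag MACs that appear on an 802.1X port but do not belong to the session
that authenticated there.  Added example with constructed inputs; not the
video's, FreeRADIUS's or any switch vendor's code or output format."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed RADIUS accounting records, one "Attribute=value" list per line.
ACCOUNTING = """\
Acct-Status-Type=Start NAS-Port-Id=Gi1/0/5 Calling-Station-Id=AA-BB-CC-00-11-22 User-Name=alice
Acct-Status-Type=Start NAS-Port-Id=Gi1/0/7 Calling-Station-Id=AA-BB-CC-00-33-44 User-Name=printer-03
Acct-Status-Type=Stop NAS-Port-Id=Gi1/0/7 Calling-Station-Id=AA-BB-CC-00-33-44 User-Name=printer-03
"""

# Constructed MAC-learning export from the switch: "<port> <mac>" per line.
MAC_EVENTS = """\
Gi1/0/5 aa:bb:cc:00:11:22
Gi1/0/5 de:ad:be:ef:00:01
Gi1/0/7 aa:bb:cc:00:33:44
Gi1/0/9 11:22:33:44:55:66
"""


def normalise_mac(mac: str) -> str:
    """RADIUS and switch exports write MACs differently; compare them in one form."""
    return mac.lower().replace("-", ":")


def active_sessions(records: str) -> Dict[str, Set[str]]:
    """Map each port to the MACs with an accounting Start not followed by a Stop."""
    sessions: Dict[str, Set[str]] = defaultdict(set)
    for line in records.splitlines():
        fields = dict(item.split("=", 1) for item in line.split())
        port = fields.get("NAS-Port-Id")
        mac = normalise_mac(fields.get("Calling-Station-Id", ""))
        if not port or not mac:
            continue
        status = fields.get("Acct-Status-Type")
        if status == "Start":
            sessions[port].add(mac)
        elif status == "Stop":
            sessions[port].discard(mac)
    return {port: macs for port, macs in sessions.items() if macs}


def find_port_piggybacking(records: str, events: str) -> List[Tuple[str, str, str]]:
    """Return (port, mac, reason) for MACs that do not belong to a session on that port.

    A MAC on a port with an active session, but not in that session, is the
    piggybacking case from the thread.  A MAC on a port with no session at all
    is reported as well: a port enforcing 802.1X should not be learning MACs
    without one, so it usually means the port is not actually enforcing.
    """
    sessions = active_sessions(records)
    findings = []
    for line in events.splitlines():
        port, mac = line.split()
        mac = normalise_mac(mac)
        if port not in sessions:
            findings.append((port, mac, "MAC learned on port with no accounting session"))
        elif mac not in sessions[port]:
            findings.append((port, mac, "MAC differs from the authenticated supplicant"))
    return findings


if __name__ == "__main__":
    for finding in find_port_piggybacking(ACCOUNTING, MAC_EVENTS):
        print(*finding)
```

This is a detection heuristic, not a fix: a phone passing a workstation through (the voice-VLAN case raised earlier in the thread) or a port deliberately set to a multi-host mode will legitimately show more than one MAC, so the session table needs to hold every MAC that authenticated on the port, which the accounting-based lookup above already allows. It also does nothing against a device that spoofs the supplicant's own MAC, which is exactly why the thread's mitigations (treat unsecured cabling as untrusted, keep sensitive networks behind a VPN or IPsec/TLS, use MACsec where the client supports it) still apply.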