802.1x Authentication with FreeNAS 9.10

Status
Not open for further replies.

marove

Cadet
Joined
Dec 22, 2016
Messages
9
Hello everybody,

I've just installed FreeNAS 9.10 and have created an encrypted Z-Volume. Everything works just fine.

Now I want to plug the server into a network which requires 802.1x authentication. I'm very new to BSD, so I've read some sites, and it seems to work with wpa_supplicant (http://mini-it-world.blogspot.de/2013/03/freebsd-9-authenticate-to-8021x-wired.html). I've logged into the console, and it seems that wpa_supplicant is not installed by default. I've read that I should not install packages directly to the system and should use jails for this, but if I understand it correctly, the jails are installed on the encrypted Z-Volume, so even if I get it running, once the machine gets restarted it will lose access to the jail and cannot access the network. This also means I cannot unlock the encrypted volume (in the final setup, I don't have physical access to the server).

Is there any clean way to connect the server to an 802.1x Network?

It would be great if you can help me.
Regards

Marove
 

pschatz100

Guru
Joined
Mar 30, 2014
Messages
1,184
I would pick up a wifi router that can act as a bridge to the rest of your wifi network. That way, the wifi burden is not on FreeNAS. I've been running this way for over two years. It is certainly not the least expensive solution, but is robust and gives you the flexibility to configure your network exactly the way you want it. Also, put it all on a UPS. You'll be glad you did.
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
> Hello everybody,
>
> I've just installed FreeNAS 9.10 and have created an encrypted Z-Volume. Everything works just fine.
>
> Now I want to plug the server into a network which requires 802.1x authentication.
>
> Is there any clean way to connect the server to an 802.1x Network?
>
> Marove

No.

Wired 802.1x requires negotiation when the network interface link comes up. Since it's not part of the current OS, the developers would have to integrate WPA_Supplicant into the base OS network stack. Even if they agreed to do it, I doubt it would happen quickly.

Your next best option would be to add an intermediate device like pschatz100 suggested. How well that works will depend on how restrictive of a policy your network admins have on your switch port. You will most likely have to do NAT on that device, since typically 802.1x requires each MAC address to authenticate.
 

pschatz100

Guru
Joined
Mar 30, 2014
Messages
1,184
Actually, a device like the Asus EA-N66 would make it quite simple to bridge to an existing wifi network - FreeNAS will not even know it is connected via wifi. Of course, there are more sophisticated options as well as faster ones. The whole point of a bridge is that it would be transparent to the system. Simple is usually better when it comes to networking.
 

marove

Cadet
Joined
Dec 22, 2016
Messages
9
Hello Everybody,

thank you for all your answers. I think I will choose the solution with the router in between. Are there any suggestions on a gigabit router/switch which can talk 802.1x and probably does NATing?

Regards
Marove
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
> Hello Everybody,
>
> thank you for all your answers. I think I will choose the solution with the router in between. Are there any suggestions on a gigabit router/switch which can talk 802.1x and probably does NATing?
>
> Regards
> Marove

I don't know the current state of the art in consumer routers that can do wired .1x, so I can't recommend anything.

You could get pfSense and run it on a piece of hardware you already have, or buy a small 2 port box from them. That would likely be the most flexible in terms of capabilities. And, if you start by running it on some hardware you already have, you can test the solution before making any investments.
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
> Actually, a device like the Asus EA-N66 would make it quite simple to bridge to an existing wifi network - FreeNAS will not even know it is connected via wifi. Of course, there are more sophisticated options as well as faster ones. The whole point of a bridge is that it would be transparent to the system. Simple is usually better when it comes to networking.

The Asus is an access point and only has one ethernet port. The OP asked for a solution for wired 802.1x.
 

pschatz100

Guru
Joined
Mar 30, 2014
Messages
1,184
> The Asus is an access point and only has one ethernet port. The OP asked for a solution for wired 802.1x.

You are right about the OP asking about 802.1x network. I read the original post rather quickly and made a mistake thinking the goal was attaching to an 802.11 network. My bad.

However, the Asus device is a flexible little gadget that can be configured as an access point or a bridge. They are terrific for connecting a device that only has ethernet capability to a wifi network - and the best part is that, once set up, they can be managed remotely.
 