Wednesday, January 23, 2019

How to block unauthenticated 802.1x traffic using iptables?

Hi,

I've got a proxmox virtual lab and I'm struggling to set up a test 802.1x network. I used hostapd as an authenticator with an external freeradius server. The hostapd machine has a bridge that bridges both the LAN and the insecure network for 802.1x supplicants. Authentication works fine with both Linux and Windows supplicants; unfortunately, the unauthenticated traffic is passed through, since hostapd did not implement any blocking of unauthenticated wired traffic. On a real managed switch, is authenticated traffic whitelisted by MAC address? Or some other way?

I know the best solution to test an 802.1x setup would be to either use a physical switch or use a Cisco virtual environment. I can't order a physical switch at the moment (time + location constraints), and Cisco VMs are not compatible with proxmox.

Any ideas how I could make it work _fast_? Any non-Cisco switching VMs I could use on proxmox? openvswitch does not support 802.1x, and neither does pfsense.
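One way to get the per-port authorization a managed switch performs, on the Linux bridge the post describes, is to drop frames on the supplicant-facing bridge port unless their MAC has been authorized and to let hostapd's event hook add and remove MACs. This is an added example, not code from the post or from hostapd; it assumes the supplicant side is bridge port eth1, that nftables (bridge family) is available, that hostapd's wired driver emits AP-STA-CONNECTED / AP-STA-DISCONNECTED through `hostapd_cli -a`, and it uses a made-up table name "auth".

```shell
#!/bin/sh
# Added example (not from the post): emulate a managed switch's 802.1X port
# authorization on the hostapd bridge with nftables (bridge family).
# Assumptions: hostapd's wired driver authenticates supplicants arriving on
# bridge port eth1; hostapd_cli -a <this script> delivers AP-STA-CONNECTED /
# AP-STA-DISCONNECTED with the supplicant MAC as $3; table name "auth".
set -eu

SUPP_IF="${SUPP_IF:-eth1}"   # bridge port facing the unauthenticated segment
NFT="${NFT:-nft}"            # command used to apply rules (overridable for testing)

# Base policy, applied once at boot. Frames from the supplicant port are dropped
# unless their source MAC has been authorized; unicast toward that port is
# dropped unless the destination MAC is authorized. Broadcast/multicast toward
# the port is allowed so authorized hosts still receive ARP; on a shared segment
# that is the same leak a multi-host switch port has. EAPOL is unaffected:
# hostapd's raw socket on eth1 sees it before the bridge, and the bridge does
# not forward the 01:80:c2:00:00:03 group address by default.
install_policy() {
    $NFT -f - <<EOF
table bridge auth {
    set authorized { type ether_addr; }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$SUPP_IF" ether saddr @authorized accept
        iifname "$SUPP_IF" drop
        oifname "$SUPP_IF" meta pkttype { broadcast, multicast } accept
        oifname "$SUPP_IF" ether daddr @authorized accept
        oifname "$SUPP_IF" drop
    }
}
EOF
}

# Per-supplicant whitelist changes are set element updates, so no rule churn.
authorize()   { $NFT add element bridge auth authorized "{ $1 }"; }
deauthorize() { $NFT delete element bridge auth authorized "{ $1 }"; }

# hostapd_cli -a invokes the action script as: <iface> <event> <mac> [...]
case "${2:-}" in
    AP-STA-CONNECTED)    authorize "$3" ;;
    AP-STA-DISCONNECTED) deauthorize "$3" ;;
    *) if [ "${1:-}" = install ]; then install_policy; fi ;;  # "$0 install" at boot
esac
```

Run it once as `./script install` after the bridge is up, then register it with `hostapd_cli -a /path/to/script -B` so authorization follows the EAP result.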
