I am so mad right now, I spent days getting FreeRADIUS set up and now you come along and provide a great video that clearly explains all the things I have figured out the hard way! How dare you! Stop being such a good teacher!!!!
Nice to see a hands-on practical example of this. I've always considered 802.1x to be complex and expensive black magic stuff that's out of reach for small teams, but this definitely looks doable :)
really the only black magic bit is FreeRADIUS's config language and examples
I love the push for IPv6! (And chuckle at the word "legacy" for IPv4 ^^)
Network engineering student here, begging for us to pick a standard and commit to it 😭
Finally starting to see a real push for v6 in industry, and not just for dual stack, but for v6 only environments.
In no small part due to the US OMB memorandum, but as more users have v6 natively, service providers can make a choice about their costs of which network to support
This is incredible deep labbing stuff. So cool. I’m grateful for this content, nothing like this anywhere. Congrats on your fantastic work!
Very informative and walks you through each step at a reasonable pace while occasionally pausing to provide explanatory commentary. Thanks.
Would LOVE to see a video for PacketFence, UniFi, and Synology Directory Server integration. Currently working on that myself.
oh yes, PacketFence is so cool, I don't get why almost no one is using it
Unifi doesn't support radsec (for 802.1x... for some reason it does for WPA3), and also doesn't support IPv6 for RADIUS.
Packetfence is cool though
@apalrdsadventures Support for RADIUS over TLS (RADSEC) has been added to UniFi Network 8.4 and newer versions. This requires a Client Certificate, Private Key, and CA Certificate from a supported RADIUS server. I have no idea about IPv6 tho, I'm still an IPv4 environment here.
@apalrdsadventures the saga of UniFi's weird gaps in IPv6 continues
The docs of PacketFence look really ironic, to install the software you'll need to deactivate all security on the OS. On Debian deactivate AppArmor and on RHEL deactivate SELinux. For real? 😂
Really cool to see you doing a FreeRADIUS video. Now, all you need to do is connect it to an LDAP. LOL I know... I know... Just teasing.
FreeRADIUS is kinda a lot for one video, but it will come I'm sure
I run two RADIUS servers (a primary and a backup), and my Cisco switches are configured to fail over in the event that the primary is down. You really don't want to be dependent on a single point of failure. By the way, I literally just discovered that all my Cisco switches (SG350-28) have a RADIUS server built right into them and I no longer need separate servers.
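Two of the comments above touch the same protocol detail: RADIUS over plain UDP (the thing RadSec replaces) and running a primary plus a backup server with failover. As an added example, not code from the video or from FreeRADIUS, here is a minimal RFC 2865 client in Python. It builds an Access-Request, hides User-Password with the MD5 chaining the RFC specifies, checks the Response Authenticator so that a reply not signed with the shared secret is ignored rather than treated as an answer, and moves to the backup server when the primary times out. The server names, the shared secret and the credentials are made-up values; `udp_send` resolves through `getaddrinfo`, so the same code reaches an IPv6 RADIUS server.

```python
"""RFC 2865 Access-Request client with primary/backup failover.
Constructed example: not code from the video or from FreeRADIUS.
Server addresses, the shared secret and credentials are made-up values."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    # Type (1 byte), Length (1 byte, counts the two header bytes), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This only hides the password from casual sniffing; plain UDP RADIUS still
    exposes every other attribute, which is the case for RadSec (RADIUS/TLS)."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def decode_user_password(secret, authenticator, hidden):
    """Server side: same chain, XORing against the received blocks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be a fresh
    random 16-byte value per request; passing a fixed one is only for tests."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, request_authenticator, code, identifier, attrs=b""):
    """What a server sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret, request_authenticator, packet):
    """Reject truncated packets, length mismatches and replies that were not
    signed with our shared secret (wrong server, or a forged reply)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def authenticate_with_failover(servers, secret, username, password, identifier, send):
    """Try each (host, port) in order, moving on when one raises OSError
    (which covers socket.timeout). `send(host, port, packet)` returns the
    reply bytes. Returns ((host, port), response code) or (None, None)."""
    packet, req_auth = build_access_request(secret, username, password, identifier)
    for host, port in servers:
        try:
            reply = send(host, port, packet)
        except OSError:
            continue  # primary unreachable: fall through to the backup
        if verify_response(secret, req_auth, reply) and reply[1] == identifier:
            return (host, port), reply[0]
        # a bad Response Authenticator is not a reject; it is an untrusted reply
    return None, None


def udp_send(host, port, packet, timeout=2.0):
    """Real transport: one UDP round trip. getaddrinfo makes it work for IPv6 too."""
    family, socktype, proto, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, addr)
        return sock.recv(4096)


if __name__ == "__main__":
    # Made-up server list; the second entry is tried only if the first fails.
    servers = [("radius1.example.lan", 1812), ("radius2.example.lan", 1812)]
    print(authenticate_with_failover(servers, b"s3cret", b"alice", b"hunter2", 1, udp_send))
```

The transport is passed in as a callable so the failover logic can be exercised without a network: a fake `send` that raises `OSError` for the first server shows the request landing on the backup, and a fake that signs with the wrong secret shows why a reply must be verified before its code is believed.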
Is packetfence not a better alternative?
No, as you have to pay maintenance
@damiendye6623 What do you mean by pay maintenance? As in PacketFence is unreliable and breaks, requiring fixes? Genuinely asking. Thanks!
Supplicant is a pretty good term for what is happening.
To Supplicate, is to humbly ask someone in power for permission/power to do/use something.
The supplicant doesn't simply present credentials and demand access.
Great content, thank you!
Great video, cool topic!
I’m fortunate enough to be able to run Aruba Clearpass in my home lab.
Shout outs to that orange and black Harbor Freight screwdriver from the multi-pack that was just on sale.
I'm getting a 404 on the blog page for this one.
fixed it!
Is it possible to set this up on a managed switch? My TP-Link managed switch does not support 802.1X.
My head hurts now 😄👍
Thx bro.
Hey, that's a really good video, can you make different types of Network Access Control videos?
any specifics?
Did you enable those *horrific* auto translations, or is that forced upon you by RUclips automatically?
At first I thought it was some kind of bad joke or obscure reference since it sounded exactly like some low budget infomercial, until I realized that it was 1. not even funny and 2. in a different language from what you usually upload.
It's the latest YouTube experiment. Run titles through Google Translate, what can possibly go wrong.
oh yeah, YouTube notified me that they will auto-translate my entire channel now and I can opt out per video.
@apalrdsadventures RUclips back at it, 'improving' the user experience.
First ☝️🤓
> first
MACsec is the only secure way... everything else is just a small bump in the road.
MACsec is not supported by most client devices
@apalrdsadventures and that is the weirdest thing... it has been a standard for almost two decades, it does work (we use it for long range dark fibre connections), some rather affordable switches from FS supported it for a while and they removed it... very suspicious because there is no real alternative
there should be an easy method to authenticate and encrypt wired devices with WPA3 without any configuration
Switch side and for switch-to-switch links, yes, it's well supported.
Direct to clients though, no. Linux can do it of course, but not Windows.
I think the big driver is probably the fact that IPsec and TLS make it less important, combined with the more inherent physical authentication of 802.3 over 802.11
@apalrdsadventures the problem is, if you can go MITM between an authenticated device and the switch, you can ride on the connection injecting frames with a spoofed MAC once the original client opened the port
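The point made in the last reply is exactly the gap 802.1X leaves and MACsec closes: port authorization is a one-time decision tied to the port and the client's MAC, whereas MACsec authenticates every frame with a session key derived from the 802.1X exchange and a packet number for replay protection. The toy model below is added here for illustration and is not code from the video or from any project: `PortAuthOnlySwitch` forwards any frame whose source MAC has been authorized, while `MacsecLikeSwitch` requires a valid per-frame integrity check value and an advancing packet number before forwarding. HMAC-SHA256 truncated to 16 bytes stands in for the AES-GCM that real MACsec uses; the MACs, key and frames are made-up values.

```python
"""Toy model: why 802.1X port authorization alone does not authenticate
frames, and what MACsec-style per-frame integrity adds. Constructed example,
not code from the video; keys, MAC addresses and frames are made up."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    payload: bytes
    pn: int = 0          # packet number (MACsec-style replay counter)
    icv: bytes = b""     # integrity check value; empty on plain Ethernet


class PortAuthOnlySwitch:
    """After EAP success the port is opened for the authenticated MAC.
    Nothing in a later frame proves which device actually sent it."""
    def __init__(self):
        self.authorized = set()

    def eap_success(self, mac):
        self.authorized.add(mac)

    def forward(self, frame):
        return frame.src_mac in self.authorized


class MacsecLikeSwitch:
    """Every frame must carry an ICV over (src, pn, payload) under the session
    key agreed after 802.1X (MKA/CAK in real MACsec; HMAC-SHA256 truncated to
    16 bytes stands in for AES-GCM here). Packet numbers must advance, so a
    captured frame cannot be replayed."""
    def __init__(self):
        self.keys = {}
        self.last_pn = {}

    def eap_success(self, mac, session_key):
        self.keys[mac] = session_key
        self.last_pn[mac] = -1

    @staticmethod
    def icv(key, frame):
        data = frame.src_mac.encode() + frame.pn.to_bytes(4, "big") + frame.payload
        return hmac.new(key, data, hashlib.sha256).digest()[:16]

    def forward(self, frame):
        key = self.keys.get(frame.src_mac)
        if key is None:
            return False                       # port never authorized
        if frame.pn <= self.last_pn[frame.src_mac]:
            return False                       # replayed or stale packet number
        if not hmac.compare_digest(self.icv(key, frame), frame.icv):
            return False                       # not produced with the session key
        self.last_pn[frame.src_mac] = frame.pn
        return True


def protect(key, src_mac, pn, payload):
    """What the authenticated client's MACsec driver does on transmit."""
    frame = Frame(src_mac, payload, pn)
    frame.icv = MacsecLikeSwitch.icv(key, frame)
    return frame


def demo():
    """Run both switch models against the same three frames and report
    which ones each would forward. The 'plain_accepts_spoofed' result is
    the gap described in the comment; the MACsec rows show it closed."""
    mac, key = "aa:bb:cc:dd:ee:01", b"\x11" * 32   # made-up client MAC and session key
    plain = PortAuthOnlySwitch()
    plain.eap_success(mac)
    secure = MacsecLikeSwitch()
    secure.eap_success(mac, key)

    client_frame = protect(key, mac, 1, b"hello")      # genuine, keyed frame
    spoofed = Frame(mac, b"injected", pn=5)            # same MAC, no session key
    replay = protect(key, mac, 1, b"hello")            # exact copy of an old frame
    return {
        "plain_accepts_client": plain.forward(client_frame),
        "plain_accepts_spoofed": plain.forward(spoofed),
        "macsec_accepts_client": secure.forward(client_frame),
        "macsec_rejects_spoofed": not secure.forward(spoofed),
        "macsec_rejects_replay": not secure.forward(replay),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately keys the session on the MAC address so that the spoofed frame reaches the ICV check rather than failing on lookup; that is the step a port-authorization-only switch has no equivalent of.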