Unifi auth to pfSense RADIUS?

Anyone know if this is possible? Clearly the biggest security hole on any LAN is the WPA-Personal password. I would love to ditch WPA and only use RADIUS for those needing whole LAN wifi access. But I don’t want to run RADIUS from the CLI.
One customer’s setup: Unifi controller in the cloud and site with Unifi APs behind a Netgate 7100.
Is it possible to have RADIUS look to AD for user credentials? I tried following the OpenVPN/Radius vid instructions to set it up, but it ain’t working!

Tom, if this is a thing, a video would be fab!

It’s possible, it’s a bit complex not sure when I will do video on it.


Thanks Tom; is there another method you would prefer?

Yes, that WiFi not be part of any secure networks.

What I have is maybe not what you are looking for, but it would be an awesome video for Tom or Jay to make.

My WPA2-Enterprise or WPA2-EAP PEAP network:

I have a pfSense router. I have FreeRADIUS in a Proxmox CT with a MariaDB backend for RADIUS users and user groups. Every user group is assigned a VLAN ID. If I put user Bob in the Guest 1 group with a certain VLAN ID, he will be put in that VLAN when he logs in on my wifi network.

I have 4 separate wlan networks (vlan’s):
WLAN1 - Open / captive portal
WLAN2 - private
WLAN3 - Guests 1
WLAN4 - Guests 2

Each of the WLAN networks has different security rules, limitations and so on, tailored to the purpose of the users of that WLAN subnet in pfSense.

I use one wifi SSID for these dynamically assigned VLANs, so depending on who is logging in I can assign a VLAN to the user by putting this user in one of the user groups I made in the database. The other SSID I use is for the open / captive portal network WLAN1.

The connection with the FreeRADIUS server is over TLS. For this I use a CA and server certificate created in the pfSense cert manager.

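As an added example (not the poster's own database, which is not shown), this is how the described group-to-VLAN mapping looks in the default FreeRADIUS SQL schema (radcheck, radusergroup, radgroupreply); the username, group names, VLAN IDs and hash value are assumed for illustration.

```sql
-- Default FreeRADIUS SQL schema; names and VLAN IDs below are assumed.

-- Authentication: PEAP/MS-CHAPv2 needs the NT hash (NT-Password) or the
-- cleartext password (Cleartext-Password) of the user; crypt/SSHA hashes
-- cannot be used. NT-Password avoids keeping cleartext in the database.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('bob', 'NT-Password', ':=', '<nt-hash-hex-placeholder>');

-- Membership: Bob belongs to the "guests1" group. Keep each user in exactly
-- one VLAN group so only one Tunnel-Private-Group-Id is returned.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('bob', 'guests1', 1);

-- Group replies: the three RFC 3580 tunnel attributes the AP/controller uses
-- for dynamic VLAN assignment. Tunnel-Private-Group-Id carries the VLAN ID.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('private', 'Tunnel-Type',             ':=', 'VLAN'),
  ('private', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('private', 'Tunnel-Private-Group-Id', ':=', '20'),
  ('guests1', 'Tunnel-Type',             ':=', 'VLAN'),
  ('guests1', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('guests1', 'Tunnel-Private-Group-Id', ':=', '30');

-- Check: list the reply attributes Bob's Access-Accept would carry, i.e. the
-- VLAN the AP will tag his session with.
SELECT g.groupname, r.attribute, r.op, r.value
FROM radusergroup g
JOIN radgroupreply r ON r.groupname = g.groupname
WHERE g.username = 'bob'
ORDER BY g.priority, r.id;
```

Moving Bob to another VLAN is then a single UPDATE of his radusergroup row; no AP or controller configuration changes.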

With AD there is more work to do; it will be easier to do it with the pfSense FreeRADIUS set up with the Unifi controller, WPA2/3 Enterprise only.