802.1X and access control

In a network that requires 802.1X authentication for wired and wireless connections, how can I use this authentication to perform access control/outbound IP filtering?

The firewall fw3 (which is simply a configuration layer on top of Linux's iptables - if I understood correctly) seems to be the default firewall on OpenWrt. Reading through the docs, it seemed that creating firewall "zones" seemed to be a good use case for me. Ideally I can create 3 zones: zoneSuperRestricted, zoneABitRestricted, zoneAllAllowed, and assign users in each zone, based on their 802.1X authenticated userid.

Is that possible?

(I am new to networking and OpenWrt, so don't be afraid to explain slowly :grinning_face_with_smiling_eyes: )

You might want to check https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

If I understand it correctly, OpenWrt does not support wired 802.1X authentication, as professional switches do. But maybe I am wrong here.

Yes, I saw this. It does not explicitly say wired 802.1X is not supported, but I agree it sort of feels like it, by the absence of documentation...

Are you talking about the authentication (RADIUS) or authenticator (switch) functionality?

I'm not sure many users would spring for the latter seeing as you'd be limited to ~3-4 clients per 'router' (switch)...

The former is supported albeit for advanced users with varying quirks dependent on release / daemon selection...

I was talking about the authentication (RADIUS).

That is great news! Do you have a few pointers to get me started?