Stop the ‘Open Port’ Risk: Building 802.1X Wired Security with FreeRADIUS

Networking tutorial - IT technology blog

The Gaping Security Hole in Your Office

Walk into almost any mid-sized office, find a vacant desk, and plug a laptop into the wall. More often than not, you’ll instantly get an IP address and a direct line to internal file servers or sensitive databases. It’s a massive vulnerability hidden in plain sight.

We’ve spent decades perfecting physical security with badge scanners and smart locks. Yet, once a visitor or an intruder is past the front desk, the network ports are usually “hot.” Relying on an “open by default” policy is a recipe for a data breach. If you manage a network handling private client data or proprietary code, you can’t afford to leave your physical ports wide open.

Why Your Switch is Too Trusting

Standard Layer 2 switches are designed for convenience, not gatekeeping. By default, a switch port sits in an unauthenticated state but starts moving traffic the moment it detects a link. The switch doesn’t ask for ID. It simply logs the MAC address and begins forwarding frames immediately.

This lack of identity-based control means that even an enterprise-grade firewall won’t save you. If an attacker sits behind your perimeter, they are already inside the house. The root cause is the absence of a gatekeeper at the port level—someone to demand credentials before the data path actually opens.

Stop Using Half-Measures

Before we dive into the setup, let’s look at why common “quick fixes” usually fail in real-world environments.

  • MAC Filtering: You create a whitelist of allowed devices. For a 50-person team, you’re suddenly managing 100+ unique identifiers. It’s a manual, error-prone nightmare. Worse, spoofing a MAC address takes about 10 seconds with basic command-line tools.
  • Static IP Mapping: You only allow specific IPs to communicate. An attacker can simply sniff the network traffic for two minutes, identify your subnet, and manually assign themselves an unused address.
  • 802.1X (The Gold Standard): This protocol uses EAP (Extensible Authentication Protocol) to verify identity before a single data packet is allowed through. It requires three parts: the Supplicant (the laptop), the Authenticator (the switch), and the Authentication Server (RADIUS).

In my experience, mastering 802.1X is the most effective way to shift security from “where you are plugged in” to “who you are.” It ensures only authorized hardware gets a link-light that actually carries data.

Building Your Lab: FreeRADIUS and Linux

You don’t need a $5,000 enterprise switch to learn this. We can build a fully functional lab using a Linux server as a virtual switch. We’ll use FreeRADIUS as the brain and hostapd as our authenticator.

Step 1: Setting up the FreeRADIUS Bouncer

First, install FreeRADIUS on an Ubuntu or Debian system. This server will act as your central database for allowed devices.

sudo apt update
sudo apt install freeradius freeradius-utils -y

Next, define your “Client.” In the RADIUS world, the client is the switch itself, not the end-user. Edit /etc/freeradius/3.0/clients.conf to add your virtual switch.

# Add this to /etc/freeradius/3.0/clients.conf
client lab_switch {
    ipaddr = 127.0.0.1
    secret = testing123
}

Now, create a user in /etc/freeradius/3.0/users. This is the credential the laptop will provide to gain access.

# Add this to the top of /etc/freeradius/3.0/users
"itfromzero_user" Cleartext-Password := "secure_password_2026"
    Reply-Message = "Welcome to the Secure Network"

Restart the service to lock in the changes:

sudo systemctl restart freeradius

Step 2: Configuring the Virtual Switch

In a production office, you’d use a Cisco or Juniper switch. For our lab, we’ll use hostapd to handle the 802.1X state machine on a standard Ethernet port.

sudo apt install hostapd bridge-utils -y

Create a config file at /etc/hostapd/wired-8021x.conf. Replace eth1 with the interface you want to lock down.

# /etc/hostapd/wired-8021x.conf
interface=eth1
driver=wired
ieee8021x=1

# RADIUS server settings
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123

When you start hostapd, eth1 will effectively go into a “blocked” state. It won’t pass traffic until a successful EAP handshake occurs.

Step 3: Configuring the Supplicant

The client device must know how to speak 802.1X. On Linux, we use wpa_supplicant. Create a file named wired-client.conf on the client machine:

# wired-client.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0 # Required for wired 802.1X

network={
    key_mgmt=IEEE8021X
    eap=MD5 # Using MD5 for lab simplicity; use PEAP/TLS in production
    identity="itfromzero_user"
    password="secure_password_2026"
}

Run the following to initiate the connection:

sudo wpa_supplicant -Dwired -i eth0 -c wired-client.conf
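To make the RADIUS side of Steps 1 and 2 concrete, here is an added example (mine, not code from the original post or from FreeRADIUS) of the two things the shared secret from clients.conf and hostapd’s auth_server_shared_secret are used for: obfuscating User-Password in a PAP Access-Request (the request type radtest from freeradius-utils sends, simpler than the EAP-MD5 exchange wpa_supplicant performs) and checking the Response Authenticator so a reply produced with the wrong secret is dropped. The MD5 constructions follow RFC 2865; the function names are my own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def attr(kind, value):
    """One type-length-value attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator=None):
    """The PAP Access-Request radtest sends for a users-file credential."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, encode_user_password(password.encode(), secret.encode(), authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, attrs, request, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret.encode()).digest()
    return header + digest + attrs

def verify_reply(reply, request, secret):
    """Authenticator side: return 'accept', 'reject' or 'forged'. A reply whose
    authenticator was not computed with the configured shared secret is dropped."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return "forged"
    expected = build_reply(code, ident, reply[20:], request, secret)[4:20]
    if not hmac.compare_digest(expected, reply[4:20]):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "forged")
```

Note that the Response Authenticator only binds the reply to the request and the secret; it does not protect the request itself, which is why production deployments pair RADIUS with EAP-TLS/PEAP and keep the server on a management network.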

Troubleshooting Like a Pro

If things aren’t working, stop the FreeRADIUS service and run it in debug mode to see exactly where the handshake fails.

sudo systemctl stop freeradius
sudo freeradius -X

I’ve lost plenty of sleep debugging these handshakes. Usually, the culprit is a mismatched EAP type or a simple firewall rule blocking UDP port 1812. Look for the “Sent Access-Accept” line; that’s your signal that the port has been unlocked.

Final Thoughts

Implementing port-based access control is a major milestone for network maturity. While it adds a layer of management, it effectively kills the risk of unauthorized physical devices gaining a foothold. Once you’re comfortable with the FreeRADIUS basics, you can integrate it with LDAP or Active Directory, allowing employees to use their standard login to unlock their desks.
