I know this usage scenario but I do not think that NethSecurity is a good candidate for being an ISP firewall.
Absolutely yes, this could be a common scenario. But usually the administrator wants the authentication integrated with AD systems, and this configuration has some major security drawbacks.
If someone is interested, check out this: [OpenWrt Wiki] Introduction to 802.1X
By the way, if you want to explore such scenarios, you can install packages directly from OpenWrt repositories: Package repositories | NethSecurity
We can start as we did with NS7: just create a howto; if many users use it, we can convert it into an official module.
AFAIK, it’s a well-known security “Gotcha”, yet due to the ubiquity of Windows Systems in large Enterprises, it’s still commonly used; networks are specially secured against external access by other methods. PEAP-MSCHAPv2 is still one of the most common, and is, under RADIUS, only protected with TLS, and only if configured correctly. Nowadays, just not enough, and MSCHAP, even if “v2”, is still too much “in the clear”. But it does work reliably!
MS-ID is not well implemented yet for OpenSource RADIUS, AFAIK.
see also
And, yes, for all those asking, RADIUS as a project for Authentication is written All Caps…
The Name comes from: Remote Access Dial In User Service
and it did actually start out as an alternative to MS “Remote Access” Dial-In.
Long time ago, before 2000!
My 2 cents
Andy
A commercial (not neutral), but still good, understandable write-up about RADIUS with a lot of valuable info…
NS8 has a built-in, very simple firewall just to open and close ports of services. NethSecurity is the spin-off of NethServer 7: it contains the UTM firewall part.
I think we should clarify this. NethSecurity is not a NethServer 8 module!
It’s another product, “spin-off” looks fun and correct
We don’t miss the UTM part of NS7 thanks to it.
Maybe it’s gonna be an OPNsense alternative @Andy_Wismer
Following this with interest. Currently evaluating a couple VyOS VM’s for potential OPNsense replacement, for combo home and homeoffice router/firewall replacement. Use multiwan (failover for the homeoffice vlan and load balancing for the home network), adguard home and currently use WireGuard (road warrior home network access). Would this product also adopt OpenWRT’s option to use cake for qos and how about WireGuard?
Evaluating Linux based options for better integration as Proxmox VM’s and more efficient/faster networking using VirtIO network adapters above 1g.
The answer is yes for the first question.
About the second one, WireGuard is already present, but for now you have to configure it using the CLI.
In the future we plan to expose it from the UI.
Not in this release. We did some tests with both snort and suricata, but we’re still not fully satisfied with the results. But work is still ongoing.
Threat shield is effective in blocking attacks.
And Netify can generate security alerts.