netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Public demo: https://demo.netbox.dev
http://netboxlabs.com/oss/netbox/
Apache License 2.0

new Wireless LANs security modes #9321

Closed rfl64 closed 2 years ago

rfl64 commented 2 years ago

NetBox version

v3.2.2

Feature type

Data model extension

Proposed functionality

It should be possible to add WPA Enterprise security modes like EAP-TLS, PEAP, and so on. Thanks. https://www.securew2.com/solutions/wpa2-enterprise-and-802-1x-simplified

Use case

Enterprise authentication and encryption methods used in wireless LANs in the enterprise.

Database changes

New items in the auth cipher and certificate or pre-shared key options.

External dependencies

https://www.securew2.com/solutions/wpa2-enterprise-and-802-1x-simplified

DanSheps commented 2 years ago

What are you proposing to add? I see you linked to a website, but we expect a minimum amount of effort to be put into FRs, and in an instance like this, that means you need to at least provide the additional details without requiring maintainers or volunteers to click through to determine the model.

rfl64 commented 2 years ago

Items to add to security modes when Enterprise security is selected would be: EAP-MD5, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, EAP-AKA, LEAP, PEAP.

They are all different security mechanisms used in wireless LANs.

Thanks in advance.

DanSheps commented 2 years ago

Yes, but where?

They don't fit with the wireless types (WPA, WPA-Enterprise, etc.).

They also don't 100% fit with encryption types.

Also, these typically aren't defined on the controller or AP, but are instead a function of what the supplicant (laptop, desktop, etc.) and authenticator (ISE, ClearPass, PacketFence, FreeRADIUS, etc.) support and are configured for. For example, I can't just turn off TEAP on my APs.

I think you might actually need something to specifically model your 802.1X/WPA-Enterprise settings beyond the WLAN model.

rfl64 commented 2 years ago

I think netbox is an inventory, a source of truth as defined in the documentation, with information on everything related to networks and devices. WLANs are not related to a particular device registered in netbox but are a property, functionality or service on a network, just like VLANs, which are not attached to a single switch.

Of course, APs are network bridges that link two media types (wired and wireless). The point of view used for WLANs and encryption type in netbox does not apply to enterprise networks, because in enterprise networks other security types, like those described, are used. WPA, WPA2 and WPA3 are home user WLANs and they all share a unique shared key (PSK).

It doesn't matter which device is the authenticator (AP/switch), supplicant or authentication server (ISE, NAC, FreeRADIUS, etc.); if netbox wants to hold information about WLANs and their properties, the described enterprise security types are needed.

Maybe just a listbox with the different security types would be enough, without specifying whether certificates are used. Also, if a shared secret is used for RADIUS AP authentication, a field to store that shared secret would be appreciated.

In my opinion, netbox is an awesome tool. Thanks for all your work.

DanSheps commented 2 years ago

> I think netbox is an inventory, a source of truth as defined in the documentation, with information on everything related to networks and devices. WLANs are not related to a particular device registered in netbox but are a property, functionality or service on a network, just like VLANs, which are not attached to a single switch.

The big difference here is VLANs are attached to a switch. The wireless model replicates what is attached to APs or stations and not what is configured on the client or server for authentication, as that is outside the scope of what the wireless model is intended for.

> Of course, APs are network bridges that link two media types (wired and wireless). The point of view used for WLANs and encryption type in netbox does not apply to enterprise networks, because in enterprise networks other security types, like those described, are used. WPA, WPA2 and WPA3 are home user WLANs and they all share a unique shared key (PSK).

I agree, but there is a "WPA-Enterprise" option in there to cover that.

> It doesn't matter which device is the authenticator (AP/switch), supplicant or authentication server (ISE, NAC, FreeRADIUS, etc.); if netbox wants to hold information about WLANs and their properties, the described enterprise security types are needed.

Again, EAP-*/TEAP/LEAP is not a function of the WLAN but of the configuration of the supplicant and authentication server, which is why it is inappropriate to store that information on the WLAN model.

> Maybe just a listbox with the different security types would be enough, without specifying whether certificates are used. Also, if a shared secret is used for RADIUS AP authentication, a field to store that shared secret would be appreciated.

Again, this doesn't work. Mainly because your RADIUS configuration can be one of the following:

(EAP-TTLS, PEAP-MSCHAPv2, TEAP) or (EAP-TTLS) or (PEAP-MSCHAPv2, TEAP, LEAP) or any number of other combinations.

WLAN is the wrong place to store your authentication server settings for your wireless deployment. We currently don't have a correct place for it, which is why this would likely require a new model, and also why, given that this is a niche enough case, it likely won't be included in core.
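The separation argued for in the comment above, as an added example that is not NetBox's code or data model: the WLAN record keeps only what the AP advertises, the EAP methods live as a set on a separate authentication-server policy and supplicant profile (so the combinations listed above are representable), and the RADIUS client record holds only a reference into a secret store rather than the shared secret itself. Every class, field and value is hypothetical; the `auth_type`/`auth_cipher` strings are assumed to mirror the existing WLAN choices, and the `vault://` reference scheme is an invented convention.

```python
# Added example (not NetBox code): model 802.1X/EAP settings beside the WLAN,
# not on it. All names are hypothetical; sample data is constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Outer EAP methods that tunnel an inner method, e.g. PEAP-MSCHAPv2.
TUNNELED = {"TTLS", "PEAP", "TEAP", "FAST"}


@dataclass(frozen=True)
class EapMethod:
    outer: str                   # e.g. "TLS", "PEAP", "TEAP"
    inner: Optional[str] = None  # inner method for tunnelled types, else None

    def __str__(self) -> str:
        return self.outer if self.inner is None else f"{self.outer}-{self.inner}"


def parse_eap(name: str) -> EapMethod:
    """Parse the spellings used in the thread: "EAP-TLS", "PEAP-MSCHAPv2", "TEAP", "LEAP"."""
    s = name[4:] if name.upper().startswith("EAP-") else name
    if "-" in s:
        outer, inner = s.split("-", 1)
        if outer.upper() in TUNNELED:
            return EapMethod(outer.upper(), inner)
    return EapMethod(s.upper())


def methods(names: Iterable[str]) -> FrozenSet[EapMethod]:
    return frozenset(parse_eap(n) for n in names)


@dataclass(frozen=True)
class WirelessLAN:
    """What the AP/controller advertises; this is all the WLAN record needs."""
    ssid: str
    auth_type: str    # assumed to follow the WLAN choices, e.g. "wpa-enterprise"
    auth_cipher: str  # e.g. "aes"


@dataclass(frozen=True)
class AuthServerPolicy:
    """EAP methods the RADIUS/NAC server accepts: a set, not a single value."""
    name: str
    allowed: FrozenSet[EapMethod]


@dataclass(frozen=True)
class SupplicantProfile:
    """EAP methods a class of clients is configured to offer."""
    name: str
    offered: FrozenSet[EapMethod]


@dataclass(frozen=True)
class RadiusClient:
    """The AP registered as a NAS. The shared secret is never stored inline;
    secret_ref points into an external store (hypothetical "vault://" scheme)."""
    nas_ip: str
    secret_ref: str

    def __post_init__(self) -> None:
        if not self.secret_ref.startswith("vault://"):
            raise ValueError("secret_ref must reference a secret store, not hold the secret")


def negotiable(policy: AuthServerPolicy, client: SupplicantProfile) -> FrozenSet[EapMethod]:
    """Methods both sides support; 802.1X cannot succeed if this is empty."""
    return policy.allowed & client.offered


def can_authenticate(wlan: WirelessLAN, policy: AuthServerPolicy, client: SupplicantProfile) -> bool:
    # A PSK network never runs EAP, whatever the server and supplicant support.
    if wlan.auth_type != "wpa-enterprise":
        return False
    return bool(negotiable(policy, client))


# Constructed sample data, using method combinations named in the discussion.
CORP_WLAN = WirelessLAN("corp", "wpa-enterprise", "aes")
HOME_WLAN = WirelessLAN("home", "wpa-personal", "aes")
CORP_RADIUS = AuthServerPolicy("corp-radius", methods(["EAP-TTLS", "PEAP-MSCHAPv2", "TEAP"]))
GUEST_RADIUS = AuthServerPolicy("guest-radius", methods(["EAP-TTLS"]))
LAPTOP = SupplicantProfile("managed-laptop", methods(["EAP-TLS", "PEAP-MSCHAPv2"]))
PHONE = SupplicantProfile("byod-phone", methods(["PEAP-MSCHAPv2"]))
AP1 = RadiusClient("192.0.2.10", "vault://wireless/ap1/radius-secret")  # constructed

if __name__ == "__main__":
    for client in (LAPTOP, PHONE):
        for policy in (CORP_RADIUS, GUEST_RADIUS):
            common = sorted(str(m) for m in negotiable(policy, client))
            print(f"{client.name} via {policy.name}: "
                  f"{can_authenticate(CORP_WLAN, policy, client)} {common}")
```

Running the block prints, for each client/server pairing, whether authentication is possible on the enterprise SSID and which methods would be negotiated; the managed laptop succeeds against the corporate server only because PEAP-MSCHAPv2 is in both sets, and nothing succeeds against the TTLS-only guest server. Changing the WLAN record would not alter any of these outcomes, which is the point of keeping the EAP set off the WLAN model.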

jeremystretch commented 2 years ago

This was covered by the working group when we first designed WLAN support, and @DanSheps provides a good summary of why the proposed change is untenable. It's something we could potentially add to NetBox, but as Dan notes this will likely require a new field or model and warrants a deeper discussion.

If you'd like, you're welcome to start a discussion to see if you can collaborate with other NetBox users to come up with a detailed implementation proposal, which can then be submitted as a new FR.