Hello all. I'm debating a slight network tweak here at home and was hoping to solicit some feedback before I start reconfiguring things.
I've got what is essentially an opaque network device that functions as a VPN endpoint; it connects upstream via IPv4/DHCP and the behind-the-VPN clients authenticate and connect to the endpoint device with 802.1x. There is nothing special about the device other than the fact that I don't control or manage it. As I don't overly trust the device itself, its upstream connection is on a dedicated, untagged VLAN that is routed through various switches until it hits my router/firewall/etc. and exits out to the world. My behind-the-VPN clients connect to the device over a dedicated physical wire as they are located in the same room. Think WFH setup using an employer provided VPN endpoint device.
Where it becomes somewhat interesting is when I consider relocating the VPN device and optionally allowing access over a dedicated WiFi SSID. Relocating the device should be straightforward enough: simply create a new behind-the-VPN VLAN and reconfigure switches as necessary. However, allowing access to that behind-the-VPN VLAN over WiFi seems like it might be a challenge. I am not overly excited at the prospect of having the APs act as the 802.1x supplicant to the VPN device (if that is even possible in my setup); I would much rather pass the behind-the-VPN client's 802.1x auth through the APs and have it serviced by the VPN device. Is that possible? Is there some other option that would accomplish the same goal?
To add to the context of the discussion, the WiFi network is being run on Ruckus Unleashed APs with the wired switching run on relatively modern Dell switches. As mentioned previously I'm using pfSense as my core router, firewall, etc. system. Replacing my WiFi or wired switching hardware isn't something I'm interested in doing to make this work, so solutions that start with "If you replace X hardware with Y you can do ..." are a bit of a no-go for me.
Thanks in advance to anyone who can help steer me in the right direction and/or provide some real tips on making this work!
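The following is an editor-added example, not part of the post above and not code from any of the products it mentions. It illustrates the link-layer detail behind the "pass the 802.1x auth through the APs" question: 802.1X carries EAPOL frames to the PAE group address 01-80-C2-00-00-03, which lies in the 01-80-C2-00-00-00/0F block that standards-conforming 802.1D/802.1Q bridges (including an AP bridging between its radio and its wired port) consume rather than forward, so the EAPOL exchange always terminates at the first authenticator-capable device. The parser, the classification rules, the sample frames and the MAC addresses are all constructed here for illustration.

```python
# Editor-added example (not from the original post): parse raw Ethernet frames
# and classify what a standards-conforming bridge does with each one.
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_LLDP = 0x88CC

# 802.1X PAE group address (supplicant -> authenticator).
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
# 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F: reserved; bridges must not relay it.
RESERVED_BLOCK_PREFIX = bytes.fromhex("0180c20000")

EAPOL_PACKET_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame (optionally 802.1Q-tagged) into its fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = int.from_bytes(frame[12:14], "big")
    vlan_id: Optional[int] = None
    payload_start = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        vlan_id = int.from_bytes(frame[14:16], "big") & 0x0FFF
        ethertype = int.from_bytes(frame[16:18], "big")
        payload_start = 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[payload_start:]}


def eapol_packet_type(payload: bytes) -> str:
    """Name the EAPOL packet type from the 4-byte EAPOL header (version, type, length)."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    return EAPOL_PACKET_TYPES.get(payload[1], "unknown(%d)" % payload[1])


def classify(frame: bytes) -> str:
    """Return what a conforming 802.1D/802.1Q bridge does with this frame."""
    f = parse_frame(frame)
    dst = f["dst"]
    is_reserved = dst[:5] == RESERVED_BLOCK_PREFIX and dst[5] <= 0x0F
    if f["ethertype"] == ETHERTYPE_EAPOL:
        kind = eapol_packet_type(f["payload"])
        # Group-addressed EAPOL is consumed by the local authenticator
        # (switch port or AP); it is never relayed to a device behind it.
        if is_reserved:
            return "eapol:%s:terminated-locally" % kind
        # Unicast EAPOL (authenticator <-> one supplicant) has an ordinary
        # destination MAC, so a plain bridge forwards it like any other frame.
        return "eapol:%s:unicast" % kind
    if is_reserved:
        # STP BPDUs, LLDP, etc.: link-local control traffic, not forwarded.
        return "reserved-address:not-forwarded"
    return "forwarded"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += ETHERTYPE_VLAN.to_bytes(2, "big") + (vlan_id & 0x0FFF).to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload


def build_eapol_start(src_mac: bytes, vlan_id: Optional[int] = None) -> bytes:
    """The EAPOL-Start a supplicant sends to kick off 802.1X (version 2, type 1, empty body)."""
    return build_frame(PAE_GROUP_ADDR, src_mac, ETHERTYPE_EAPOL, bytes([0x02, 0x01, 0x00, 0x00]), vlan_id)


# Constructed sample MACs (locally administered, not real devices).
CLIENT_MAC = bytes.fromhex("025a0c000001")
AUTHENTICATOR_MAC = bytes.fromhex("025a0c0000ff")

# EAPOL header (v2, EAP-Packet, len 5) + EAP Request/Identity (code 1, id 1, len 5, type 1).
EAP_REQUEST_IDENTITY = bytes.fromhex("02000005" "0101000501")

SAMPLE_FRAMES = {
    "supplicant_eapol_start": build_eapol_start(CLIENT_MAC),
    "supplicant_eapol_start_tagged": build_eapol_start(CLIENT_MAC, vlan_id=30),
    "authenticator_eap_request": build_frame(CLIENT_MAC, AUTHENTICATOR_MAC, ETHERTYPE_EAPOL, EAP_REQUEST_IDENTITY),
    "lldp_advertisement": build_frame(bytes.fromhex("0180c200000e"), CLIENT_MAC, ETHERTYPE_LLDP, b"\x02\x07\x04" + CLIENT_MAC),
    "plain_ipv4": build_frame(AUTHENTICATOR_MAC, CLIENT_MAC, ETHERTYPE_IPV4, b"\x45" + bytes(19)),
}


def classify_samples() -> dict:
    """Classify every constructed sample frame; returns {name: classification}."""
    return {name: classify(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-32s %s" % (name, verdict))
```

The practical reading for the setup in the post: the supplicant's EAPOL-Start lands on the reserved group address and is answered by whatever authenticator first sees it, which on a WPA-Enterprise SSID is the AP itself (it then relays EAP to a RADIUS server rather than bridging EAPOL onward). Whether a given wired path passes the reserved block is also worth checking with a capture, since unmanaged switches frequently flood those addresses in violation of the standard.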