Wednesday, 28 January 2026

FreeRADIUS with EAP-TLS and VLANs in a Home Wi-Fi Network

In this project, I implemented FreeRADIUS with EAP-TLS authentication and dynamic VLAN assignment in my home Wi-Fi network. The goal was to increase security and learn how enterprise-level Wi-Fi authentication works in practice.

This solution is commonly used in companies, universities, and secure environments, but it can also be used at home.


Network Environment and Used Hardware

Below I present only the essential information needed to understand the network design and how FreeRADIUS with EAP-TLS fits into the overall architecture.

Used Hardware and Systems

The network is built using a mix of enterprise-grade and home-lab hardware, which allows realistic testing of advanced security features.

Firewall

  • pfSense installed on a custom mini-PC
  • Acts as the main firewall and router

RADIUS and Management Server

  • Dell Wyse 5070 mini-PC
  • Operating system: Debian Linux
  • Services running:
      • FreeRADIUS (EAP-TLS authentication)
      • UniFi Controller, migrated to UniFi OS Server

Network Devices

  • Ubiquiti UniFi US-8-60W switch
  • Ubiquiti UniFi UAP-AC-PRO access point

Network Segmentation and VLANs

The network is fully segmented using VLANs to separate traffic and improve security.

VLAN 40 is dynamically assigned by FreeRADIUS after successful EAP-TLS authentication.
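A sketch of how this assignment is commonly expressed in FreeRADIUS 3 policy language (unlang), added here as an example and not taken from this project's configuration. The file path (Debian package layout), the placement in the `post-auth` section of the default virtual server, and the `EAP-Type` check are assumptions; only the VLAN ID comes from the text above.

```conf
# Assumed location: /etc/freeradius/3.0/sites-enabled/default
# (added example, not the configuration used in this project)

post-auth {
	# Hand out the VLAN only to sessions that completed EAP-TLS,
	# i.e. the client presented a certificate that the eap module
	# verified. Assumes the eap module has set EAP-Type in the request.
	if (&EAP-Type == TLS) {
		update reply {
			# RFC 3580 VLAN assignment. The access point needs all
			# three attributes in the Access-Accept; if one is
			# missing, the client typically stays on the SSID's
			# default network instead of the intended VLAN.
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802

			# VLAN ID sent as a string; 40 is the dynamically
			# assigned VLAN named in this post.
			&Tunnel-Private-Group-Id := "40"
		}
	}
}
```

Running the server in debug mode (`freeradius -X` on Debian) prints the attributes of each Access-Accept, which confirms whether all three tunnel attributes are actually being sent.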

Network Design Philosophy

The main idea behind this design is:
  • strong authentication instead of shared passwords
  • clear separation of devices and users
  • minimal trust between network segments
Each device is placed into the correct VLAN automatically, based on its identity, not its location.

Why This Design Works Well
  • Central authentication with FreeRADIUS
  • Strong encryption using TLS certificates
  • Dynamic VLAN assignment
  • Easy scalability for new devices
  • Clear security boundaries between networks
This approach reflects real enterprise network architecture, adapted for a home environment.

Monday, 9 September 2024

Monitoring Windows and Active Directory using Wazuh and Zabbix

Wazuh is a great tool for security monitoring (SIEM). Thanks to it, I have a centralized environment that takes care of threat detection, file integrity monitoring, log analysis, vulnerability detection and malware identification.
Zabbix, on the other hand, complements Wazuh. While Wazuh focuses mainly on security, monitoring what's happening from a security perspective on our devices, Zabbix is useful for more administrative tasks. With Zabbix, we can check if anything is happening, if the disks are filling up, if the server temperatures are rising, and so on. From an administrative point of view, it allows us to check everything in one place and keep it handy. Not many people know that Zabbix is also great for security. It can check logs for failed login attempts or changes in files, for example.

Thursday, 22 February 2024

Zabbix as a real-time monitoring of IT components and services

Now it's time for Zabbix... The difficulty of learning Zabbix depends on the knowledge of IT infrastructure monitoring concepts, experience with similar tools and general technical knowledge.

The project I am working on, "Zabbix Architect - Network and Server Monitoring", showcases not only my skills with Zabbix software but also the extensive IT knowledge I have gained so far. It is based on my current home lab setup as well as cloud services. This project might take some time as I keep coming up with new ideas that I want to include. Below is the current architecture (which may change) and part of the work already completed.

The project looks like this:
Installation: Zabbix server, Zabbix proxy, database, high-availability cluster, load balancing, VRRP.
Ansible: deploying and adding agents, securing and optimizing Zabbix.
Monitoring: Windows and Linux, logs and events, services, Docker, agentless monitoring, SNMP, iDRAC, web applications, SSL certificates, SELinux, network devices, new unwanted devices, hypervisors, databases, mail server, backups, NVR/IP cameras.
Integration: Active Directory, ticketing system, Grafana.

 

Here are good practices for setting up and maintaining Zabbix:

1. Planning: Before you set up Zabbix, it's important to plan how the system will work. You should decide how many servers, proxies, and agents you need, and how you will organize your network and save data.

2. Scaling: Zabbix should be able to grow as your organization grows. This means making sure the server and database work well, adding proxies for monitoring in different locations, and using load balancing if necessary.

3. Database: The Zabbix database needs to be set up and maintained properly. This includes adjusting settings and making regular backups to keep everything running smoothly.

4. Security: To keep the system secure, you should encrypt communication between Zabbix components, limit access to the Zabbix interface, and update Zabbix regularly to fix security issues.

5. Refresh Time: Adjust how often Zabbix checks items and triggers to find a balance between detailed monitoring and system performance.

6. Use of Templates: Use or create templates to make setting up hosts and services easier and faster.

7. Alerts and Notifications: Set up alerts to inform the right people about important problems. Don't send too many alerts—just the important ones. Create rules for how alerts are handled, set limits for when alerts are triggered, and use different ways to notify people (like email, SMS, or chat apps).

8. Monitor Monitoring: Regularly check how well Zabbix itself is working. This includes looking at how much server and database resources are used, checking for failed data collection, and making sure the system is highly available and has backups where needed.