Zero Trust assumes the network is hostile, even internal traffic can't be trusted without verification. Every connection must be authenticated, authorized, and encrypted. IPSec (Internet Protocol Security) is a key enabler. In this article, I'll implement IPSec in a Domain with certificates using the Microsoft Platform Crypto Provider is the Key Storage Provider (KSP) that allows certificates and their private keys to be stored in the TPM.

Let's set up 802.1X authentication on the pfSense 4200 using FreeRADIUS and a Windows Certificate Authority (CA) as part of Zero Trust.

This post outlines how to build a segmented, secure network using pfSense on a Netgate 4200, a budget-friendly managed switch, and VLANs with point-to-point firewall rules. The objective is to use 802.1Q VLAN tagging to create isolated network zones and enforce access control with pfSense’s built-in firewall.