Pete Biggs wrote:

MAC addresses could be faked.

The PXE protocol, as far as I can see, has no concept of authorisation
- although its certainly possible to introduce it after PXE has done
its bit (but before imaging or whatever).

You may be better off with authenticating the DHCP using RADIUS, but
it's a complex process which, by its very nature, requires some form of
non-authenticated network access.

So the solution might have to be not to use PXE-boot anymore.  That would
be a pity because it´s so convenient.

PXE booting is nothing to do with installing or imaging machines. That
process is done *after* PXE booting. All the PXE does is to tell the
ethernet chip where to retrieve the PXE information from and what to
retrieve, which is then downloaded by TFTP.

I know, and it´s still convenient.

A prerequisite for PXE is DHCP - by the time your device does anything
with PXE it's already accessed the network and got an IP address and so
on. There is absolutely no way to prohibit access to your network
without first allowing the device some access to your network in order
to authenticate. The normal way around this is to use VLANs to
segregate "dirty" unauthenticated machines - once it's authenticated it
is moved onto a different VLAN and a new DHCP request initiated.

Suddenly moving the client to a different VLAN would have the same effect as
unplugging the network cable:  it would freeze until the connection is restored.
Otherwise, the server would have to be reachable via several VLANs, which would
make it pointless to use these VLANs.

There's lots of information on this on the net - Google for something
like 'PXE RADIUS' or 'PXE 802.1x' (hint: everyone uses VLANs).

CentOS mailing list

Reply via email to