> > A prerequisite for PXE is DHCP - by the time your device does anything
> > with PXE it's already accessed the network and got an IP address and so
> > on. There is absolutely no way to prohibit access to your network
> > without first allowing the device some access to your network in order
> > to authenticate. The normal way around this is to use VLANs to
> > segregate "dirty" unauthenticated machines - once it's authenticated it
> > is moved onto a different VLAN and a new DHCP request initiated.
> Suddenly moving the client to a different VLAN would have the same effect as
> unplugging the network cable:  it would freeze until the connection is 
> restored.
> Otherwise, the server would have to be reachable via several VLANs, which 
> would
> make it pointless to use these VLANs.

It depends on at which point you switch VLANs. If you use authenticated
DHCP then the process is to get an IP address on a dirty VLAN,
authenticate, switch VLAN, get a new IP address, boot to PXE.  There
are extensions in the DHCP protocol to accommodate this.

It's also possible that the PXE environment can deal with the
authentication - PXE runs solely on the local machine, so it doesn't
care about VLANs changing so long as when it wants to do something it
has a valid IP address for the VLAN it is assigned to.

And at this point, I think this is no longer CentOS related.  If you
can't find out what you need on the net, you need to hire a network
consultant to deal with it.  Asking a zillion random questions on a
mailing list just because you can't find or understand the information
elsewhere and fighting against the answers you are given is not very
productive for anyone.


CentOS mailing list

Reply via email to