On 02/23/2018 03:22 AM, hw wrote:
I'm not sure how to imagine it.  It would be nice if every device connecting to the network, wirelessly or otherwise, had to be authenticated --- and not only the device, but also the user(s) using it.


I've never seen anyone actually do this, but there's an article discussing it.  It is noteworthy that this requires enforcement in the client OS, as well as the switch.

There are devices that are using PXE-boot and require access to the company LAN. If I were to allow PXE-boot for unauthenticated devices, the whole thing would be pointless because it would defeat any security advantage that could be gained by requiring all devices and users to be authenticated: Anyone could bring a device capable of PXE-booting and get network access.

You don't seem to understand the suggestions you're being given.

An unauthenticated device should be placed on a VLAN with appropriate access.  If you have devices that need to PXE boot before authenticating, then you should have a VLAN that gives them DHCP service, DNS, and tftp to boot an OS.  That VLAN shouldn't have access to the protected company resources, and it doesn't have to have Internet access either.

Once the system boots, the users can authenticate themselves, which will move the device onto a VLAN with access appropriate for an authenticated user.

Well, I guess I'm confused because having explained where you'd find the interface in which users will provide their RADIUS username and password, you think this process is unfeasible.  Perhaps you could explain what you're looking for, more precisely?

As a customer visiting a store, would you go to the lengths of configuring your cell phone (or other wireless device) to authenticate with a RADIUS server in order to gain internet access through the wireless network of the store?

Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?

I'm not sure I understand the use case you're describing.  I'm not sure you do, either.
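The "boot VLAN first, authenticated VLAN after" placement described in this reply is done on the wire with the RFC 3580 tunnel attributes a RADIUS server returns in its Access-Accept. The following is an added example, not code from the list or from any CentOS component, showing how those attributes are encoded and how a switch-side policy would fail closed to the boot/guest VLAN when there is no Access-Accept or the assignment is malformed. The guest VLAN number 99 and tag 0 are constructed values.

```python
import struct

# Real attribute numbers from RFC 2865/2868 and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type, value):
    """One RADIUS attribute on the wire: type byte, total length byte, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_reply_attributes(vlan_id, tag=0):
    """Attributes a RADIUS server puts in an Access-Accept to move the session
    onto vlan_id. Tunnel attributes carry a one-byte tag before the value; the
    integer-valued ones are three bytes wide after the tag."""
    tag_byte = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + _avp(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode())
    )


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def choose_vlan(access_accept_attrs, guest_vlan):
    """Switch-side decision: no Access-Accept (unauthenticated, e.g. a PXE
    client) stays on the boot/guest VLAN, as does any reply whose VLAN
    assignment is incomplete, inconsistent or malformed (fail closed)."""
    if access_accept_attrs is None:
        return guest_vlan
    try:
        found = {}
        for t, v in parse_attributes(access_accept_attrs):
            if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
                found[t] = int.from_bytes(v[1:], "big")
            elif t == TUNNEL_PRIVATE_GROUP_ID and v:
                # A leading byte <= 0x1F is a tag, otherwise it is part of the string.
                found[t] = (v[1:] if v[0] <= 0x1F else v).decode()
        if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            return int(found[TUNNEL_PRIVATE_GROUP_ID])
    except (ValueError, KeyError):
        pass
    return guest_vlan
```

A real deployment additionally restricts the guest VLAN with an ACL to DHCP, DNS and TFTP, as the reply describes; that part lives on the switch or firewall, not in RADIUS.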

CentOS mailing list