On 02/23/2018 03:22 AM, hw wrote:
I´m not sure how to imagine it. It would be nice if every device
the network, wirelessly or otherwise, had to be authenticated --- and
the device, but also the user(s) using it.
I've never seen anyone actually do this, but there's an article
discussing it. It is noteworthy that this requires enforcement in the
client OS, as well as the switch.
There are devices that are using PXE-boot and require access to the
If I was to allow PXE-boot for unauthenticated devices, the whole
thing would be
pointless because it would defeat any security advantage that could be
requiring all devices and users to be authenticated: Anyone could
bring a device
capable of PXE-booting and get network access.
You don't seem to understand the suggestions you're being given.
An unauthenticated device should be placed on a VLAN with appropriate
access. If you have devices that need to PXE boot before
authenticating, then you should have a VLAN that gives them DHCP
service, DNS, and tftp to boot an OS. That VLAN shouldn't have access
to the protected company resources, and it doesn't have to have Internet
Once the system boots, the users can authenticate themselves, which will
move the device onto a VLAN with access appropriate for an authenticated
Well, I guess I'm confused because having explained where you'd find
the interface in which users will provide their RADIUS username and
password, you think this process is unfeasible. Perhaps you could
explain what you're looking for, more precisely?
As a customer visting a store, would you go to the lengths of
cell phone (or other wireless device) to authenticate with a RADIUS
order to gain internet access through the wirless network of the store?
Where do your hypothetical customers in a store get the user credentials
that you want to authenticate via RADIUS?
I'm not sure I understand the use case you're describing. I'm not sure
you do, either.
CentOS mailing list