On 03/01/2018 03:06 AM, hw wrote:

It is illogical to lump all network access together into a single category.
...
If your device can communicate with a switch, even for the purpose of authenticating, then it has network access.

The device has access to the switch which, depending on what answer to an
authentication request it gets from a RADIUS server, decides if and how it
lets the device access the network.

You're still lumping networks into a single category.

Not "the" network, but "a" network.

Unauthenticated clients are, by definition, connected to A network consisting of the device and the switch.  They might also be connected to a network consisting of the device, a switch, and a TFTP server that provides the boot image to the client.  And since there is nothing else on that network, other than a read-only TFTP server that your devices require in order to boot, it's difficult to understand why you think there is a security risk here.

Security is the process of restricting access to a resource to only the devices and persons that require it.  If your devices require a boot image before they can authenticate, then restricting their access to that resource can no longer be described as "security."

Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?

They might get them from employees of the store or read them from signs
inside the store, perhaps depending on what kind of access rights they
are supposed to have.

If you're sharing passwords, then you don't need RADIUS.  Set up separate SSIDs that are attached to VLANs with appropriate access levels, and continue using WPA2 Personal.  Using RADIUS will be no more secure than that.  It's not magic.

Right, but what about keeping track of customers?  Apparently RADIUS has some
accounting features, and it might be an advantage to use those.

It does, but you will get exactly the same information using WPA2 Personal that you will from WPA2 Enterprise and RADIUS.  "A client connected to the WAP at such and such time.  It disconnected at such and such time."

If you're sharing passwords, RADIUS is the most complex way to get the information.  You can get the same info by simply logging WAP events to a log server.


_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

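The last reply's point (that logging WAP events to a log server yields the same "client connected at X, disconnected at Y" facts as RADIUS accounting, and that separate SSIDs on VLANs already tell you which access level a client got) is illustrated below with an added example that is not part of the original thread or of any CentOS/hostapd code. It pairs hostapd `AP-STA-CONNECTED` / `AP-STA-DISCONNECTED` syslog events into per-client session records. The log lines, hostnames, MAC addresses, timestamps, the year passed to the parser and the interface-to-SSID/VLAN mapping are all constructed assumptions for the example; `AP-STA-CONNECTED` and `AP-STA-DISCONNECTED` are real hostapd event strings.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample of what a syslog server might receive from two WAPs
# running hostapd.  AP-STA-CONNECTED / AP-STA-DISCONNECTED are real hostapd
# event strings; hostnames, interfaces, MACs and times are made up.
SAMPLE_LOG = """\
Mar  1 09:02:11 wap-front hostapd: wlan0: AP-STA-CONNECTED 00:11:22:33:44:55
Mar  1 09:02:40 wap-front hostapd: wlan1: AP-STA-CONNECTED 66:77:88:99:aa:bb
Mar  1 09:05:00 wap-back hostapd: wlan0: AP-STA-DISCONNECTED cc:dd:ee:ff:00:11
Mar  1 09:47:03 wap-front hostapd: wlan0: AP-STA-DISCONNECTED 00:11:22:33:44:55
Mar  1 10:15:59 wap-back hostapd: wlan0: AP-STA-CONNECTED 00:11:22:33:44:55
Mar  1 10:30:00 wap-back hostapd: wlan0: AP-STA-DISCONNECTED 00:11:22:33:44:55
"""

# Assumed mapping of each BSS interface to the SSID/VLAN it serves; this is
# the "separate SSIDs attached to VLANs" setup seen from the log's side.
IFACE_SSID = {"wlan0": ("customers", 20), "wlan1": ("staff", 10)}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"hostapd: (?P<iface>\S+): AP-STA-(?P<event>CONNECTED|DISCONNECTED) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


@dataclass
class Session:
    mac: str
    ap: str
    ssid: str
    vlan: Optional[int]
    start: Optional[datetime]  # None: a disconnect was seen with no connect
    stop: Optional[datetime]   # None: still associated, or disconnect lost

    @property
    def seconds(self) -> Optional[int]:
        """Session length, or None when either end of it is unknown."""
        if self.start is None or self.stop is None:
            return None
        return int((self.stop - self.start).total_seconds())


def parse_sessions(log_text: str, year: int) -> list:
    """Pair CONNECTED/DISCONNECTED events into sessions, the same records
    RADIUS Acct-Start/Acct-Stop would give.  Syslog timestamps carry no
    year, so the caller supplies it (assumed, not taken from the log)."""
    open_sessions = {}
    done = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ssid, vlan = IFACE_SSID.get(m["iface"], (m["iface"], None))
        key = (m["host"], m["iface"], m["mac"])
        if m["event"] == "CONNECTED":
            prev = open_sessions.pop(key, None)
            if prev is not None:  # disconnect was lost: close it with stop unknown
                done.append(prev)
            open_sessions[key] = Session(m["mac"], m["host"], ssid, vlan, ts, None)
        else:
            sess = open_sessions.pop(key, None)
            if sess is None:  # orphan disconnect (e.g. log server restarted)
                sess = Session(m["mac"], m["host"], ssid, vlan, None, ts)
            else:
                sess.stop = ts
            done.append(sess)
    done.extend(open_sessions.values())  # clients still associated
    return done


def connected_seconds(sessions) -> dict:
    """Total accounted time per client MAC, counting complete sessions only."""
    totals = {}
    for s in sessions:
        if s.seconds is not None:
            totals[s.mac] = totals.get(s.mac, 0) + s.seconds
    return totals


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG, 2018):
        print(f"{s.mac} {s.ap}/{s.ssid} vlan={s.vlan} "
              f"{s.start} -> {s.stop} ({s.seconds}s)")
    print(connected_seconds(parse_sessions(SAMPLE_LOG, 2018)))
```

Two failure modes that RADIUS accounting also has to cope with are handled explicitly: a disconnect with no matching connect (an orphan record with an unknown start) and a connect with no disconnect (a still-open session, or one whose stop event was lost). Note that with a shared WPA2 Personal passphrase the MAC address is the only client identity available from either source, which is the reply's point about RADIUS not being "magic" here.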