Re: [CentOS] RADIUS

2018-02-23 Thread Gordon Messmer
On 02/23/2018 03:22 AM, hw wrote: I'm not sure how to imagine it.  It would be nice if every device connecting to the network, wirelessly or otherwise, had to be authenticated --- and not only the device, but also the user(s) using it.

Re: [CentOS] Network broke for a while when libvirtd start

2018-02-23 Thread Genghuang Wang
Hello > When start service libvirtd by > > service libvirtd start > > OS: CentOS 6.5 > libvirt: libvirt-daemon-1.2.5-1.mira1.x86_64 https://www.redhat.com/mailman/listinfo/libvirt-users is the official mailing list for the libvirt daemon, maybe you can ask in there and get better support.

[CentOS] Network broke for a while when libvirtd start

2018-02-23 Thread wuzhouhui
When starting the libvirtd service with service libvirtd start, the network will break for a while and then reconnect. Following is /var/log/messages: Feb 24 13:28:51 node-0 kernel: lo: Dropping TSO features since no CSUM feature. Feb 24 13:28:51 node-0 kernel: lo: Disabled Privacy Extensions Feb

Re: [CentOS] a few simple questions about upgrading an "official" centos 7 release

2018-02-23 Thread liza
> On Feb 22, 2018, at 9:34 AM, hw wrote: > > Robert P. J. Day wrote: >> On Thu, 22 Feb 2018, hw wrote: >>> >>> The students you need to teach things like this are the ones that >>> will never become good admins. >> uh, that's kind of a condescending attitude to take towards

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Pete Biggs wrote: A prerequisite for PXE is DHCP - by the time your device does anything with PXE it's already accessed the network and got an IP address and so on. There is absolutely no way to prohibit access to your network without first allowing the device some access to your network in

[CentOS-virt] Kimchi and noVNC

2018-02-23 Thread Jean-Marc Liger
Hi, I've rebuilt Kimchi/Wok 2.5.0 based on ClearOS packages. I've also upgraded noVNC 1.0.0. Unfortunately the QEMUExtendedKeyEvent which fixes French keyboard's detection doesn't work for me at the moment. But maybe, the problem is located in my QEMU 2.11.0 implementation. If someone want

Re: [CentOS] RADIUS

2018-02-23 Thread Pete Biggs
> > > A prerequisite for PXE is DHCP - by the time your device does anything > > with PXE it's already accessed the network and got an IP address and so > > on. There is absolutely no way to prohibit access to your network > > without first allowing the device some access to your network in

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Pete Biggs wrote: Yes, I do it frequently with my phone. You do it once and it remembers it. My phone is more often on wifi than on 4G when I'm in a town. And you need to install certificates or enter a password or something? Yes. Just once, then things are remembered and you can seamlessly

Re: [CentOS] RADIUS

2018-02-23 Thread Richard Grainger
On Fri, Feb 23, 2018 at 1:57 PM, hw wrote: > Richard Grainger wrote: >> >> On Fri, Feb 23, 2018 at 12:56 PM, hw wrote: >>> >>> That requires some way to distinguish between customers, and it means >>> that distinguishing between devices is not sufficient for

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Pete Biggs wrote: MAC addresses could be faked. The PXE protocol, as far as I can see, has no concept of authorisation - although it's certainly possible to introduce it after PXE has done its bit (but before imaging or whatever). You may be better off with authenticating the DHCP using

Re: [CentOS] RADIUS

2018-02-23 Thread Pete Biggs
> > Yes, I do it frequently with my phone. You do it once and it remembers > > it. My phone is more often on wifi than on 4G when I'm in a town. > > And you need to install certificates or enter a password or something? Yes. Just once, then things are remembered and you can seamlessly roam

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Richard Grainger wrote: On Fri, Feb 23, 2018 at 12:56 PM, hw wrote: That requires some way to distinguish between customers, and it means that distinguishing between devices is not sufficient for registered customers. Once the customer logs into the captive web portal on the

Re: [CentOS] RADIUS

2018-02-23 Thread hw
John Hodrien wrote: On Fri, 23 Feb 2018, hw wrote: There are devices that are using PXE-boot and require access to the company LAN.  If I was to allow PXE-boot for unauthenticated devices, the whole thing would be pointless because it would defeat any security advantage that could be gained by

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Pete Biggs wrote: There are devices that are using PXE-boot and require access to the company LAN. If I was to allow PXE-boot for unauthenticated devices, the whole thing would be pointless because it would defeat any security advantage that could be gained by requiring all devices and users

Re: [CentOS] RADIUS

2018-02-23 Thread Richard Grainger
On Fri, Feb 23, 2018 at 12:56 PM, hw wrote: > That requires some way to distinguish between customers, and it means > that distinguishing between devices is not sufficient for registered > customers. Once the customer logs into the captive web portal on the guest WiFi SSID you

Re: [CentOS] RADIUS

2018-02-23 Thread Pete Biggs
> MAC addresses could be faked. > > > The PXE protocol, as far as I can see, has no concept of authorisation > > - although it's certainly possible to introduce it after PXE has done > > its bit (but before imaging or whatever). > > > > You may be better off with authenticating the DHCP using

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Richard Grainger wrote: On Fri, Feb 23, 2018 at 11:22 AM, hw wrote: As a customer visiting a store, would you go to the lengths of configuring your cell phone (or other wireless device) to authenticate with a RADIUS server in order to gain internet access through the wireless

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Richard Grainger wrote: On Fri, Feb 23, 2018 at 11:25 AM, hw wrote: But MAC addresses can be faked, can't they? Yes, someone can go to the trouble of obtaining a known corporate MAC address and MAC-spoofing their personal device so they can PXE-boot a corporate build on a

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Pete Biggs wrote: https://www.eduroam.org/ I configure wireless once on my device (phone/tablet/laptop) and then can travel to institutions all round the world and use their networks seamlessly. How useless and infeasible indeed. Well, this country "this country"? Germany is

Re: [CentOS] RADIUS

2018-02-23 Thread John Hodrien
On Fri, 23 Feb 2018, hw wrote: There are devices that are using PXE-boot and require access to the company LAN. If I was to allow PXE-boot for unauthenticated devices, the whole thing would be pointless because it would defeat any security advantage that could be gained by requiring all

Re: [CentOS] RADIUS

2018-02-23 Thread Pete Biggs
> There are devices that are using PXE-boot and require access to the company > LAN. > If I was to allow PXE-boot for unauthenticated devices, the whole thing would > be > pointless because it would defeat any security advantage that could be gained > by > requiring all devices and users to be

Re: [CentOS] RADIUS

2018-02-23 Thread hw
John Hodrien wrote: On Fri, 23 Feb 2018, hw wrote: That would be a problem because clients using PXE-boot require network access, and it wouldn't contribute to security if unauthorized clients were allowed to PXE-boot. What problem are you actually trying to solve? There are multiple

Re: [CentOS] RADIUS

2018-02-23 Thread Richard Grainger
On Fri, Feb 23, 2018 at 11:22 AM, hw wrote: > As a customer visiting a store, would you go to the lengths of configuring > your > cell phone (or other wireless device) to authenticate with a RADIUS server > in > order to gain internet access through the wireless network of the

Re: [CentOS] RADIUS

2018-02-23 Thread Pete Biggs
> > > https://www.eduroam.org/ > > > > I configure wireless once on my device (phone/tablet/laptop) and then can > > travel to institutions all round the world and use their networks > > seamlessly. > > How useless and infeasible indeed. > > Well, this country "this country"? > is almost

Re: [CentOS] RADIUS

2018-02-23 Thread Richard Grainger
On Fri, Feb 23, 2018 at 11:25 AM, hw wrote: > But MAC addresses can be faked, can't they? Yes, someone can go to the trouble of obtaining a known corporate MAC address and MAC-spoofing their personal device so they can PXE-boot a corporate build on a VLAN that is otherwise

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Richard Grainger wrote: On Fri, Feb 23, 2018 at 10:33 AM, hw wrote: That would be a problem because clients using PXE-boot require network access, and it wouldn't contribute to security if unauthorized clients were allowed to PXE-boot. Two solutions to this: 1. Enable

Re: [CentOS] RADIUS

2018-02-23 Thread hw
Gordon Messmer wrote: On 02/22/2018 03:22 AM, hw wrote: Gordon Messmer wrote: Look for documentation on 802.11x authentication for the specific client you want to authenticate. Thanks, I figured it is what I might need to look into.  How about a client that uses PXE boot? Provide PXE

Re: [CentOS] RADIUS

2018-02-23 Thread Richard Grainger
On Fri, Feb 23, 2018 at 10:33 AM, hw wrote: > That would be a problem because clients using PXE-boot require network > access, > and it wouldn't contribute to security if unauthorized clients were allowed > to > PXE-boot. Two solutions to this: 1. Enable "exception by MAC

Re: [CentOS] RADIUS

2018-02-23 Thread John Hodrien
On Fri, 23 Feb 2018, hw wrote: That would be a problem because clients using PXE-boot require network access, and it wouldn't contribute to security if unauthorized clients were allowed to PXE-boot. What problem are you actually trying to solve? jh

Re: [CentOS] RADIUS

2018-02-23 Thread hw
John Hodrien wrote: On Thu, 22 Feb 2018, hw wrote: That seems neither useful, nor feasible for customers wanting to use the wireless network we would set up for them with their cell phones.  Are cell phones even capable of this kind of authentication? Yes, entirely capable.  WPA2-Enterprise

Re: [CentOS] Does Huawei break the license of CentOS?

2018-02-23 Thread Genghuang Wang
Hello I have found the Docker images for the above-mentioned Euler OS. https://github.com/euleros/euleros-docker-images/blob/master/2.2/EulerOS-2.2.tar.xz https://en.wikipedia.org/wiki/Docker_(software) However, after opening it, I find it to be "shared object" files. It is not the source

Re: [CentOS] what is the centos/elrepo policy toward LTS kernels?

2018-02-23 Thread Pete Biggs
> > > i am obviously unclear on the policy used to determine which kernel > > > versions end up in that repository. > > > > > > rday > > > > You want to ask elrepo-related questions on the elrepo mailing list. > > > > But here's the post that would answer your question: > > > >

Re: [CentOS] what is the centos/elrepo policy toward LTS kernels?

2018-02-23 Thread Robert P. J. Day
On Fri, 23 Feb 2018, Akemi Yagi wrote: > On Fri, Feb 23, 2018 at 12:30 AM, Robert P. J. Day > wrote: > > > > i'm sure there's a simple answer to this -- i already understand > > that newer kernels than the ones shipped with the official release > > aren't officially

Re: [CentOS] what is the centos/elrepo policy toward LTS kernels?

2018-02-23 Thread Akemi Yagi
On Fri, Feb 23, 2018 at 12:30 AM, Robert P. J. Day wrote: > > i'm sure there's a simple answer to this -- i already understand > that newer kernels than the ones shipped with the official release > aren't officially supported but there is the elrepo kernel repository >

[CentOS] what is the centos/elrepo policy toward LTS kernels?

2018-02-23 Thread Robert P. J. Day
i'm sure there's a simple answer to this -- i already understand that newer kernels than the ones shipped with the official release aren't officially supported but there is the elrepo kernel repository here: http://elrepo.org/linux/kernel/el7/x86_64/RPMS/ with a mixture of long-term (lt)