Re: RADIUS




On Fri, Feb 23, 2018 at 10:33 AM, hw <hw@xxxxxxxx> wrote:

> That would be a problem because clients using PXE-boot require network
> access, and it wouldn't contribute to security if unauthorized clients were
> allowed to PXE-boot.

Two solutions to this:

1. Enable "exception by MAC address": only known MAC addresses get put
onto the PXE boot VLAN. Other unauthenticated clients go onto a "no
access" VLAN (many places make this the same VLAN as the guest WiFi
VLAN with internet access only, sometimes with a captive portal).
Authenticated clients go onto the corporate VLAN.
2. (This can be in addition to or instead of 1.)  The PXE server itself
will only serve known MAC addresses and/or requires a token/password
to initiate the install.  Regardless, there's not huge utility to
installing your personal machine with a corporate build from a PXE
server, which you then can't use because you don't have corporate
credentials, but I suppose it may have some risk with regards to
software licensing or builds containing other stuff you don't want
strangers to access, so lockdowns can't hurt.

> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
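
Added example, not part of the original message: a sketch of the two checks described above, the per-port VLAN decision (solution 1) and the PXE server's own gate (solution 2). The VLAN IDs, MAC allowlist, token and function names are assumptions made for illustration; the reply attributes are the RFC 3580 tunnel attributes used for VLAN assignment.

```python
import hmac
import re

# Constructed sample values: VLAN IDs, allowlist and token are assumptions.
VLAN_CORPORATE, VLAN_PXE, VLAN_NO_ACCESS = 10, 20, 99
PXE_ALLOWED_MACS = {"52:54:00:12:34:56", "52:54:00:ab:cd:ef"}
INSTALL_TOKEN = "constructed-example-token"


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC.

    Switches send Calling-Station-Id in several notations
    (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff).
    """
    digits = re.sub(r"[-:.]", "", raw or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_reply(vlan_id):
    """RFC 3580 tunnel attributes a RADIUS server returns to assign a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def assign_vlan(calling_station_id, authenticated):
    """Solution 1: decide which VLAN the switch port is placed in."""
    if authenticated:
        return vlan_reply(VLAN_CORPORATE)
    mac = normalize_mac(calling_station_id)
    if mac in PXE_ALLOWED_MACS:
        return vlan_reply(VLAN_PXE)
    return vlan_reply(VLAN_NO_ACCESS)  # unknown or malformed MAC: fail closed


def pxe_may_install(client_mac, token):
    """Solution 2: the PXE server's own check (here: known MAC AND token)."""
    mac = normalize_mac(client_mac)
    token_ok = hmac.compare_digest(token.encode(), INSTALL_TOKEN.encode())
    return mac in PXE_ALLOWED_MACS and token_ok
```

Requiring the token in addition to the MAC keeps the install gated even when the VLAN exception alone would admit a client.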