Re: RADIUS




Richard Grainger wrote:
On Fri, Feb 23, 2018 at 10:33 AM, hw <hw@xxxxxxxx> wrote:

That would be a problem because clients using PXE-boot require network
access, and it wouldn't contribute to security if unauthorized clients
were allowed to PXE-boot.

Two solutions to this:

1. Enable "exception by MAC address": only known MAC addresses get put
onto the PXE boot VLAN. Other unauthenticated clients go onto a "no
access" VLAN (many places make this the same VLAN as the guest WiFi
VLAN with internet access only, sometimes with a captive portal).
Authenticated clients go onto the corporate VLAN.
2. (this can be in addition to or instead of 1).  The PXE server itself
will only serve known MAC addresses and/or requires a token/password
to initiate the install.  Regardless, there's not huge utility to
installing your personal machine with a corporate build from a PXE
server, which you then can't use because you don't have corporate
credentials, but I suppose it may have some risk with regards to
software licensing or builds containing other stuff you don't want
strangers to access, so lockdowns can't hurt.

But MAC addresses can be faked, can't they?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



