Re: RADIUS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Pete Biggs wrote:


https://www.eduroam.org/

I configure wireless once on my device (phone/tablet/laptop) and then can
travel to institutions all round the world and use their networks seamlessly.
How useless and infeasible indeed.

Well, this country

"this country"?

Germany

  is almost the worst of all countries around the world when
it comes to internet access.  Though they list a few locations here where you
supposedly could use their service, I wouldn´t expect anything.  Then there´s
the question of protecting your privacy.  For example, how much do they pay you
for allowing them to keep track of your travels?

I think you've got the wrong idea about eduroam. John Hodrien was just
using it as a real world example of WPA2-enterprise in action.  It's a
private network for academic institutions - it allows members of
Universities around the world to gain access to the wifi at a local
University they are visiting.  It's not a public wifi service.

It isn´t really private, either.

It's a convenience - a very, very convenient convenience. If you don't
want someone tracking where you are, then don't use it. But TBH if you
are visiting another university, then in general your location is
known!

Without wireless, your general location may be known as in "visiting university X";
with wireless, your location is known as in "is currently in room X of building Z".
That is quite a difference, and in either case, what about your privacy?

In any case, it wouldn´t do our customers any good because there aren´t places
all over the world where they could use our network.

Your customers wouldn't be able to use it anyway

If there were places all over the world where they could use our network, they
could.

A client that can't authenticate gets the network it's provided with by being
unauthenticated.  If an unauthenticated client can't have any network access,
that's what they get.  Presumably you could drop an unauthenticated machine
into a different VLAN.

That would be a problem because clients using PXE-boot require network access,
and it wouldn´t contribute to security if unauthorized clients were allwed to
PXE-boot.

So restrict based on MAC address at the PXE boot stage.

MAC addresses could be faked.

The PXE protocol, as far as I can see, has no concept of authorisation
- although its certainly possible to introduce it after PXE has done
its bit (but before imaging or whatever).

You may be better off with authenticating the DHCP using RADIUS, but
it's a complex process which, by its very nature, requires some form of
non-authenticated network access.

So the solution might have to be not to use PXE-boot anymore.  That would
be a pity because it´s so convenient.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux