John Hodrien wrote:
> On Fri, 23 Feb 2018, hw wrote:
>> There are devices that are using PXE-boot and require access to the company
>> LAN. If I was to allow PXE-boot for unauthenticated devices, the whole
>> thing would be pointless because it would defeat any security advantage that
>> could be gained by requiring all devices and users to be authenticated:
>> Anyone could bring a device capable of PXE-booting and get network access.
> I'd hope that you could involve TPM in this game. PXE to unauthenticated
> VLAN, boot an OS that could then use TPM to pull out a credential to
> authenticate to the network and switch to another VLAN.
Besides that, I have no idea how to do this: when switching over to a different
VLAN, access to the server the client has booted from would go away, and the
client would freeze until the connection is back. It would be the same effect
as unplugging the network cable.
Those clients are x2go clients, and they boot from the same VM the users work on
via these clients. I don't think the clients will continue to work when pulling
the connection to the boot device while leaving them connected to the x2go server,
and it would require the x2go server to be reachable via a VLAN that provides
unauthenticated access.
I never used TPM. Apparently it requires machines supporting it because some
have an entry in their BIOS for it, and you need some sort of unknown hardware
module nobody has.
>> As a customer visiting a store, would you go to the lengths of configuring
>> your cell phone (or other wireless device) to authenticate with a RADIUS
>> server in order to gain internet access through the wireless network of the
>> store?
> No, I'd never offer wireless network access this way. Typically, you either
> offer it unauthenticated, or you provide it via a captive web portal.
Would you consider a captive portal as user friendly?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
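As an added illustration of the scheme John sketches in the thread above (this is an example written for this page, not configuration posted by hw, John or the CentOS project), the following wpa_supplicant configuration is what a Linux client that has already PXE-booted on the unauthenticated VLAN would use to perform wired 802.1X with EAP-TLS, authenticating with a client key held in the TPM and exposed through a PKCS#11 module. The file path, the engine and module paths, the identity, the certificate paths, the token label and the PIN are all assumptions chosen for the example; the wpa_supplicant options themselves (ap_scan, pkcs11_engine_path, pkcs11_module_path, engine, engine_id, key_id, pin, eapol_flags) are standard ones from wpa_supplicant.conf.

```conf
# /etc/wpa_supplicant/wired-eap-tls.conf  (added example; all paths and names are assumptions)
# Started on the PXE-booted client once its OS is up, with the wired driver:
#   wpa_supplicant -Dwired -ieth0 -c /etc/wpa_supplicant/wired-eap-tls.conf
ctrl_interface=/run/wpa_supplicant
ap_scan=0                      # wired port: no scanning, only EAPOL on the link

# OpenSSL PKCS#11 engine plus the TPM-backed PKCS#11 module (assumed paths;
# tpm2-pkcs11 is one such module, the engine library name varies by distro)
pkcs11_engine_path=/usr/lib64/engines-1.1/pkcs11.so
pkcs11_module_path=/usr/lib64/pkcs11/libtpm2_pkcs11.so

network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0              # no dynamic WEP keying on a wired port
    identity="host/client01.example.com"                   # assumed; must match the client cert
    ca_cert="/etc/pki/ca-trust/source/anchors/corp-8021x-ca.pem"  # CA that signed the RADIUS server cert (assumed)
    client_cert="/etc/pki/tls/certs/client01.pem"          # public certificate may live on disk
    engine=1
    engine_id="pkcs11"
    key_id="pkcs11:token=corp-8021x;object=client01;type=private"  # private key stays in the TPM
    pin="1234"                 # assumed user PIN for the TPM-backed token
}
```

Two practical notes on this. First, the client only proves its identity; moving the port from the unauthenticated VLAN to the authenticated one is done by the switch (typically from VLAN attributes the RADIUS server returns), after which the client has to obtain a new address, which is exactly the point where the objection raised in the thread applies: a root filesystem served from the old VLAN becomes unreachable at that moment. Second, because a PXE-booted client has nobody to type a PIN, the PIN ends up in this file on the network-served root filesystem; the TPM still keeps the key from being copied off the machine, but anyone who can read that filesystem can use the key from that machine, so the file's permissions and the boot server's access control matter as much as the TPM does.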