On 02/27/2018 08:21 AM, hw wrote:
Gordon Messmer wrote:
I've never seen anyone actually do this, but there's an article
discussing it. It is noteworthy that this requires enforcement in
the client OS, as well as the switch.
The article itself says that what it is describing only works within a
Windoze world.
That's what I said.
(Also, "Windoze"? Can we at least pretend to be a community of
professionals?)
I understand that it is suggested that I should give all unauthorized
devices
network access (so that they can PXE boot or whatever), which is what I
don´t want to do.
It is illogical to lump all network access together into a single category.
If your device can communicate with a switch, even for the purpose of
authenticating, then it has network access.
A device cannot authenticate if the processor is idle. The processor
needs software in order to authenticate. If that software resides on an
TFTP server, rather than a locally attached storage device, then the
device needs limited network access to retrieve the software (after
which it runs the software, authenticates the user or the device, and
receives greater levels of network access.)
Providing a VLAN on which there are no private resources, and no
Internet access, may be a required component if you have devices that
boot via PXE. Honestly, people are trying to help you, but you are
placing logically contradictory requirements on the project.
I also understand that it may be possible that there is a variety of
PXE boot
which addresses this problem by allowing devices to authenticate
before they
boot. However, some of the devices in question are likely to old to
support
this.
The device needs to have software adequate to authenticate itself or its
user. It's logically possible to run software from some local storage,
authenticate, retrieve a new software image from PXE, and then chainload
that. If you don't have a device that does that, specifically, then you
need to provide a VLAN that supports the devices you DO have.
Where do your hypothetical customers in a store get the user
credentials that you want to authenticate via RADIUS?
They might get it from employees of the store or read it from signs
inside the store, perhaps depending on what kind of access rights they
are supposed to have.
If you're sharing passwords, then you don't need RADIUS. Set up
separate SSIDs that are attached to VLANs with appropriate access
levels, and continue using WPA2 Personal. Using RADIUS will be no more
secure than that. It's not magic.
Imagine you want to ride a horse and don´t know anything about horses.
You
look for documentation about horses, and the only documentations you
can find
are telling you that horses exist, how to get one and that they can be
used for
riding. How helpful is that?
Imagine that someone is trying to help you learn to ride horses, and you
spend all of your time complaining that you think animals are dirty.
How helpful is that?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
