Richard Grainger wrote:
> On Fri, Feb 23, 2018 at 10:33 AM, hw <hw at gc-24.de> wrote:
>
>> That would be a problem because clients using PXE-boot require network
>> access, and it wouldn't contribute to security if unauthorized clients
>> were allowed to PXE-boot.
>
> Two solutions to this:
>
> 1. Enable "exception by MAC address": only known MAC addresses get put
>    onto the PXE boot VLAN. Other unauthenticated clients go onto a "no
>    access" VLAN (many places make this the same VLAN as the guest WiFi
>    VLAN with internet access only, sometimes with a captive portal).
>    Authenticated clients go onto the corporate VLAN.
> 2. (this can be in addition or instead of 1). The PXE server itself
>    will only serve known MAC addresses and/or requires a token/password
>    to initiate the install.
>
> Regardless, there's not huge utility to installing your personal machine
> with a corporate build from a PXE server, which you then can't use because
> you don't have corporate credentials, but I suppose it may have some risk
> with regards to software licensing or builds containing other stuff you
> don't want strangers to access, so lockdowns can't hurt.

But MAC addresses can be faked, can't they?