On Fri, 23 Feb 2018, hw wrote:

> There are devices that are using PXE-boot and require access to the company
> LAN. If I was to allow PXE-boot for unauthenticated devices, the whole
> thing would be pointless because it would defeat any security advantage that
> could be gained by requiring all devices and users to be authenticated:
> Anyone could bring a device capable of PXE-booting and get network access.

I'd hope that you could involve TPM in this game. PXE to unauthenticated
VLAN, boot an OS that could then use TPM to pull out a credential to
authenticate to the network and switch to another VLAN.

> As a customer visiting a store, would you go to the lengths of configuring
> your cell phone (or other wireless device) to authenticate with a RADIUS
> server in order to gain internet access through the wireless network of the
> store?

No, I'd never offer wireless network access this way. Typically, you either
offer it unauthenticated, or you provide it via a captive web portal.

jh