[CentOS] RADIUS

Fri Feb 23 13:28:23 UTC 2018
hw <hw at gc-24.de>

Pete Biggs wrote:
> 
>> There are devices that are using PXE-boot and require access to the company LAN.
>> If I was to allow PXE-boot for unauthenticated devices, the whole thing would be
>> pointless because it would defeat any security advantage that could be gained by
>> requiring all devices and users to be authenticated: Anyone could bring a device
>> capable of PXE-booting and get network access.
> 
> So authenticate before imaging. Lots of imaging solutions allow that -
> even the MS WDS does it.

Well, I don´t have an imaging solution and no idea how to do that.

>> As a customer visiting a store, would you go to the lengths of configuring your
>> cell phone (or other wireless device) to authenticate with a RADIUS server in
>> order to gain internet access through the wireless network of the store?
> 
> Yes, I do it frequently with my phone.  You do it once and it remembers
> it. My phone is more often on wifi than on 4G when I'm in a town.

And you need to install certificates or enter a password or something?

>> From what I´m being told, everyone already has internet access with their cell
>> phones from their phone service provider and is apparently happy with that
>> even though the amount of data they can transmit is ridiculously low.  So why
>> would anyone do any configuring and have to worry about protecting their privacy
>> when and for using the wireless network of a shop they´re visiting?
> 
> Because you get faster data rates and in the middle of a big shop you
> don't get a phone signal.

How do you get faster data rates?  In a shop that even has a 100Mbit internet
connection and 50 customers using it, you would get only 2Mbit.

How do the shops prevent you from getting a phone signal?

>> I have no idea what the lengths of configuring might be other than that anything
>> you try to do with a cell phone or a tablet is so extremely painful or outright
>> impossible that I only touch them when I get paid for it.  Perhaps RADIUS
>> authentication is easy with such devices.
> 
> In general the user knows nothing about RADIUS - you are presented with
> a username/password box when you first connect to the wifi and that is
> it.

Those are particularly painful to enter, but I guess it could be used
for some customers.

>>>> I´m not using gnome; I recently tried it, and it´s totally bloated,
>>>> yet doesn´t even have a usable window manager.
>>>
>>> OK.  I'm not sure how your opinion of GNOME is really relevant.
>>> I'm describing it because it's an example that's probably within
>>> reach for both you and me, given that you and I are communicating
>>> via a GNU/Linux focused mailing list.
>>>
>>> I'm sorry my voluntary attempt to help you out wasn't to your liking.
>>
>> Don´t be sorry, there´s nothing wrong with your help, and I appreciate it.
>>
>> Just keep in mind when you say that the opinions of users of software X are
>> irrelevant, software X itself is as irrelevant as the opinions.
> 
> Exactly. "Software X" was an example of how it could be done.  It
> doesn't matter what your opinions are about it. Other software is
> available. You seem to be taking the examples that people give you as
> the only possible way of doing things.
> 
> RADIUS is a very mature technology and as such there are lots of ways
> of using it.

Well, I don´t know about any of this.  I found out that RADIUS is probably
what I could or should use to get things working as intended, so I tried to
find documentation on /how/ to use it and found nothing but documentation which
says that it could be used, which I already know.

So I tried it to a limited extent and found that it could and probably should be
used.