Pete Biggs wrote:
>
>> MAC addresses could be faked.
>>
>>> The PXE protocol, as far as I can see, has no concept of authorisation
>>> - although it's certainly possible to introduce it after PXE has done
>>> its bit (but before imaging or whatever).
>>>
>>> You may be better off with authenticating the DHCP using RADIUS, but
>>> it's a complex process which, by its very nature, requires some form of
>>> non-authenticated network access.
>>
>> So the solution might have to be not to use PXE-boot anymore. That would
>> be a pity because it's so convenient.
>>
>
> PXE booting is nothing to do with installing or imaging machines. That
> process is done *after* PXE booting. All the PXE does is to tell the
> ethernet chip where to retrieve the PXE information from and what to
> retrieve, which is then downloaded by TFTP.

I know, and it's still convenient.

> A prerequisite for PXE is DHCP - by the time your device does anything
> with PXE it's already accessed the network and got an IP address and so
> on. There is absolutely no way to prohibit access to your network
> without first allowing the device some access to your network in order
> to authenticate. The normal way around this is to use VLANs to
> segregate "dirty" unauthenticated machines - once it's authenticated it
> is moved onto a different VLAN and a new DHCP request initiated.

Suddenly moving the client to a different VLAN would have the same effect as
unplugging the network cable: it would freeze until the connection is
restored. Otherwise, the server would have to be reachable via several
VLANs, which would make it pointless to use these VLANs.

> There's lots of information on this on the net - Google for something
> like 'PXE RADIUS' or 'PXE 802.1x' (hint: everyone uses VLANs).

Ok.
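The point made above, that a PXE client acts on whatever DHCP answer it gets before any authentication has happened, is something a defender can at least watch for on the "dirty" VLAN. The following is an added example, not code from anyone in this thread: it parses a raw DHCP message for the fields a PXE client uses (siaddr/next-server, the bootfile, options 54, 66 and 67) and flags an OFFER or ACK whose boot source is not on an approved list. The packet bytes are constructed for the demonstration and the approved-server set is an assumption.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options field

def parse_dhcp(packet: bytes) -> dict:
    """Extract the fields a PXE client acts on from a raw BOOTP/DHCP message:
    siaddr (next-server), the fixed 'file' field, and options 53, 54, 66, 67."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = {"siaddr": str(ipaddress.IPv4Address(packet[20:24])),
         "file": packet[108:236].split(b"\x00", 1)[0].decode("ascii", "replace")}
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:           # 255 = END option
        if packet[i] == 0:                                 # 0 = PAD, has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    f["msg_type"] = opts[53][0] if 53 in opts else 0
    f["server_id"] = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None
    f["tftp_server"] = opts[66].decode("ascii", "replace") if 66 in opts else None
    f["bootfile"] = opts[67].decode("ascii", "replace") if 67 in opts else f["file"]
    return f

def check_offer(packet: bytes, approved: set) -> list:
    """Findings for a DHCPOFFER/DHCPACK that points a PXE client at a boot
    source outside the approved set (assumed list). Empty list = nothing to report."""
    f = parse_dhcp(packet)
    if f["msg_type"] not in (2, 5):          # 2 = OFFER, 5 = ACK; others carry no boot info
        return []
    findings = []
    for label in ("server_id", "siaddr", "tftp_server"):
        value = f[label]
        if value and value != "0.0.0.0" and value not in approved:
            findings.append(f"{label} {value} is not an approved boot server")
    return findings

def build_offer(server: str, bootfile: str, tftp_option: str = None) -> bytes:
    """Constructed sample DHCPOFFER (not a capture) used to exercise the checks."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)   # op=BOOTREPLY
    addrs = b"\x00" * 8 + ipaddress.IPv4Address(server).packed + b"\x00" * 4  # ciaddr,yiaddr,siaddr,giaddr
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10
    sname, fil = b"\x00" * 64, bootfile.encode().ljust(128, b"\x00")
    opts = bytes([53, 1, 2, 54, 4]) + ipaddress.IPv4Address(server).packed
    if tftp_option:
        t = tftp_option.encode()
        opts += bytes([66, len(t)]) + t
    return hdr + addrs + chaddr + sname + fil + MAGIC_COOKIE + opts + b"\xff"
```

Running `check_offer` over DHCP replies captured on the unauthenticated VLAN gives an alert for any boot server that is not the one you operate, which is the residual risk the thread describes once clients are on the network before 802.1x.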