[CentOS] RADIUS

Tue Feb 27 16:21:31 UTC 2018
hw <hw at gc-24.de>

Gordon Messmer wrote:
> On 02/23/2018 03:22 AM, hw wrote:
>> I'm not sure how to imagine it.  It would be nice if every device connecting to
>> the network, wirelessly or otherwise, had to be authenticated --- and not only
>> the device, but also the user(s) using it.
> 
> https://www.networkworld.com/article/2940463/it-skills-training/machine-authentication-and-user-authentication.html
> 
> I've never seen anyone actually do this, but there's an article discussing it.  It is noteworthy that this requires enforcement in the client OS, as well as the switch.

The article itself says that what it is describing only works within a
Windoze world.  It doesn't apply at all here.

>> There are devices that are using PXE-boot and require access to the company LAN.
>> If I was to allow PXE-boot for unauthenticated devices, the whole thing would be
>> pointless because it would defeat any security advantage that could be gained by
>> requiring all devices and users to be authenticated: Anyone could bring a device
>> capable of PXE-booting and get network access.
> 
> You don't seem to understand the suggestions you're being given.
> 
> An unauthenticated device should be placed on a VLAN with appropriate access.  If you have devices that need to PXE boot before authenticating, then you should have a VLAN that gives them DHCP service, DNS, and tftp to boot an OS.  That VLAN shouldn't have access to the protected company resources, and it doesn't have to have Internet access either.

I understand that it is suggested that I should give all unauthorized devices
network access (so that they can PXE boot or whatever), which is what I
don't want to do.

IIUC, when using RADIUS, devices can be denied network access before they
get any because the switch or wireless access point the devices use to get
network access negotiates access rights for the devices on behalf of the
devices with the RADIUS server, rather than the devices being given
network access to negotiate their access rights themselves.  That's supposed
to provide better security, and it makes sense to me.

Hence allowing unauthorized devices network access (to PXE boot and then to
negotiate further access rights --- or whatever) doesn't make any sense.

I also understand that it may be possible that there is a variety of PXE boot
which addresses this problem by allowing devices to authenticate before they
boot.  However, some of the devices in question are likely too old to support
this.

> Once the system boots, the users can authenticate themselves, which will move the device onto a VLAN with access appropriate for an authenticated user.

Like I said in other posts, that's probably not possible because when you
cut the clients off from access to the server they booted from by moving them
into a different VLAN, they will simply freeze until the connection is restored.

>>> Well, I guess I'm confused because having explained where you'd find the interface in which users will provide their RADIUS username and password, you think this process is unfeasible.  Perhaps you could explain what you're looking for, more precisely?
>>
>> As a customer visiting a store, would you go to the lengths of configuring your
>> cell phone (or other wireless device) to authenticate with a RADIUS server in
>> order to gain internet access through the wireless network of the store?
> 
> Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?

They might get it from employees of the store or read it from signs
inside the store, perhaps depending on what kind of access rights they
are supposed to have.

> I'm not sure I understand the use case you're describing.  I'm not sure you do, either.

Right --- that's why I was asking for documentation about how RADIUS can
actually be used rather than documentation only saying that it can be used
but not how.  You can't very well design a use case for a particular software
when you do not know what the software is capable of and if it is applicable
at all, and you cannot very well design the use case when you don't even know
if what you might want is possible.  Yet you need to start somewhere to get
somewhere.

Imagine you want to ride a horse and don't know anything about horses.  You
look for documentation about horses, and the only documentation you can find
tells you that horses exist, how to get one and that they can be used for
riding.  How helpful is that?

I'm merely asking how to ride the darn horses.  Perhaps I'm better off with a
car, but I can't tell before I know how to ride horses.
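As an added illustration of the model discussed in this thread (the switch or access point asks the RADIUS server on the device's behalf, and the RADIUS reply decides which VLAN the port lands in), here is a constructed FreeRADIUS `users` file fragment; it is not from any poster and the user name, password and VLAN numbers are made up:

```text
# /etc/raddb/users  (FreeRADIUS "users" file; constructed example)
#
# A supplicant that completes 802.1X as "alice" gets Access-Accept, and the
# reply carries the RFC 3580 tunnel attributes that tell an 802.1X-capable
# switch or access point to place the port in VLAN 100, the "authenticated"
# VLAN with access to the protected company resources.
alice   Cleartext-Password := "s3cret-example"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"

# Anything that does not match an entry above is rejected.  The switch then
# applies its own guest / auth-fail VLAN (configured on the switch, not in
# RADIUS), which is where a DHCP/DNS/TFTP-only PXE boot network belongs:
# unauthenticated devices never see the protected VLAN at all.
DEFAULT Auth-Type := Reject
```

With the stock `localhost` client in `clients.conf` (secret `testing123`), `radtest alice s3cret-example 127.0.0.1 0 testing123` should return an Access-Accept carrying the three Tunnel-* attributes, while any other user name gets an Access-Reject.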