[CentOS] RADIUS

hw hw at gc-24.de
Fri Feb 23 11:25:17 UTC 2018


Richard Grainger wrote:
> On Fri, Feb 23, 2018 at 10:33 AM, hw <hw at gc-24.de> wrote:
> 
>> That would be a problem because clients using PXE-boot require network access,
>> and it wouldn't contribute to security if unauthorized clients were allowed to
>> PXE-boot.
> 
> Two solutions to this:
> 
> 1. Enable "exception by MAC address": only known MAC addresses get put
> onto the PXE boot VLAN. Other unauthenticated clients go onto a "no
> access" VLAN (many places make this the same VLAN as the guest WiFi
> VLAN with internet access only, sometimes with a captive portal).
> Authenticated clients go onto the corporate VLAN.
> 2. (This can be in addition to or instead of 1.) The PXE server itself
> will only serve known MAC addresses and/or requires a token/password
> to initiate the install.  Regardless, there's not huge utility to
> installing your personal machine with a corporate build from a PXE
> server, which you then can't use because you don't have corporate
> credentials, but I suppose it may have some risk with regards to
> software licensing or builds containing other stuff you don't want
> strangers to access, so lockdowns can't hurt.

But MAC addresses can be faked, can't they?


