[CentOS] RADIUS

hw hw at gc-24.de
Fri Feb 23 13:55:42 UTC 2018


John Hodrien wrote:
> On Fri, 23 Feb 2018, hw wrote:
> 
>> There are devices that are using PXE-boot and require access to the company
>> LAN.  If I was to allow PXE-boot for unauthenticated devices, the whole
>> thing would be pointless because it would defeat any security advantage that
>> could be gained by requiring all devices and users to be authenticated:
>> Anyone could bring a device capable of PXE-booting and get network access.
> 
> I'd hope that you could involve TPM in this game.  PXE to unauthenticated
> VLAN, boot an OS that could then use TPM to pull out a credential to
> authenticate to the network and switch to another VLAN.

Besides that I have no idea how to do this:  When switching over to a different
VLAN, access to the server the client has booted from would go away, and the
client would freeze until the connection is back.  It would be the same effect
as unplugging the network cable.

Those clients are x2go clients, and they boot from the same VM the users work on
via these clients.  I don't think the clients will continue to work when pulling
the connection to the boot device while leaving them connected to the x2go server,
and it would require the x2go server to be reachable via a VLAN that provides
unauthenticated access.

I never used TPM.  Apparently it requires machines supporting it because some
have an entry in their BIOS for it, and you need some sort of unknown hardware
module nobody has.

>> As a customer visiting a store, would you go to the lengths of configuring
>> your cell phone (or other wireless device) to authenticate with a RADIUS
>> server in order to gain internet access through the wireless network of the
>> store?
> 
> No, I'd never offer wireless network access this way.  Typically, you either
> offer it unauthenticated, or you provide it via a captive web portal.

Would you consider a captive portal as user friendly?
