[CentOS] RADIUS

hw hw at gc-24.de
Fri Feb 23 14:16:50 UTC 2018


Pete Biggs wrote:
> 
>> MAC addresses could be faked.
>>
>>> The PXE protocol, as far as I can see, has no concept of authorisation
>>> - although it's certainly possible to introduce it after PXE has done
>>> its bit (but before imaging or whatever).
>>>
>>> You may be better off with authenticating the DHCP using RADIUS, but
>>> it's a complex process which, by its very nature, requires some form of
>>> non-authenticated network access.
>>
>> So the solution might have to be not to use PXE-boot anymore.  That would
>> be a pity because it's so convenient.
>>
> 
> PXE booting is nothing to do with installing or imaging machines. That
> process is done *after* PXE booting. All the PXE does is to tell the
> ethernet chip where to retrieve the PXE information from and what to
> retrieve, which is then downloaded by TFTP.

I know, and it's still convenient.

> A prerequisite for PXE is DHCP - by the time your device does anything
> with PXE it's already accessed the network and got an IP address and so
> on. There is absolutely no way to prohibit access to your network
> without first allowing the device some access to your network in order
> to authenticate. The normal way around this is to use VLANs to
> segregate "dirty" unauthenticated machines - once it's authenticated it
> is moved onto a different VLAN and a new DHCP request initiated.

Suddenly moving the client to a different VLAN would have the same effect as
unplugging the network cable:  it would freeze until the connection is restored.
Otherwise, the server would have to be reachable via several VLANs, which would
make it pointless to use these VLANs.

> There's lots of information on this on the net - Google for something
> like 'PXE RADIUS' or 'PXE 802.1x' (hint: everyone uses VLANs).

Ok.
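The 802.1X/RADIUS mechanism Pete Biggs refers to above, as an added example that is not part of this thread: the switch (the 802.1X authenticator) sends an Access-Request for the port, and the RADIUS server's Access-Accept carries three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = the VLAN id, as specified in RFC 3580) that tell the switch which VLAN to put the port on. An Access-Reject carries none, so the port stays on whatever the switch is configured to do for unauthenticated hosts, typically the "dirty" VLAN where PXE clients first land. The Python below builds such a response on the server side, verifies the Response Authenticator as the switch must before acting on it, and decodes the VLAN. The shared secret, VLAN 100 and the attribute tag value 1 are assumptions for illustration, not values from the list post.

```python
"""Build, verify and decode the RADIUS Access-Accept that moves an 802.1X port
onto a VLAN. Packet layout per RFC 2865, tunnel attributes per RFC 2868,
VLAN usage per RFC 3580. Secret, VLAN 100 and tag 1 are hypothetical values."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_TUNNEL_TYPE = 64              # RFC 2868 section 3.1
ATTR_TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 section 3.2
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 section 3.6
TUNNEL_TYPE_VLAN = 13              # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6         # RFC 3580 section 3.31
HEADER_LEN = 20                    # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a switch needs to place the port on vlan_id.
    Tunnel attributes start with a Tag octet; the integer ones then carry a
    3-octet value, the group id carries the VLAN as a string (RFC 2868)."""
    tag_byte = struct.pack("!B", tag)
    return (_attr(ATTR_TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(ATTR_TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii")))


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attributes: bytes) -> bytes:
    """Server side: Access-Accept/Reject answering the request with this Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    # Response Authenticator (RFC 2865 section 3):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Switch side: check the Response Authenticator before acting on the packet.
    Without this, a spoofed UDP reply could hand out VLAN assignments."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(data: bytes) -> list:
    """Walk the TLV list strictly; a bad Length is an error, not a guess."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def _untag(value: bytes) -> bytes:
    """Strip the Tag octet; a first octet above 0x1F is data, not a tag (RFC 2868)."""
    return value[1:] if value and value[0] <= 0x1F else value


def assigned_vlan(packet: bytes) -> Optional[int]:
    """What the switch applies: the VLAN id from an Access-Accept, else None.
    None means the port stays on the switch's default for unauthenticated hosts."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    attrs = dict(parse_attributes(packet[HEADER_LEN:]))
    try:
        tunnel_type = int.from_bytes(_untag(attrs[ATTR_TUNNEL_TYPE]), "big")
        medium = int.from_bytes(_untag(attrs[ATTR_TUNNEL_MEDIUM_TYPE]), "big")
        group_id = _untag(attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")
    except KeyError:
        return None
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None  # RFC 3580: ignore tunnel attributes that are not VLAN over 802
    return int(group_id) if group_id.isdigit() else None


if __name__ == "__main__":
    secret = b"testing123"     # hypothetical shared secret between switch and server
    req_auth = os.urandom(16)  # the Request Authenticator the switch sent
    accept = build_response(ACCESS_ACCEPT, 0x2A, req_auth, secret, vlan_attributes(100))
    print("accept valid:", verify_response(accept, req_auth, secret), "vlan:", assigned_vlan(accept))
    reject = build_response(ACCESS_REJECT, 0x2A, req_auth, secret, b"")
    print("reject valid:", verify_response(reject, req_auth, secret), "vlan:", assigned_vlan(reject))
```

The Response Authenticator is what stops a third party on the management network from forging the Accept; the shared secret never travels on the wire. Deployments that authenticate with EAP additionally add the Message-Authenticator attribute (RFC 3579), which this example leaves out. Once the switch applies the VLAN, the client only sees a link change and has to obtain a new DHCP lease on the new VLAN, which is the re-request step mentioned above.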


