[CentOS] RADIUS

Fri Feb 23 10:33:08 UTC 2018
hw <hw at gc-24.de>

John Hodrien wrote:
> On Thu, 22 Feb 2018, hw wrote:
> 
>> That seems neither useful, nor feasible for customers wanting to use the
>> wireless network we would set up for them with their cell phones.  Are cell
>> phones even capable of this kind of authentication?
> 
> Yes, entirely capable.  WPA2-Enterprise isn't some freakish and unusual
> solution.

Ok, so it would at least be possible.

> https://www.eduroam.org/
> 
> I configure wireless once on my device (phone/tablet/laptop) and then can
> travel to institutions all round the world and use their networks seamlessly.
> How useless and infeasible indeed.

Well, this country is almost the worst of all countries around the world when
it comes to internet access.  Though they list a few locations here where you
supposedly could use their service, I wouldn't expect anything.  Then there's
the question of protecting your privacy.  For example, how much do they pay you
for allowing them to keep track of your travels?

In any case, it wouldn't do our customers any good because there aren't places
all over the world where they could use our network.

>> Anyway, there are some clients that can probably authenticate, which leaves
>> the ones that use PXE boot.  I tried things out with a switch, and it would
>> basically work.  If it makes sense to go any further with this and how now
>> needs to be determined ...
> 
> A client that can't authenticate gets the network it's provided with by being
> unauthenticated.  If an unauthenticated client can't have any network access,
> that's what they get.  Presumably you could drop an unauthenticated machine
> into a different VLAN.

That would be a problem because clients using PXE-boot require network access,
and it wouldn't contribute to security if unauthorized clients were allowed to
PXE-boot.