[CentOS] RADIUS

Fri Feb 23 10:47:57 UTC 2018
Richard Grainger <grainger at gmail.com>

On Fri, Feb 23, 2018 at 10:33 AM, hw <hw at gc-24.de> wrote:

> That would be a problem because clients using PXE-boot require network
> access, and it wouldn't contribute to security if unauthorized clients were
> allowed to PXE-boot.

Two solutions to this:

1. Enable "exception by MAC address": only known MAC addresses get put
onto the PXE boot VLAN. Other unauthenticated clients go onto a "no
access" VLAN (many places make this the same VLAN as the guest WiFi
VLAN with internet access only, sometimes with a captive portal).
Authenticated clients go onto the corporate VLAN.
2. (This can be in addition to or instead of 1.)  The PXE server itself
will only serve known MAC addresses and/or requires a token/password
to initiate the install.  Regardless, there's not huge utility to
installing your personal machine with a corporate build from a PXE
server, which you then can't use because you don't have corporate
credentials, but I suppose it may have some risk with regards to
software licensing or builds containing other stuff you don't want
strangers to access, so lockdowns can't hurt.

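
Added example, not part of the original message: a sketch of the VLAN decision from solution 1 and of the RFC 3580 tunnel attributes a RADIUS server returns to the switch to assign that VLAN. The VLAN IDs, MAC addresses and function names are assumptions made up for illustration.

```python
import re
import struct

# Constructed sample policy; VLAN IDs and MAC addresses are placeholders.
PXE_VLAN, CORPORATE_VLAN, NO_ACCESS_VLAN = 30, 10, 99
KNOWN_PXE_MACS = {"525400aabb01", "525400aabb02"}


def normalize_mac(raw):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to 12 lowercase hex digits.

    Switches differ in how they format Calling-Station-Id, so the lookup
    must not depend on separators or case. Returns None if not a MAC.
    """
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def choose_vlan(calling_station_id, dot1x_authenticated):
    """Authenticated -> corporate, known MAC -> PXE VLAN, else no-access."""
    if dot1x_authenticated:
        return CORPORATE_VLAN
    mac = normalize_mac(calling_station_id)
    # A MAC is a value the client asserts, so the PXE VLAN should carry
    # only what an install needs (see solution 2 in the message).
    if mac is not None and mac in KNOWN_PXE_MACS:
        return PXE_VLAN
    return NO_ACCESS_VLAN  # default deny: unknown or malformed input


def vlan_attributes(vlan_id):
    """Encode the RFC 3580 VLAN-assignment attributes as RADIUS AVP bytes."""
    # Tunnel-Type (64): length 6, tag 0, 3-byte value 13 = VLAN
    tunnel_type = struct.pack("!BBB", 64, 6, 0) + (13).to_bytes(3, "big")
    # Tunnel-Medium-Type (65): length 6, tag 0, 3-byte value 6 = IEEE-802
    medium_type = struct.pack("!BBB", 65, 6, 0) + (6).to_bytes(3, "big")
    # Tunnel-Private-Group-ID (81): VLAN ID as an ASCII string, sent without
    # a tag byte (a first byte above 0x1F is read as string data).
    vid = str(vlan_id).encode("ascii")
    group_id = struct.pack("!BB", 81, 2 + len(vid)) + vid
    return tunnel_type + medium_type + group_id


if __name__ == "__main__":
    for csid, authed in [("52:54:00:AA:BB:01", False), ("de-ad-be-ef-00-01", False)]:
        vlan = choose_vlan(csid, authed)
        print(csid, "-> VLAN", vlan, vlan_attributes(vlan).hex())
```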