[CentOS] RADIUS

Fri Feb 23 12:02:53 UTC 2018
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Fri, 23 Feb 2018, hw wrote:

> There are devices that are using PXE-boot and require access to the company
> LAN.  If I was to allow PXE-boot for unauthenticated devices, the whole
> thing would be pointless because it would defeat any security advantage that
> could be gained by requiring all devices and users to be authenticated:
> Anyone could bring a device capable of PXE-booting and get network access.

I'd hope that you could involve TPM in this game.  PXE to unauthenticated
VLAN, boot an OS that could then use TPM to pull out a credential to
authenticate to the network and switch to another VLAN.

> As a customer visiting a store, would you go to the lengths of configuring
> your cell phone (or other wireless device) to authenticate with a RADIUS
> server in order to gain internet access through the wireless network of the
> store?

No, I'd never offer wireless network access this way.  Typically, you either
offer it unauthenticated, or you provide it via a captive web portal.

jh