[CentOS] RADIUS

Fri Feb 23 14:47:59 UTC 2018
Pete Biggs <pete at biggs.org.uk>

> > A prerequisite for PXE is DHCP - by the time your device does anything
> > with PXE it's already accessed the network and got an IP address and so
> > on. There is absolutely no way to prohibit access to your network
> > without first allowing the device some access to your network in order
> > to authenticate. The normal way around this is to use VLANs to
> > segregate "dirty" unauthenticated machines - once it's authenticated it
> > is moved onto a different VLAN and a new DHCP request initiated.
> 
> Suddenly moving the client to a different VLAN would have the same effect as
> unplugging the network cable:  it would freeze until the connection is restored.
> Otherwise, the server would have to be reachable via several VLANs, which would
> make it pointless to use these VLANs.

It depends on at which point you switch VLANs. If you use authenticated
DHCP then the process is to get an IP address on a dirty VLAN,
authenticate, switch VLAN, get a new IP address, boot to PXE.  There
are extensions in the DHCP protocol to accommodate this.

It's also possible that the PXE environment can deal with the
authentication - PXE runs solely on the local machine, so it doesn't
care about VLANs changing so long as when it wants to do something it
has a valid IP address for the VLAN it is assigned to.

And at this point, I think this is no longer CentOS related.  If you
can't find out what you need on the net, you need to hire a network
consultant to deal with it.  Asking a zillion random questions on a
mailing list just because you can't find or understand the information
elsewhere and fighting against the answers you are given is not very
productive for anyone.

P.