[CentOS] RADIUS

Fri Feb 23 15:27:00 UTC 2018
hw <hw at gc-24.de>

Pete Biggs wrote:
> 
>>
>>> A prerequisite for PXE is DHCP - by the time your device does anything
>>> with PXE it's already accessed the network and got an IP address and so
>>> on. There is absolutely no way to prohibit access to your network
>>> without first allowing the device some access to your network in order
>>> to authenticate. The normal way around this is to use VLANs to
>>> segregate "dirty" unauthenticated machines - once it's authenticated it
>>> is moved onto a different VLAN and a new DHCP request initiated.
>>
>> Suddenly moving the client to a different VLAN would have the same effect as
>> unplugging the network cable:  it would freeze until the connection is restored.
>> Otherwise, the server would have to be reachable via several VLANs, which would
>> make it pointless to use these VLANs.
> 
> It depends on at which point you switch VLANs. If you use authenticated
> DHCP then the process is to get an IP address on a dirty VLAN,
> authenticate, switch VLAN, get a new IP address, boot to PXE.  There
> are extensions in the DHCP protocol to accommodate this.

Like using MAC addresses?

> It's also possible that the PXE environment can deal with the
> authentication - PXE runs solely on the local machine, so it doesn't
> care about VLANs changing so long as when it wants to do something it
> has a valid IP address for the VLAN it is assigned to.
> 
> And at this point, I think this is no longer CentOS related.  If you
> can't find out what you need on the net, you need to hire a network
> consultant to deal with it.  Asking a zillion random questions on a
> mailing list just because you can't find or understand the information
> elsewhere and fighting against the answers you are given is not very
> productive for anyone.

This hasn't been CentOS related to begin with, and I didn't ask for a
discussion but only for a pointer to documentation.  My questions are
not random, and perhaps the mailing list should better be closed so
no one can ask anything.