[CentOS] RADIUS

Tue Feb 27 21:03:27 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 02/27/2018 08:21 AM, hw wrote:
> Gordon Messmer wrote:
>> I've never seen anyone actually do this, but there's an article 
>> discussing it.  It is noteworthy that this requires enforcement in 
>> the client OS, as well as the switch.
>
> The article itself says that what it is describing only works within a
> Windoze world.

That's what I said.

(Also, "Windoze"?  Can we at least pretend to be a community of 
professionals?)

> I understand that it is suggested that I should give all unauthorized
> devices network access (so that they can PXE boot or whatever), which
> is what I don't want to do.

It is illogical to lump all network access together into a single category.

If your device can communicate with a switch, even for the purpose of 
authenticating, then it has network access.

A device cannot authenticate if the processor is idle.  The processor 
needs software in order to authenticate.  If that software resides on a 
TFTP server, rather than a locally attached storage device, then the 
device needs limited network access to retrieve the software (after 
which it runs the software, authenticates the user or the device, and 
receives greater levels of network access.)

Providing a VLAN on which there are no private resources, and no 
Internet access, may be a required component if you have devices that 
boot via PXE.  Honestly, people are trying to help you, but you are 
placing logically contradictory requirements on the project.

> I also understand that it may be possible that there is a variety of
> PXE boot which addresses this problem by allowing devices to
> authenticate before they boot.  However, some of the devices in
> question are likely too old to support this.

The device needs to have software adequate to authenticate itself or its 
user.  It's logically possible to run software from some local storage, 
authenticate, retrieve a new software image from PXE, and then chainload 
that.  If you don't have a device that does that, specifically, then you 
need to provide a VLAN that supports the devices you DO have.

>> Where do your hypothetical customers in a store get the user 
>> credentials that you want to authenticate via RADIUS?
>
> They might get it from employees of the store or read it from signs
> inside the store, perhaps depending on what kind of access rights they
> are supposed to have.

If you're sharing passwords, then you don't need RADIUS.  Set up 
separate SSIDs that are attached to VLANs with appropriate access 
levels, and continue using WPA2 Personal.  Using RADIUS will be no more 
secure than that.  It's not magic.

> Imagine you want to ride a horse and don't know anything about horses.
> You look for documentation about horses, and the only documentations
> you can find are telling you that horses exist, how to get one and
> that they can be used for riding.  How helpful is that?

Imagine that someone is trying to help you learn to ride horses, and you 
spend all of your time complaining that you think animals are dirty.  
How helpful is that?
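The flow described above (a restricted VLAN for ports that have not
authenticated, then a broader VLAN once the supplicant has authenticated)
is what 802.1X with dynamic VLAN assignment does in practice.  The
following is an added example, not from this thread or from the FreeRADIUS
project: a FreeRADIUS 3.x "users" file (on CentOS normally
/etc/raddb/users) that answers successful authentications with the
RFC 3580 tunnel attributes a switch uses to move the port into a VLAN.
The hostnames, passwords and VLAN numbers are hypothetical.

```conf
# Added example (not from the thread): FreeRADIUS 3.x users file showing
# dynamic VLAN assignment.  Identities, secrets and VLAN IDs are invented.
#
# The switch port stays in whatever restricted VLAN the switch itself
# assigns to unauthenticated ports (its "guest VLAN", configured on the
# switch, not here) until a supplicant authenticates.  On Access-Accept
# the three Tunnel-* attributes below (RFC 3580) tell the switch which
# VLAN to put the port into.

# A kiosk or point-of-sale device authenticating with a device identity
# gets the POS VLAN (hypothetical VLAN 20).
"host/kiosk01.example.com"   Cleartext-Password := "kiosk-secret-01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Reply-Message = "POS VLAN"

# A staff user gets the internal VLAN (hypothetical VLAN 10).
"jdoe"   Cleartext-Password := "staff-secret"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Reply-Message = "staff VLAN"

# Any identity not listed above is rejected.  A rejected port does NOT
# get one of the VLANs above; what it can reach is decided entirely by
# the switch's guest-VLAN / auth-fail-VLAN settings.
DEFAULT   Auth-Type := Reject
        Reply-Message = "unknown identity"
```

Two caveats a practitioner will want.  First, the "no network access
until authenticated" part cannot be expressed in RADIUS at all: a device
with no supplicant (a bare PXE ROM) never sends EAPOL, so the switch
times out and, if configured to, drops the port into its guest VLAN.  On
Cisco IOS that is, for example, "authentication event no-response action
authorize vlan 99" on the interface (older images use "dot1x guest-vlan
99"); the VLAN number is hypothetical.  That timeout (tx-period times the
retry count) is often longer than a PXE ROM's DHCP retry window, so
shorten it on PXE ports or the device will give up before it is ever
granted the guest VLAN.  Second, Cleartext-Password entries in a flat file
are for illustration; in production the identities would come from an
LDAP or AD backend and device authentication would use EAP-TLS
certificates rather than shared secrets.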