Fri Mar 2 02:56:07 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 03/01/2018 03:06 AM, hw wrote:
>> It is illogical to lump all network access together into a single 
>> category.
> ...
>> If your device can communicate with a switch, even for the purpose of 
>> authenticating, then it has network access.
> The device has access to the switch which, depending on what answer to an
> authentication request it gets from a RADIUS server, decides if and how it
> lets the device access the network.

You're still lumping networks into a single category.

Not "the" network, but "a" network.

Unauthenticated clients are, by definition, connected to A network 
consisting of the device and the switch.  They might also be connected 
to a network consisting of the device, a switch, and a TFTP server that 
provides the boot image to the client.  And since there is nothing else 
on that network, other than a read-only TFTP server that your devices 
require in order to boot, it's difficult to understand why you think 
there is a security risk here.

Security is the process of restricting access to a resource to only the 
devices and persons that require it.  If your devices require a boot 
image before they can authenticate, then restricting their access to 
that resource can no longer be described as "security."

>>>> Where do your hypothetical customers in a store get the user 
>>>> credentials that you want to authenticate via RADIUS?
>>> They might get it from employees of the store or read it from signs
>>> inside the store, perhaps depending on what kind of access rights they
>>> are supposed to have.
>> If you're sharing passwords, then you don't need RADIUS.  Set up 
>> separate SSIDs that are attached to VLANs with appropriate access 
>> levels, and continue using WPA2 Personal.  Using RADIUS will be no 
>> more secure than that.  It's not magic.
> Right, but what about keeping track of customers?  Apparently RADIUS has some
> accounting features, and it might be an advantage to use those.

It does, but you will get exactly the same information using WPA2 
Personal that you will from WPA2 Enterprise and RADIUS.  "A client 
connected to the WAP at such and such time.  It disconnected at such and 
such time."

If you're sharing passwords, RADIUS is the most complex way to get the 
information.  You can get the same info by simply logging WAP events to 
a log server.
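As an added illustration of that last point (this is example code written for this archive page, not code from Gordon's message or from any WAP vendor): a small Python script that takes association and disassociation events as a log server might receive them from an access point and turns them into per-client session records, which is the same "connected at such and such time, disconnected at such and such time" information RADIUS accounting would give you. The log lines below are constructed for the example and the line format is an assumption (a hostapd-style syslog line carrying the client MAC and an "associated"/"disassociated" keyword); real firmware wording varies, so the regular expression is the part you would adapt.

```python
import re
from datetime import datetime

# Constructed sample: syslog-style lines as a log server might receive them
# from a WAP. The exact wording is assumed; vendors differ.
SAMPLE_LOG = """\
2018-03-01T09:02:11Z wap-lobby hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
2018-03-01T09:02:12Z wap-lobby hostapd: wlan0: STA 66:77:88:99:aa:bb IEEE 802.11: associated
2018-03-01T09:10:00Z wap-lobby kernel: unrelated message that should be ignored
2018-03-01T09:15:40Z wap-lobby hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: disassociated
2018-03-01T09:30:00Z wap-lobby hostapd: wlan0: STA 66:77:88:99:aa:bb IEEE 802.11: disassociated
2018-03-01T09:31:05Z wap-lobby hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
"""

# Assumed line layout: "<timestamp> <ap> hostapd: <iface>: STA <mac> IEEE 802.11: <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+hostapd: \S+: STA (?P<mac>[0-9a-fA-F:]{17}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated)$"
)


def parse_line(line):
    """Return (timestamp, ap, mac, event) for a WAP event line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ap"], m["mac"].lower(), m["event"]


def sessions_from_log(text):
    """Pair each association with the next disassociation of the same client.

    Returns a list of dicts with mac, ap, start, end and seconds. A session
    that is still open when the log ends has end=None and seconds=None.
    """
    open_sessions = {}   # mac -> (ap, start time)
    sessions = []

    def close(mac, ap, start, end):
        secs = int((end - start).total_seconds()) if end is not None else None
        sessions.append({"mac": mac, "ap": ap, "start": start, "end": end, "seconds": secs})

    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a WAP association event
        ts, ap, mac, event = parsed
        if event == "associated":
            # A second association with no disassociation in between (lost log
            # line, AP reboot) closes the earlier session with an unknown end.
            if mac in open_sessions:
                prev_ap, prev_start = open_sessions.pop(mac)
                close(mac, prev_ap, prev_start, None)
            open_sessions[mac] = (ap, ts)
        else:
            entry = open_sessions.pop(mac, None)
            if entry is None:
                continue  # disassociation we never saw the start of
            close(mac, entry[0], entry[1], ts)

    # Clients still connected when the log ends.
    for mac, (ap, start) in open_sessions.items():
        close(mac, ap, start, None)
    return sessions


def client_summary(sessions):
    """Per-client session count and total connected seconds (closed sessions only)."""
    summary = {}
    for s in sessions:
        count, total = summary.get(s["mac"], (0, 0))
        summary[s["mac"]] = (count + 1, total + (s["seconds"] or 0))
    return summary


if __name__ == "__main__":
    for s in sessions_from_log(SAMPLE_LOG):
        end = s["end"].isoformat() if s["end"] else "still connected"
        print(f'{s["mac"]} on {s["ap"]}: {s["start"].isoformat()} -> {end}')
    for mac, (count, total) in client_summary(sessions_from_log(SAMPLE_LOG)).items():
        print(f"{mac}: {count} session(s), {total} s connected")
```

The only "accounting" a shared-password network can give you is the MAC address and the connect/disconnect times, which is exactly what this reconstructs; whether you get it from RADIUS Accounting-Request packets or from forwarded AP syslog, the data is the same.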