Wed Mar 7 17:48:38 UTC 2018
hw <hw at gc-24.de>

Gordon Messmer wrote:
> On 03/01/2018 03:06 AM, hw wrote:
>>> It is illogical to lump all network access together into a single category.
>> ...
>>> If your device can communicate with a switch, even for the purpose of authenticating, then it has network access.
>> The device has access to the switch which, depending on what answer to an
>> authentication request it gets from a RADIUS server, decides if and how it
>> lets the device access the network.
> You're still lumping networks into a single category.
> Not "the" network, but "a" network.

There is only one network here.

> Unauthenticated clients are, by definition connected to A network consisting of the device and the switch.  They might also be connected to a network consisting of the device, a switch, and a TFTP server that provides the boot image to the client.  And since there is nothing else on that network, other than a read-only TFTP server that your devices require in order to boot, it's difficult to understand why you think there is a security risk here.

Let me quote:

"the RADIUS protocol serves three primary functions:

• Authenticates users or devices before allowing them access to a network"[1]

Why would I give access to a network consisting of an unauthorized device,
a switch and a TFTP server to such device and thereby possibly to an attacker?
Can you guarantee that an attacker who can have such a network connection
will not find a way to proceed with an attack?  They can
bring a device that does not PXE boot and is equipped with everything they
might need to perform their attack.

When the only things the devices of attackers can communicate with are switches
or wireless access points which do not give them access to a network (other than
the devices and the switches or access points themselves), it is likely to be more
difficult to perform a successful attack than it is when they get access to a wider
network, like one that involves a server.

[1]: http://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf

> Security is the process of restricting access to a resource to only the devices and persons that require it.  If your devices require a boot image before they can authenticate, then restricting their access to that resource can no longer be described as "security."

That's kinda what I said.

>>>>> Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?
>>>> They might get it from employees of the store or read it from signs
>>>> inside the store, perhaps depending on what kind of access rights they
>>>> are supposed to have.
>>> If you're sharing passwords, then you don't need RADIUS.  Set up separate SSIDs that are attached to VLANs with appropriate access levels, and continue using WPA2 Personal.  Using RADIUS will be no more secure than that.  It's not magic.
>> Right, but what about keeping track of customers?  Apparently RADIUS has some
>> accounting features, and it might be an advantage to use those.
> It does, but you will get exactly the same information using WPA2 Personal that you will from WPA2 Enterprise and RADIUS.  "A client connected to the WAP at such and such time.  It disconnected at such and such time."

It might be possible to find out how much data was transferred with accounting.

> If you're sharing passwords, RADIUS is the most complex way to get the information.  You can get the same info by simply logging WAP events to a log server.

Yes, it's very simple to use the same password on all phones of employees and no
password on the wireless for customers.  Logging the events might be enough then.

Somehow that doesn't feel like it is a good solution, but I don't know.
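The point raised above about accounting telling you how much data a client moved, as an added example that is not part of this thread or of the FreeRADIUS project: a small parser for the per-record layout of a FreeRADIUS "detail" accounting file (a timestamp line, tab-indented "Attribute = value" lines, a blank line between records; this layout and the quoting of string values are assumptions here, adjust the regex if your file differs). The sample records, session ids, MAC addresses and byte counts are constructed for the example. It shows the part WAP event logging cannot give you: per-session byte counts from Acct-Input-Octets/Acct-Output-Octets (RFC 2866), including the Gigawords upper halves (RFC 2869) without which a session over 4 GiB is reported wrongly, and it uses the latest Interim-Update for sessions that have no Stop record yet.

```python
import re

# Constructed sample in the layout of a FreeRADIUS detail file (assumption).
# All values (session ids, MACs, byte counts) are made up for this example.
SAMPLE_DETAIL = """\
Wed Mar  7 17:40:12 2018
\tAcct-Session-Id = "5AA02B8C-00000001"
\tAcct-Status-Type = Start
\tUser-Name = "employee-phone-1"
\tCalling-Station-Id = "02-00-00-00-00-01"
\tNAS-IP-Address = 192.0.2.10

Wed Mar  7 17:48:38 2018
\tAcct-Session-Id = "5AA02B8C-00000001"
\tAcct-Status-Type = Stop
\tUser-Name = "employee-phone-1"
\tCalling-Station-Id = "02-00-00-00-00-01"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Time = 506
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 3145728
\tAcct-Input-Gigawords = 0
\tAcct-Output-Gigawords = 1
\tAcct-Terminate-Cause = User-Request

Wed Mar  7 17:49:01 2018
\tAcct-Session-Id = "5AA02B8C-00000002"
\tAcct-Status-Type = Stop
\tUser-Name = "customer-wifi"
\tCalling-Station-Id = "02-00-00-00-00-02"
\tAcct-Session-Time = 120
\tAcct-Input-Octets = 2048
\tAcct-Output-Octets = 8192

Wed Mar  7 17:50:00 2018
\tAcct-Session-Id = "5AA02B8C-00000003"
\tAcct-Status-Type = Interim-Update
\tUser-Name = "customer-wifi"
\tCalling-Station-Id = "02-00-00-00-00-03"
\tAcct-Session-Time = 30
\tAcct-Input-Octets = 512
\tAcct-Output-Octets = 4096
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """One dict per record; the leading timestamp line is kept as "_timestamp"."""
    records = []
    for chunk in re.split(r'\n\s*\n', text.strip()):
        lines = chunk.splitlines()
        rec = {"_timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if not m:
                continue  # tolerate lines that are not attribute/value pairs
            key, val = m.groups()
            # String attributes are written in double quotes, integers bare.
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]
            rec[key] = val
        records.append(rec)
    return records


def _int(rec, name):
    try:
        return int(rec.get(name, 0))
    except ValueError:
        return 0  # malformed counter: count nothing rather than crash


def octets(rec, direction):
    """64-bit byte count: Gigawords holds the upper 32 bits (RFC 2869)."""
    low = _int(rec, f"Acct-{direction}-Octets")
    high = _int(rec, f"Acct-{direction}-Gigawords")
    return (high << 32) + low


def session_usage(records):
    """{Acct-Session-Id: summary}, from the Stop record of each session or,
    for a still-open session, from its most recent Interim-Update (counters
    in interim updates are cumulative for the session)."""
    usage = {}
    for rec in records:
        status = rec.get("Acct-Status-Type")
        sid = rec.get("Acct-Session-Id")
        if status not in ("Stop", "Interim-Update") or sid is None:
            continue
        prev = usage.get(sid)
        if prev and prev["status"] == "Stop":
            continue  # never let a late interim update overwrite the Stop
        usage[sid] = {
            "user": rec.get("User-Name"),
            "mac": rec.get("Calling-Station-Id"),
            "status": status,
            "seconds": _int(rec, "Acct-Session-Time"),
            "bytes_in": octets(rec, "Input"),
            "bytes_out": octets(rec, "Output"),
        }
    return usage


def total_bytes(usage):
    return sum(s["bytes_in"] + s["bytes_out"] for s in usage.values())


if __name__ == "__main__":
    usage = session_usage(parse_detail(SAMPLE_DETAIL))
    for sid, s in usage.items():
        print(f"{sid} {s['user']:16} {s['mac']} {s['status']:14} "
              f"in={s['bytes_in']} out={s['bytes_out']} ({s['seconds']}s)")
    print("total bytes:", total_bytes(usage))
```

Note that the employee session reports about 4.3 GB out, not 3 MB: the Output-Gigawords value of 1 is what makes the difference, and a script that only reads Acct-Output-Octets silently under-reports any session that crossed the 4 GiB boundary.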