[CentOS] RADIUS

hw hw at gc-24.de
Thu Mar 1 13:42:23 UTC 2018 

John Hodrien wrote:
> This is really nothing to do with CentOS anymore, if it ever was.

right

> On Thu, 1 Mar 2018, hw wrote:
> 
>> If PXE boot is not possible because it would require to allow network access
>> to unauthorized devices, or if it is not reasonably feasible because
>> switching the device to a different VLAN after allowing unauthorized access
>> for booting and then providing credentials to authenticate the device (or
>> the user) will result in the device freezing and thus being useless, then
>> that just is so, and I have to deal with it.
> 
> Why would that *have* to result in the device freezing?  You can PXE boot to a
> kernel and initrd that after it's downloaded runs just fine without any
> network access at all.

Like I said, they are x2go clients booting from the x2go server.  Switching
them to another VLAN from where they can´t reach the server is basically the
same as unplugging the network cable, in which case they freeze until the
connection is restored, and giving them access to the server so that they can
boot before they are authorized is useless when I don´t want to allow network
access for unauthorized clients, and it is pointless because they would already
have the access they are supposed to have only after they are authorized.

> There's no requirement for a PXE client to have network access to anything
> other than a VLAN with a boot server that provides it with a boot image.  You
> can obviously add on frippery that only recognises approved MACs for even this
> if you feel the need.

Sure, but how great may the lengths be you can go before it is not reasonably
feasible to do what you´re doing?

>> Right, but what about keeping track of customers?  Apparently RADIUS has
>> some accounting features, and it might be an advantage to use those.
> 
> I really don't get why you want WPA2 Enterprise for this setup.  There's a
> reason why almost everyone uses captive portals for providing access to lots
> of external users.

I didn´t say I want that, and I don´t know yet what I want.  A captive portal may
be nice, but I haven´t found a way to set one up yet, and I don´t have an access
point controller which would provide one, so I can´t tell if that´s the right
solution.

More information about the CentOS mailing list