[CentOS] RADIUS
Gordon Messmer
gordon.messmer at gmail.com
Fri Mar 2 02:56:07 UTC 2018
On 03/01/2018 03:06 AM, hw wrote:
>
>> It is illogical to lump all network access together into a single
>> category.
> ...
>> If your device can communicate with a switch, even for the purpose of
>> authenticating, then it has network access.
>
> The device has access to the switch which, depending on what answer to an
> authentication request it gets from a RADIUS server, decides if and
> how it lets the device access the network.
You're still lumping networks into a single category.
Not "the" network, but "a" network.
Unauthenticated clients are, by definition, connected to A network
consisting of the device and the switch. They might also be connected
to a network consisting of the device, a switch, and a TFTP server that
provides the boot image to the client. And since there is nothing else
on that network, other than a read-only TFTP server that your devices
require in order to boot, it's difficult to understand why you think
there is a security risk here.
Security is the process of restricting access to a resource to only the
devices and persons that require it. If your devices require a boot
image before they can authenticate, then restricting their access to
that resource can no longer be described as "security."
>>>> Where do your hypothetical customers in a store get the user
>>>> credentials that you want to authenticate via RADIUS?
>>>
>>> They might get it from employees of the store or read it from signs
>>> inside the store, perhaps depending on what kind of access rights they
>>> are supposed to have.
>>
>> If you're sharing passwords, then you don't need RADIUS. Set up
>> separate SSIDs that are attached to VLANs with appropriate access
>> levels, and continue using WPA2 Personal. Using RADIUS will be no
>> more secure than that. It's not magic.
>
> Right, but what about keeping track of customers? Apparently RADIUS
> has some accounting features, and it might be an advantage to use those.
It does, but you will get exactly the same information using WPA2
Personal that you will from WPA2 Enterprise and RADIUS. "A client
connected to the WAP at such and such time. It disconnected at such and
such time."
If you're sharing passwords, RADIUS is the most complex way to get the
information. You can get the same info by simply logging WAP events to
a log server.
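The reply above argues that logging access-point events to a log server yields the same "connected at / disconnected at" record that RADIUS accounting would. The script below is an added example written for this page, not code from the thread or from the CentOS project: it parses constructed, hostapd-style syslog lines (the `AP-STA-CONNECTED` / `AP-STA-DISCONNECTED` event names, the host name `wap1`, the MAC addresses and the timestamps are all assumed sample data) and pairs each connect with its disconnect to produce per-client session records, closing stale records when a disconnect was never logged.

```python
"""Build per-client session accounting from access-point syslog events.

Added example, not from the mailing-list thread: it assumes the WAP forwards
hostapd-style association events to a central syslog host and reconstructs
the same connect/disconnect accounting that RADIUS would provide.
"""
import re
from datetime import datetime

# Constructed sample lines in the style of hostapd messages relayed over
# syslog; the host name, MAC addresses and timestamps are made up.
SAMPLE_LOG = """\
Mar  1 09:00:01 wap1 hostapd: wlan0: AP-STA-CONNECTED 00:11:22:33:44:55
Mar  1 09:05:30 wap1 hostapd: wlan0: AP-STA-CONNECTED 66:77:88:99:aa:bb
Mar  1 09:42:17 wap1 hostapd: wlan0: AP-STA-DISCONNECTED 00:11:22:33:44:55
Mar  1 10:15:00 wap1 hostapd: wlan0: AP-STA-CONNECTED 00:11:22:33:44:55
Mar  1 10:20:05 wap1 hostapd: wlan0: some unrelated message
"""

# Syslog timestamp, host, interface, event type and station MAC address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) hostapd: "
    r"(?P<iface>\S+): AP-STA-(?P<event>CONNECTED|DISCONNECTED) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


def parse_line(line, year=2018):
    """Return a dict for a station event line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m["host"], "iface": m["iface"],
            "event": m["event"], "mac": m["mac"].lower()}


def _record(mac, start, end):
    """One accounting record; end is None if no disconnect was seen."""
    return {
        "mac": mac,
        "connected": start.isoformat(sep=" "),
        "disconnected": end.isoformat(sep=" ") if end else None,
        "duration_s": int((end - start).total_seconds()) if end else None,
    }


def sessions(log_text, year=2018):
    """Pair CONNECTED/DISCONNECTED events per MAC into session records."""
    open_sessions = {}  # mac -> connect time of the session still open
    result = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        mac = ev["mac"]
        if ev["event"] == "CONNECTED":
            # A second CONNECTED without a DISCONNECTED means the AP never
            # logged the end of the earlier session: close it with no end.
            if mac in open_sessions:
                result.append(_record(mac, open_sessions.pop(mac), None))
            open_sessions[mac] = ev["time"]
        else:
            start = open_sessions.pop(mac, None)
            if start is None:
                continue  # disconnect with no matching connect: ignore
            result.append(_record(mac, start, ev["time"]))
    # Sessions still open at the end of the log have no disconnect yet.
    for mac, start in open_sessions.items():
        result.append(_record(mac, start, None))
    return result


if __name__ == "__main__":
    for rec in sessions(SAMPLE_LOG):
        print(f"{rec['mac']}  {rec['connected']}  "
              f"{rec['disconnected'] or 'still connected'}  "
              f"{rec['duration_s'] if rec['duration_s'] is not None else '-'}s")
```

Because the access point only reports a station's MAC address, the records identify devices, not people; that is exactly the information the reply says RADIUS accounting would also give when the password is shared, so a syslog pipeline like this is the simpler way to obtain it.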