[CentOS] RADIUS

Thu Mar 1 11:06:37 UTC 2018
hw <hw at gc-24.de>

Gordon Messmer wrote:
> On 02/27/2018 08:21 AM, hw wrote:
>> Gordon Messmer wrote:
>>> I've never seen anyone actually do this, but there's an article discussing it.  It is noteworthy that this requires enforcement in the client OS, as well as the switch.
>>
>> The article itself says that what it is describing only works within a
>> Windoze world.
> 
> That's what I said.

Well, it is not applicable here.

> (Also, "Windoze"?  Can we at least pretend to be a community of professionals?)
> 
>> I understand that it is suggested that I should give all unauthorized devices
>> network access (so that they can PXE boot or whatever), which is what I
>> don´t want to do.
> 
> It is illogical to lump all network access together into a single category.

That depends on your point of view.  When you have access to a network, you
have better chances of being able to do something you´re not supposed to than
you have when you don´t have any access at all.  That doesn´t say anything
about how it is logical or makes sense or not to create different categories
of network access.

> If your device can communicate with a switch, even for the purpose of authenticating, then it has network access.

The device has access to the switch which, depending on what answer to an
authentication request it gets from a RADIUS server, decides if and how it
lets the device access the network.  Maybe that´s not how it works; it´s only
what I´ve been reading.

> A device cannot authenticate if the processor is idle.  The processor needs software in order to authenticate.  If that software resides on an TFTP server, rather than a locally attached storage device, then the device needs limited network access to retrieve the software (after which it runs the software, authenticates the user or the device, and receives greater levels of network access.)
> 
> Providing a VLAN on which there are no private resources, and no Internet access, may be a required component if you have devices that boot via PXE.  Honestly, people are trying to help you, but you are placing logically contradictory requirements on the project.

You mean I´m not allowed to say that I don´t want to allow unauthorized devices
to access the network and having some that use PXE boot because it makes ppl trying
to help think that this is contradictory.  I can´t help that because it is the
situation I have to deal with.  Live is generally full of contradictions, and
everyone has to deal with that.

I don´t see what the problem is other than ppl trying to decide for me what I am
allowed to say or to think or to have to deal with, and that is something I very
much dislike.  It isn´t helpful, either.

If PXE boot is not possible because it would require to allow network access to
unauthorized devices, or if it is not reasonably feasible because switching the
device to a different VLAN after allowing unauthorized access for booting and then
providing credentials to authenticate the device (or the user) will result in the
device freezing and thus being useless, then that just is so, and I have to deal
with it.

>> I also understand that it may be possible that there is a variety of PXE boot
>> which addresses this problem by allowing devices to authenticate before they
>> boot.  However, some of the devices in question are likely to old to support
>> this.
> 
> The device needs to have software adequate to authenticate itself or its user.  It's logically possible to run software from some local storage, authenticate, retrieve a new software image from PXE, and then chainload that.  If you don't have a device that does that, specifically, then you need to provide a VLAN that supports the devices you DO have.

Other options would be not to use PXE boot or to allow the devices network
access as needed.

> 
>>> Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?
>>
>> They might get it from employees of the store or read it from signs
>> inside the store, perhaps depending on what kind of access rights they
>> are supposed to have.
> 
> If you're sharing passwords, then you don't need RADIUS.  Set up separate SSIDs that are attached to VLANs with appropriate access levels, and continue using WPA2 Personal.  Using RADIUS will be no more secure than that.  It's not magic.

Right, but what about keeping track of customers?  Apparently RADIUS has some
accounting features, and it might be an advantage to use those.

> 
>> Imagine you want to ride a horse and don´t know anything about horses. You
>> look for documentation about horses, and the only documentations you can find
>> are telling you that horses exist, how to get one and that they can be used for
>> riding.  How helpful is that?
> 
> Imagine that someone is trying to help you learn to ride horses, and you spend all of your time complaining that you think animals are dirty. How helpful is that?

This analogy doesn´t apply.  It´s more like I´m wondering if the horse can be
fast enough or haul the load I might need to get hauled or if it requires too
much upkeep.

And when I say "I would need the horse to haul 1/4 ton while I can´t feed it more
grain than I have", ppl trying to help are getting pissed because they think it´s
somehow illogical having to deal with the given requirements.  Yeah, well, logic
can be pretty irrelevant in most situations.