On 03/01/2018 03:06 AM, hw wrote: > >> It is illogical to lump all network access together into a single >> category. > ... >> If your device can communicate with a switch, even for the purpose of >> authenticating, then it has network access. > > The device has access to the switch which, depending on what answer to an > authentication request it gets from a RADIUS server, decides if and > how it > lets the device access the network. You're still lumping networks into a single category. Not "the" network, but "a" network. Unauthenticated clients are, by definition connected to A network consisting of the device and the switch. They might also be connected to a network consisting of the device, a switch, and a TFTP server that provides the boot image to the client. And since there is nothing else on that network, other than a read-only TFTP server that your devices require in order to boot, it's difficult to understand why you think there is a security risk here. Security is the process of restricting access to a resource to only the devices and persons that require it. If your devices require a boot image before they can authenticate, then restricting their access to that resource can no longer be described as "security." >>>> Where do your hypothetical customers in a store get the user >>>> credentials that you want to authenticate via RADIUS? >>> >>> They might get it from employees of the store or read it from signs >>> inside the store, perhaps depending on what kind of access rights they >>> are supposed to have. >> >> If you're sharing passwords, then you don't need RADIUS. Set up >> separate SSIDs that are attached to VLANs with appropriate access >> levels, and continue using WPA2 Personal. Using RADIUS will be no >> more secure than that. It's not magic. > > Right, but what about keeping track of customers? Apparently RADIUS > has some > accounting features, and it might be an advantage to use those. It does, but you will get exactly the same information using WPA2 Personal that you will from WPA2 Enterprise and RADIUS. "A client connected to the WAP at such and such time. It disconnected at such and such time." If you're sharing passwords, RADIUS is the most complex way to get the information. You can get the same info by simply logging WAP events to a log server.