Gordon Messmer wrote:
> On 02/22/2018 03:22 AM, hw wrote:
>> Gordon Messmer wrote:
>>> Look for documentation on 802.11x authentication for the specific client you want to authenticate.
>>
>> Thanks, I figured it is what I might need to look into. How about
>> a client that uses PXE boot?
>
> Provide PXE (dhcp, dns, tftp) on an unauthenticated VLAN. Your original email suggested that you'd want users to auth before a system would boot, but that's probably not possible. If you want to authenticate users via username and password using RADIUS, then there has to be an OS running to provide an interface in which they provide credentials. It's not really clear how else you'd imagine that working.

I'm not sure how to imagine it. It would be nice if every device connecting to the network, wirelessly or otherwise, had to be authenticated --- and not only the device, but also the user(s) using it.

There are devices that are using PXE-boot and require access to the company LAN. If I was to allow PXE-boot for unauthenticated devices, the whole thing would be pointless because it would defeat any security advantage that could be gained by requiring all devices and users to be authenticated: Anyone could bring a device capable of PXE-booting and get network access.

>>> WiFi is pretty straightforward. You're probably accustomed to authenticating with WPA2 Personal. With RADIUS, you'll use WPA2 Enterprise. Users will be asked for their RADIUS credentials when you select that option.
>>
>> That seems neither useful, nor feasible for customers wanting to use the
>> wireless network we would set up for them with their cell phones. Are
>> cell phones even capable of this kind of authentication?
>
> Well, I guess I'm confused because having explained where you'd find the interface in which users will provide their RADIUS username and password, you think this process is unfeasible.
> Perhaps you could explain what you're looking for, more precisely?

As a customer visiting a store, would you go to the lengths of configuring your cell phone (or other wireless device) to authenticate with a RADIUS server in order to gain internet access through the wireless network of the store?

From what I'm being told, everyone already has internet access with their cell phones from their phone service provider and is apparently happy with that even though the amount of data they can transmit is ridiculously low. So why would anyone do any configuring and have to worry about protecting their privacy when and for using the wireless network of a shop they're visiting?

I have no idea what the lengths of configuring might be other than that anything you try to do with a cell phone or a tablet is so extremely painful or outright impossible that I only touch them when I get paid for it. Perhaps RADIUS authentication is easy with such devices.

>>> Ethernet is fairly similar to WPA2 Enterprise for WiFi. Under GNOME, for instance, you can open the Network configuration tool, click on the configuration gear for the wired connection, and then select the Security tab. Turn on 802.1x Security, and then you'll have the option to select an authentication type that matches your switch and RADIUS configuration. This will vary from client platform to client platform, but it's basically the same as WiFi authentication:
>>
>> I'm not using gnome; I recently tried it, and it's totally bloated,
>> yet doesn't even have a usable window manager.
>
> OK. I'm not sure how your opinion of GNOME is really relevant. I'm describing it because it's an example that's probably within reach for both you and me, given that you and I are communicating via a GNU/Linux focused mailing list.
>
> I'm sorry my voluntary attempt to help you out wasn't to your liking.

Don't be sorry, there's nothing wrong with your help, and I appreciate it.

Just keep in mind when you say that the opinions of users of software X are irrelevant, software X itself is as irrelevant as the opinions.
On Fri, Feb 23, 2018 at 11:22 AM, hw <hw at gc-24.de> wrote:
> As a customer visiting a store, would you go to the lengths of configuring
> your cell phone (or other wireless device) to authenticate with a RADIUS
> server in order to gain internet access through the wireless network of the
> store?
>
> From what I'm being told, everyone already has internet access with their
> cell phones from their phone service provider and is apparently happy with
> that even though the amount of data they can transmit is ridiculously low.
> So why would anyone do any configuring and have to worry about protecting
> their privacy when and for using the wireless network of a shop they're
> visiting?
>
> I have no idea what the lengths of configuring might be other than that
> anything you try to do with a cell phone or a tablet is so extremely
> painful or outright impossible that I only touch them when I get paid for
> it. Perhaps RADIUS authentication is easy with such devices.

Corporate mobile devices are typically configured using MDM to already have the company 802.1x profile so they "just work" on the corporate WiFi. Guest mobile devices will connect to another SSID, which usually only allows access to the internet (sometimes after agreeing to an AUP via a captive web portal).
> There are devices that are using PXE-boot and require access to the company LAN.
> If I was to allow PXE-boot for unauthenticated devices, the whole thing would be
> pointless because it would defeat any security advantage that could be gained by
> requiring all devices and users to be authenticated: Anyone could bring a device
> capable of PXE-booting and get network access.

So authenticate before imaging. Lots of imaging solutions allow that - even the MS WDS does it.

> As a customer visiting a store, would you go to the lengths of configuring your
> cell phone (or other wireless device) to authenticate with a RADIUS server in
> order to gain internet access through the wireless network of the store?

Yes, I do it frequently with my phone. You do it once and it remembers it. My phone is more often on wifi than on 4G when I'm in a town.

> From what I'm being told, everyone already has internet access with their cell
> phones from their phone service provider and is apparently happy with that
> even though the amount of data they can transmit is ridiculously low. So why
> would anyone do any configuring and have to worry about protecting their privacy
> when and for using the wireless network of a shop they're visiting?

Because you get faster data rates and in the middle of a big shop you don't get a phone signal.

> I have no idea what the lengths of configuring might be other than that anything
> you try to do with a cell phone or a tablet is so extremely painful or outright
> impossible that I only touch them when I get paid for it. Perhaps RADIUS
> authentication is easy with such devices.

In general the user knows nothing about RADIUS - you are presented with a username/password box when you first connect to the wifi and that is it.

> > > I'm not using gnome; I recently tried it, and it's totally bloated,
> > > yet doesn't even have a usable window manager.
> >
> > OK. I'm not sure how your opinion of GNOME is really relevant.
> > I'm describing it because it's an example that's probably within
> > reach for both you and me, given that you and I are communicating
> > via a GNU/Linux focused mailing list.
> >
> > I'm sorry my voluntary attempt to help you out wasn't to your liking.
>
> Don't be sorry, there's nothing wrong with your help, and I appreciate it.
>
> Just keep in mind when you say that the opinions of users of software X are
> irrelevant, software X itself is as irrelevant as the opinions.

Exactly. "Software X" was an example of how it could be done. It doesn't matter what your opinions are about it. Other software is available. You seem to be taking the examples that people give you as the only possible way of doing things.

RADIUS is a very mature technology and as such there are lots of ways of using it.

P.
On Fri, 23 Feb 2018, hw wrote:
> There are devices that are using PXE-boot and require access to the company
> LAN. If I was to allow PXE-boot for unauthenticated devices, the whole
> thing would be pointless because it would defeat any security advantage that
> could be gained by requiring all devices and users to be authenticated:
> Anyone could bring a device capable of PXE-booting and get network access.

I'd hope that you could involve TPM in this game. PXE to unauthenticated VLAN, boot an OS that could then use TPM to pull out a credential to authenticate to the network and switch to another VLAN.

> As a customer visiting a store, would you go to the lengths of configuring
> your cell phone (or other wireless device) to authenticate with a RADIUS
> server in order to gain internet access through the wireless network of the
> store?

No, I'd never offer wireless network access this way. Typically, you either offer it unauthenticated, or you provide it via a captive web portal.

jh
Richard Grainger wrote:
> On Fri, Feb 23, 2018 at 11:22 AM, hw <hw at gc-24.de> wrote:
>
>> As a customer visiting a store, would you go to the lengths of configuring
>> your cell phone (or other wireless device) to authenticate with a RADIUS
>> server in order to gain internet access through the wireless network of the
>> store?
>>
>> From what I'm being told, everyone already has internet access with their
>> cell phones from their phone service provider and is apparently happy with
>> that even though the amount of data they can transmit is ridiculously low.
>> So why would anyone do any configuring and have to worry about protecting
>> their privacy when and for using the wireless network of a shop they're
>> visiting?
>>
>> I have no idea what the lengths of configuring might be other than that
>> anything you try to do with a cell phone or a tablet is so extremely
>> painful or outright impossible that I only touch them when I get paid for
>> it. Perhaps RADIUS authentication is easy with such devices.
>
> Corporate mobile devices are typically configured using MDM to already
> have the company 802.1x profile so they "just work" on the corporate
> WiFi.

MDM? I've never heard that before; might be worthwhile to look into.

> Guest mobile devices will connect to another SSID, which
> usually only allows access to the internet (sometimes after agreeing
> to an AUP via a captive web portal).

Yes, that's one of the ideas. Another idea is to allow unregistered customers access for a limited amount of time and allowing registered customers (like regular customers having a customer card) an unlimited amount of time. I have no idea yet how I would limit the time. That requires some way to distinguish between customers, and it means that distinguishing between devices is not sufficient for registered customers.
Pete Biggs wrote:
>> There are devices that are using PXE-boot and require access to the company LAN.
>> If I was to allow PXE-boot for unauthenticated devices, the whole thing would be
>> pointless because it would defeat any security advantage that could be gained by
>> requiring all devices and users to be authenticated: Anyone could bring a device
>> capable of PXE-booting and get network access.
>
> So authenticate before imaging. Lots of imaging solutions allow that -
> even the MS WDS does it.

Well, I don't have an imaging solution and no idea how to do that.

>> As a customer visiting a store, would you go to the lengths of configuring your
>> cell phone (or other wireless device) to authenticate with a RADIUS server in
>> order to gain internet access through the wireless network of the store?
>
> Yes, I do it frequently with my phone. You do it once and it remembers
> it. My phone is more often on wifi than on 4G when I'm in a town.

And you need to install certificates or enter a password or something?

>> From what I'm being told, everyone already has internet access with their cell
>> phones from their phone service provider and is apparently happy with that
>> even though the amount of data they can transmit is ridiculously low. So why
>> would anyone do any configuring and have to worry about protecting their privacy
>> when and for using the wireless network of a shop they're visiting?
>
> Because you get faster data rates and in the middle of a big shop you
> don't get a phone signal.

How do you get faster data rates? In a shop that even has a 100Mbit internet connection and 50 customers using it, you would get only 2Mbit. How do the shops prevent you from getting a phone signal?

>> I have no idea what the lengths of configuring might be other than that anything
>> you try to do with a cell phone or a tablet is so extremely painful or outright
>> impossible that I only touch them when I get paid for it. Perhaps RADIUS
>> authentication is easy with such devices.
>
> In general the user knows nothing about RADIUS - you are presented with
> a username/password box when you first connect to the wifi and that is
> it.

Those are particularly painful to enter, but I guess it could be used for some customers.

>>>> I'm not using gnome; I recently tried it, and it's totally bloated,
>>>> yet doesn't even have a usable window manager.
>>>
>>> OK. I'm not sure how your opinion of GNOME is really relevant.
>>> I'm describing it because it's an example that's probably within
>>> reach for both you and me, given that you and I are communicating
>>> via a GNU/Linux focused mailing list.
>>>
>>> I'm sorry my voluntary attempt to help you out wasn't to your liking.
>>
>> Don't be sorry, there's nothing wrong with your help, and I appreciate it.
>>
>> Just keep in mind when you say that the opinions of users of software X are
>> irrelevant, software X itself is as irrelevant as the opinions.
>
> Exactly. "Software X" was an example of how it could be done. It
> doesn't matter what your opinions are about it. Other software is
> available. You seem to be taking the examples that people give you as
> the only possible way of doing things.
>
> RADIUS is a very mature technology and as such there are lots of ways
> of using it.

Well, I don't know about any of this. I found out that RADIUS is probably what I could or should use to get things working as intended, so I tried to find documentation on /how/ to use it and found nothing but documentation which says that it could be used, which I already know. So I tried it to a limited extent and found that it could and probably should be used.
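As an added example (not from any poster in this thread), the client-side settings Gordon locates in the GNOME dialog and the "certificates or a password?" question above, written as wpa_supplicant configuration, which is what a non-GNOME Linux client uses for both wired 802.1X and WPA2 Enterprise WiFi. The identity, password, CA path, server name and SSID are placeholders.

```text
# File 1: wired 802.1X, e.g. /etc/wpa_supplicant/wired.conf (constructed example;
# identity, password, CA certificate path and server name are placeholders).
# Started with:  wpa_supplicant -Dwired -ieth0 -c /etc/wpa_supplicant/wired.conf
ctrl_interface=/run/wpa_supplicant
ap_scan=0                      # no SSID scanning on a wired port

network={
    key_mgmt=IEEE8021X         # plain 802.1X, no WPA key handshake
    eap=PEAP                   # PEAP with MSCHAPv2 inside: the username/password
    phase2="auth=MSCHAPV2"     # box that phones show is this same method
    identity="alice"
    password="example-only"
    # This is the "certificate" part of the answer: the client must verify the
    # RADIUS server's certificate against the organisation's CA and check the
    # server name, otherwise it will send its credentials to whatever RADIUS
    # server the switch forwards it to. Leaving ca_cert out "works" but proves
    # nothing about the network to the client.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# File 2: WPA2 Enterprise WiFi, e.g. /etc/wpa_supplicant/wifi.conf. The EAP part
# is identical; only the key management and the SSID differ, which is why the
# GNOME wired and wireless dialogs look alike.
ctrl_interface=/run/wpa_supplicant

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

Phones and tablets expose the same fields (EAP method, phase 2, identity, password, CA certificate, server name) in their WiFi settings, which is what an MDM profile pre-fills for corporate devices.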
John Hodrien wrote:
> On Fri, 23 Feb 2018, hw wrote:
>
>> There are devices that are using PXE-boot and require access to the company
>> LAN. If I was to allow PXE-boot for unauthenticated devices, the whole
>> thing would be pointless because it would defeat any security advantage that
>> could be gained by requiring all devices and users to be authenticated:
>> Anyone could bring a device capable of PXE-booting and get network access.
>
> I'd hope that you could involve TPM in this game. PXE to unauthenticated
> VLAN, boot an OS that could then use TPM to pull out a credential to
> authenticate to the network and switch to another VLAN.

Besides that I have no idea how to do this: When switching over to a different VLAN, access to the server the client has booted from would go away, and the client would freeze until the connection is back. It would be the same effect as unplugging the network cable.

Those clients are x2go clients, and they boot from the same VM the users work on via these clients. I don't think the clients will continue to work when pulling the connection to the boot device while leaving them connected to the x2go server, and it would require the x2go server to be reachable via a VLAN that provides unauthenticated access.

I never used TPM. Apparently it requires machines supporting it because some have an entry in their BIOS for it, and you need some sort of unknown hardware module nobody has.

>> As a customer visiting a store, would you go to the lengths of configuring
>> your cell phone (or other wireless device) to authenticate with a RADIUS
>> server in order to gain internet access through the wireless network of the
>> store?
>
> No, I'd never offer wireless network access this way. Typically, you either
> offer it unauthenticated, or you provide it via a captive web portal.

Would you consider a captive portal as user friendly?
On 02/23/2018 03:22 AM, hw wrote:
> I'm not sure how to imagine it. It would be nice if every device
> connecting to the network, wirelessly or otherwise, had to be
> authenticated --- and not only the device, but also the user(s) using it.

https://www.networkworld.com/article/2940463/it-skills-training/machine-authentication-and-user-authentication.html

I've never seen anyone actually do this, but there's an article discussing it. It is noteworthy that this requires enforcement in the client OS, as well as the switch.

> There are devices that are using PXE-boot and require access to the
> company LAN. If I was to allow PXE-boot for unauthenticated devices,
> the whole thing would be pointless because it would defeat any security
> advantage that could be gained by requiring all devices and users to be
> authenticated: Anyone could bring a device capable of PXE-booting and
> get network access.

You don't seem to understand the suggestions you're being given.

An unauthenticated device should be placed on a VLAN with appropriate access. If you have devices that need to PXE boot before authenticating, then you should have a VLAN that gives them DHCP service, DNS, and tftp to boot an OS. That VLAN shouldn't have access to the protected company resources, and it doesn't have to have Internet access either.

Once the system boots, the users can authenticate themselves, which will move the device onto a VLAN with access appropriate for an authenticated user.

>> Well, I guess I'm confused because having explained where you'd find
>> the interface in which users will provide their RADIUS username and
>> password, you think this process is unfeasible. Perhaps you could
>> explain what you're looking for, more precisely?
>
> As a customer visiting a store, would you go to the lengths of
> configuring your cell phone (or other wireless device) to authenticate
> with a RADIUS server in order to gain internet access through the
> wireless network of the store?

Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?

I'm not sure I understand the use case you're describing. I'm not sure you do, either.
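The "unauthenticated VLAN first, re-authorize after login" flow Gordon describes above, together with the time-limited guest access hw asked about in the reply to Richard, as an added example that is not from any poster: a FreeRADIUS 3 `users` file fragment and a Cisco IOS-style port configuration. User names, passwords, VLAN numbers, the RADIUS server address and the shared secret are made up, and the switch syntax is Cisco-specific (other vendors spell the same features differently).

```text
# --- FreeRADIUS 3, /etc/raddb/users (constructed example; names and VLANs made up)
# The switch/AP sends the EAP exchange to RADIUS and gets back the VLAN the
# port is to be placed in (RFC 3580 tunnel attributes). The device itself
# never chooses a VLAN and carries no traffic until the port is authorized,
# which is the "switch negotiates on the device's behalf" property hw wants.

# Registered customer or employee: full-access VLAN, no time limit.
alice   Cleartext-Password := "example-only"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Walk-in guest: internet-only VLAN, and the switch/AP tears the session down
# after Session-Timeout seconds (one hour here). This is one way to give
# unregistered customers limited-time access while registered ones get none.
guest   Cleartext-Password := "example-only"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "40",
        Session-Timeout = 3600

# --- Cisco IOS-style switch port (constructed; check your platform's syntax)
# A PXE client has no 802.1X supplicant at power-on, so it never answers the
# switch's EAP requests. After the EAP timeouts the switch authorizes the port
# into VLAN 50 only, which carries DHCP, DNS and TFTP and nothing else. When
# the booted OS starts a supplicant and authenticates, the RADIUS reply above
# re-authorizes the same port into VLAN 30 or 40.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius   # needed to accept the VLAN reply
dot1x system-auth-control
radius server lab-radius
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
!
interface GigabitEthernet1/0/5
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 authentication event no-response action authorize vlan 50
```

The VLAN move changes the client's subnet, so anything still being served from VLAN 50 (such as a network-booted root filesystem) breaks at that moment, which is the freeze hw describes; the boot server would have to be reachable from both VLANs, or the client re-mounted after the move.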
Gordon Messmer wrote:
> On 02/23/2018 03:22 AM, hw wrote:
>> I'm not sure how to imagine it. It would be nice if every device connecting to
>> the network, wirelessly or otherwise, had to be authenticated --- and not only
>> the device, but also the user(s) using it.
>
> https://www.networkworld.com/article/2940463/it-skills-training/machine-authentication-and-user-authentication.html
>
> I've never seen anyone actually do this, but there's an article discussing it. It is noteworthy that this requires enforcement in the client OS, as well as the switch.

The article itself says that what it is describing only works within a Windoze world. It doesn't apply at all here.

>> There are devices that are using PXE-boot and require access to the company LAN.
>> If I was to allow PXE-boot for unauthenticated devices, the whole thing would be
>> pointless because it would defeat any security advantage that could be gained by
>> requiring all devices and users to be authenticated: Anyone could bring a device
>> capable of PXE-booting and get network access.
>
> You don't seem to understand the suggestions you're being given.
>
> An unauthenticated device should be placed on a VLAN with appropriate access. If you have devices that need to PXE boot before authenticating, then you should have a VLAN that gives them DHCP service, DNS, and tftp to boot an OS. That VLAN shouldn't have access to the protected company resources, and it doesn't have to have Internet access either.

I understand that it is suggested that I should give all unauthorized devices network access (so that they can PXE boot or whatever), which is what I don't want to do.

IIUC, when using RADIUS, devices can be denied network access before they get any because the switch or wireless access point the devices use to get network access negotiates access rights for the devices on behalf of the devices with the RADIUS server rather than that the devices are given network access to negotiate their access rights themselves. That's supposed to provide better security, and it makes sense to me. Hence allowing unauthorized devices network access (to PXE boot and then to negotiate further access rights --- or whatever) doesn't make any sense.

I also understand that it may be possible that there is a variety of PXE boot which addresses this problem by allowing devices to authenticate before they boot. However, some of the devices in question are likely too old to support this.

> Once the system boots, the users can authenticate themselves, which will move the device onto a VLAN with access appropriate for an authenticated user.

Like I said in other posts, that's probably not possible because when you cut the clients off from access to the server they booted from by moving them into a different VLAN, they will simply freeze until the connection is restored.

>>> Well, I guess I'm confused because having explained where you'd find the interface in which users will provide their RADIUS username and password, you think this process is unfeasible. Perhaps you could explain what you're looking for, more precisely?
>>
>> As a customer visiting a store, would you go to the lengths of configuring your
>> cell phone (or other wireless device) to authenticate with a RADIUS server in
>> order to gain internet access through the wireless network of the store?
>
> Where do your hypothetical customers in a store get the user credentials that you want to authenticate via RADIUS?

They might get it from employees of the store or read it from signs inside the store, perhaps depending on what kind of access rights they are supposed to have.

> I'm not sure I understand the use case you're describing. I'm not sure you do, either.

Right --- that's why I was asking for documentation about how RADIUS can be actually used rather than documentation only saying that it can be used but not how. You can't very well design a use case for a particular software when you do not know what the software is capable of and if it is applicable at all, and you can not very well design the use case when you don't even know if what you might want is possible. Yet you need to start somewhere to get somewhere.

Imagine you want to ride a horse and don't know anything about horses. You look for documentation about horses, and the only documentation you can find tells you that horses exist, how to get one and that they can be used for riding. How helpful is that? I'm merely asking how to ride the darn horses. Perhaps I'm better off with a car, but I can't tell before I know how to ride horses.