Gordon Messmer wrote:
> On 02/14/2018 08:37 AM, hw wrote:
>> Then what? How do I make it so that the users are actually able to authenticate?
>
> Look for documentation on 802.11x authentication for the specific client you want to authenticate.

Thanks, I figured it is what I might need to look into. How about a client that uses PXE boot?

> WiFi is pretty straightforward. You're probably accustomed to authenticating with WPA2 Personal. With RADIUS, you'll use WPA2 Enterprise. Users will be asked for their RADIUS credentials when you select that option.

That seems neither useful, nor feasible for customers wanting to use the wireless network we would set up for them with their cell phones. Are cell phones even capable of this kind of authentication?

> Ethernet is fairly similar to WPA2 Enterprise for WiFi. Under GNOME, for instance, you can open the Network configuration tool, click on the configuration gear for the wired connection, and then select the Security tab. Turn on 802.1x Security, and then you'll have the option to select an authentication type that matches your switch and RADIUS configuration. This will vary from client platform to client platform, but it's basically the same as WiFi authentication:

I'm not using GNOME; I recently tried it, and it's totally bloated, yet doesn't even have a usable window manager.

Anyway, there are some clients that can probably authenticate, which leaves the ones that use PXE boot. I tried things out with a switch, and it would basically work. If it makes sense to go any further with this, and how, now needs to be determined ...

> https://en.wikipedia.org/wiki/IEEE_802.1X#Supplicants
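The GNOME walkthrough quoted above, as an added example for a client without GNOME (this is not from the thread, and not a CentOS or NetworkManager default): the same wired 802.1X settings written as a wpa_supplicant configuration, wired driver, PEAP with MSCHAPv2 inside. The file path, the identity, the CA file and the RADIUS server name are assumptions; the password is a placeholder.

```conf
# Wired 802.1X supplicant configuration (added example; every path and name is assumed).
# Start with:  wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired.conf
ctrl_interface=/run/wpa_supplicant
# No scanning on Ethernet; the switch port is the authenticator.
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # RADIUS user name and a placeholder, not a real credential.
    identity="alice"
    password="REPLACE-ME"
    # Validate the RADIUS server's certificate. Without ca_cert the supplicant
    # accepts any server, so a rogue switch or access point presenting any
    # certificate can collect the MSCHAPv2 exchange for offline cracking.
    # domain_match restricts the accepted certificate to the one server this
    # supplicant is meant to talk to.
    ca_cert="/etc/pki/tls/certs/radius-ca.pem"
    domain_match="radius.example.net"
}
```

The ca_cert and domain_match lines are the part that matters for security; the GNOME dialog exposes the same two settings as the CA certificate and domain fields. Under NetworkManager the equivalent properties (same assumed names and paths) are set with `nmcli connection modify <name> 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity alice 802-1x.ca-cert /etc/pki/tls/certs/radius-ca.pem 802-1x.domain-suffix-match radius.example.net`.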
On Thu, 22 Feb 2018, hw wrote:
> That seems neither useful, nor feasible for customers wanting to use the
> wireless network we would set up for them with their cell phones. Are cell
> phones even capable of this kind of authentication?

Yes, entirely capable. WPA2-Enterprise isn't some freakish and unusual solution.

https://www.eduroam.org/

I configure wireless once on my device (phone/tablet/laptop) and then can travel to institutions all round the world and use their networks seamlessly. How useless and infeasible indeed.

> Anyway, there are some clients that can probably authenticate, which leaves
> the ones that use PXE boot. I tried things out with a switch, and it would
> basically work. If it makes sense to go any further with this and how now
> needs to be determined ...

A client that can't authenticate gets the network it's provided with by being unauthenticated. If an unauthenticated client can't have any network access, that's what they get. Presumably you could drop an unauthenticated machine into a different VLAN.

jh
On 02/22/2018 03:22 AM, hw wrote:
> Gordon Messmer wrote:
>> Look for documentation on 802.11x authentication for the specific
>> client you want to authenticate.
>
> Thanks, I figured it is what I might need to look into. How about
> a client that uses PXE boot?

Provide PXE (dhcp, dns, tftp) on an unauthenticated VLAN. Your original email suggested that you'd want users to auth before a system would boot, but that's probably not possible. If you want to authenticate users via username and password using RADIUS, then there has to be an OS running to provide an interface in which they provide credentials. It's not really clear how else you'd imagine that working.

>> WiFi is pretty straightforward. You're probably accustomed to
>> authenticating with WPA2 Personal. With RADIUS, you'll use WPA2
>> Enterprise. Users will be asked for their RADIUS credentials when
>> you select that option.
>
> That seems neither useful, nor feasible for customers wanting to use the
> wireless network we would set up for them with their cell phones. Are
> cell phones even capable of this kind of authentication?

Well, I guess I'm confused because having explained where you'd find the interface in which users will provide their RADIUS username and password, you think this process is unfeasible. Perhaps you could explain what you're looking for, more precisely?

>> Ethernet is fairly similar to WPA2 Enterprise for WiFi. Under GNOME,
>> for instance, you can open the Network configuration tool, click on
>> the configuration gear for the wired connection, and then select the
>> Security tab. Turn on 802.1x Security, and then you'll have the
>> option to select an authentication type that matches your switch and
>> RADIUS configuration. This will vary from client platform to client
>> platform, but it's basically the same as WiFi authentication:
>
> I'm not using GNOME; I recently tried it, and it's totally bloated,
> yet doesn't even have a usable window manager.

OK. I'm not sure how your opinion of GNOME is really relevant. I'm describing it because it's an example that's probably within reach for both you and me, given that you and I are communicating via a GNU/Linux focused mailing list.

I'm sorry my voluntary attempt to help you out wasn't to your liking.
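The "different VLAN" in John's reply and the "unauthenticated VLAN" for PXE in Gordon's message are normally two halves of one mechanism. A port that never starts EAP (the PXE client) falls into the guest VLAN configured on the switch itself; a port that does authenticate is moved by the RADIUS Access-Accept, which carries the VLAN in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 3580 section 3.31, tagged form from RFC 2868). The following is an added example, not code from the thread and not FreeRADIUS: it builds the request the switch sends, the server's Accept and Reject, and the check the switch must make before trusting a reply. The user name, VLAN numbers and shared secret are made up.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and the attribute types used here (RFC 2865 / RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")       # Tunnel-Type "VLAN" (RFC 3580 section 3.31)
TUNNEL_MEDIUM_IEEE_802 = (6).to_bytes(3, "big")  # Tunnel-Medium-Type "IEEE-802"
HEADER_LEN = 20                                  # code(1) + id(1) + length(2) + authenticator(16)

def _avp(attr_type, value):
    """Encode one attribute: type, total length (2 + value), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, username, request_authenticator):
    """What the switch (NAS) sends; the 16 random authenticator bytes bind the reply to it."""
    attrs = _avp(USER_NAME, username.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs

def _response(code, identifier, request_authenticator, secret, attrs):
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def build_access_accept(identifier, request_authenticator, secret, vlan_id, tag=1):
    """Accept telling the switch to put the port into VLAN `vlan_id` (RFC 3580 section 3.31).
    Each Tunnel-* value is one tag byte followed by the value; the tag groups the three together."""
    attrs = (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN)
             + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802)
             + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    return _response(ACCESS_ACCEPT, identifier, request_authenticator, secret, attrs)

def build_access_reject(identifier, request_authenticator, secret):
    """A Reject carries no VLAN; the port gets whatever the switch does for unauthenticated hosts."""
    return _response(ACCESS_REJECT, identifier, request_authenticator, secret, b"")

def verify_response(packet, request_authenticator, secret):
    """NAS-side check before acting on a reply: length sane, authenticator matches the secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

def parse_attributes(packet):
    """Return [(type, value), ...]; a bad length raises instead of looping or over-reading."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def assigned_vlan(packet):
    """VLAN id from an Access-Accept, or None (Reject, or no consistent VLAN attribute set)."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attr_type: body}; RFC 2868 groups the three attributes by tag
    for attr_type, value in parse_attributes(packet):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        groups.setdefault(tag, {})[attr_type] = body
    for fields in groups.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            group = fields[TUNNEL_PRIVATE_GROUP_ID].decode(errors="replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None

def demo():
    """One exchange with made-up values: user alice lands in VLAN 20; a forged reply is refused."""
    secret = b"example-shared-secret"   # assumed value, not a real secret
    req_auth = bytes(range(16))         # fixed instead of os.urandom(16) so the run is repeatable
    request = build_access_request(7, "alice", req_auth)
    accept = build_access_accept(request[1], req_auth, secret, vlan_id=20)
    ok = verify_response(accept, req_auth, secret)
    vlan = assigned_vlan(accept) if ok else None
    # Someone on the path without the secret rewrites the VLAN from 20 to 10: the MD5 no longer matches.
    forged = accept[:-2] + b"10"
    return ok, vlan, verify_response(forged, req_auth, secret)

if __name__ == "__main__":
    print(demo())   # (True, 20, False)
```

The point of `verify_response` is that the switch must not move a port into the company VLAN on the strength of an Accept it has not checked against the shared secret and the request it sent; the forged packet in `demo()` shows the check failing. That check only defends against a forger who lacks the secret, so the path between switch and RADIUS server should itself be protected (a dedicated management VLAN, or RADIUS over TLS) rather than shared with the clients being authenticated.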
John Hodrien wrote:
> On Thu, 22 Feb 2018, hw wrote:
>
>> That seems neither useful, nor feasible for customers wanting to use the
>> wireless network we would set up for them with their cell phones. Are cell
>> phones even capable of this kind of authentication?
>
> Yes, entirely capable. WPA2-Enterprise isn't some freakish and unusual
> solution.

Ok, so it would at least be possible.

> https://www.eduroam.org/
>
> I configure wireless once on my device (phone/tablet/laptop) and then can
> travel to institutions all round the world and use their networks seamlessly.
> How useless and infeasible indeed.

Well, this country is almost the worst of all countries around the world when it comes to internet access. Though they list a few locations here where you supposedly could use their service, I wouldn't expect anything. Then there's the question of protecting your privacy. For example, how much do they pay you for allowing them to keep track of your travels? In any case, it wouldn't do our customers any good because there aren't places all over the world where they could use our network.

>> Anyway, there are some clients that can probably authenticate, which leaves
>> the ones that use PXE boot. I tried things out with a switch, and it would
>> basically work. If it makes sense to go any further with this and how now
>> needs to be determined ...
>
> A client that can't authenticate gets the network it's provided with by being
> unauthenticated. If an unauthenticated client can't have any network access,
> that's what they get. Presumably you could drop an unauthenticated machine
> into a different VLAN.

That would be a problem because clients using PXE-boot require network access, and it wouldn't contribute to security if unauthorized clients were allowed to PXE-boot.
Gordon Messmer wrote:
> On 02/22/2018 03:22 AM, hw wrote:
>> Gordon Messmer wrote:
>>> Look for documentation on 802.11x authentication for the specific client you want to authenticate.
>>
>> Thanks, I figured it is what I might need to look into. How about
>> a client that uses PXE boot?
>
> Provide PXE (dhcp, dns, tftp) on an unauthenticated VLAN. Your original email suggested that you'd want users to auth before a system would boot, but that's probably not possible. If you want to authenticate users via username and password using RADIUS, then there has to be an OS running to provide an interface in which they provide credentials. It's not really clear how else you'd imagine that working.

I'm not sure how to imagine it. It would be nice if every device connecting to the network, wirelessly or otherwise, had to be authenticated --- and not only the device, but also the user(s) using it. There are devices that are using PXE-boot and require access to the company LAN. If I was to allow PXE-boot for unauthenticated devices, the whole thing would be pointless because it would defeat any security advantage that could be gained by requiring all devices and users to be authenticated: Anyone could bring a device capable of PXE-booting and get network access.

>>> WiFi is pretty straightforward. You're probably accustomed to authenticating with WPA2 Personal. With RADIUS, you'll use WPA2 Enterprise. Users will be asked for their RADIUS credentials when you select that option.
>>
>> That seems neither useful, nor feasible for customers wanting to use the
>> wireless network we would set up for them with their cell phones. Are
>> cell phones even capable of this kind of authentication?
>
> Well, I guess I'm confused because having explained where you'd find the interface in which users will provide their RADIUS username and password, you think this process is unfeasible. Perhaps you could explain what you're looking for, more precisely?

As a customer visiting a store, would you go to the lengths of configuring your cell phone (or other wireless device) to authenticate with a RADIUS server in order to gain internet access through the wireless network of the store? From what I'm being told, everyone already has internet access with their cell phones from their phone service provider and is apparently happy with that even though the amount of data they can transmit is ridiculously low. So why would anyone do any configuring and have to worry about protecting their privacy when and for using the wireless network of a shop they're visiting?

I have no idea what the lengths of configuring might be other than that anything you try to do with a cell phone or a tablet is so extremely painful or outright impossible that I only touch them when I get paid for it. Perhaps RADIUS authentication is easy with such devices.

>>> Ethernet is fairly similar to WPA2 Enterprise for WiFi. Under GNOME, for instance, you can open the Network configuration tool, click on the configuration gear for the wired connection, and then select the Security tab. Turn on 802.1x Security, and then you'll have the option to select an authentication type that matches your switch and RADIUS configuration. This will vary from client platform to client platform, but it's basically the same as WiFi authentication:
>>
>> I'm not using GNOME; I recently tried it, and it's totally bloated,
>> yet doesn't even have a usable window manager.
>
> OK. I'm not sure how your opinion of GNOME is really relevant. I'm describing it because it's an example that's probably within reach for both you and me, given that you and I are communicating via a GNU/Linux focused mailing list.
>
> I'm sorry my voluntary attempt to help you out wasn't to your liking.

Don't be sorry, there's nothing wrong with your help, and I appreciate it.

Just keep in mind when you say that the opinions of users of software X are irrelevant, software X itself is as irrelevant as the opinions.