John Hodrien wrote:
> On Thu, 22 Feb 2018, hw wrote:
>
>> That seems neither useful, nor feasible for customers wanting to use the
>> wireless network we would set up for them with their cell phones. Are cell
>> phones even capable of this kind of authentication?
>
> Yes, entirely capable. WPA2-Enterprise isn't some freakish and unusual
> solution.

Ok, so it would at least be possible.

> https://www.eduroam.org/
>
> I configure wireless once on my device (phone/tablet/laptop) and then can
> travel to institutions all round the world and use their networks seamlessly.
> How useless and infeasible indeed.

Well, this country is almost the worst of all countries around the world when
it comes to internet access. Though they list a few locations here where you
supposedly could use their service, I wouldn't expect anything. Then there's
the question of protecting your privacy. For example, how much do they pay you
for allowing them to keep track of your travels?

In any case, it wouldn't do our customers any good because there aren't places
all over the world where they could use our network.

>> Anyway, there are some clients that can probably authenticate, which leaves
>> the ones that use PXE boot. I tried things out with a switch, and it would
>> basically work. If it makes sense to go any further with this and how now
>> needs to be determined ...
>
> A client that can't authenticate gets the network it's provided with by being
> unauthenticated. If an unauthenticated client can't have any network access,
> that's what they get. Presumably you could drop an unauthenticated machine
> into a different VLAN.

That would be a problem because clients using PXE-boot require network access,
and it wouldn't contribute to security if unauthorized clients were allowed to
PXE-boot.
On Fri, 23 Feb 2018, hw wrote:

> That would be a problem because clients using PXE-boot require network
> access, and it wouldn't contribute to security if unauthorized clients were
> allowed to PXE-boot.

What problem are you actually trying to solve?

jh
On Fri, Feb 23, 2018 at 10:33 AM, hw <hw at gc-24.de> wrote:

> That would be a problem because clients using PXE-boot require network
> access, and it wouldn't contribute to security if unauthorized clients were
> allowed to PXE-boot.

Two solutions to this:

1. Enable "exception by MAC address": only known MAC addresses get put onto
   the PXE boot VLAN. Other unauthenticated clients go onto a "no access" VLAN
   (many places make this the same VLAN as the guest WiFi VLAN with internet
   access only, sometimes with a captive portal). Authenticated clients go onto
   the corporate VLAN.

2. (This can be in addition to or instead of 1.) The PXE server itself will
   only serve known MAC addresses and/or requires a token/password to initiate
   the install.

Regardless, there's not huge utility to installing your personal machine with a
corporate build from a PXE server, which you then can't use because you don't
have corporate credentials, but I suppose it may have some risk with regards to
software licensing or builds containing other stuff you don't want strangers to
access, so lockdowns can't hurt.
Richard Grainger wrote:
> On Fri, Feb 23, 2018 at 10:33 AM, hw <hw at gc-24.de> wrote:
>
>> That would be a problem because clients using PXE-boot require network
>> access, and it wouldn't contribute to security if unauthorized clients were
>> allowed to PXE-boot.
>
> Two solutions to this:
>
> 1. Enable "exception by MAC address": only known MAC addresses get put
>    onto the PXE boot VLAN. Other unauthenticated clients go onto a "no
>    access" VLAN (many places make this the same VLAN as the guest WiFi
>    VLAN with internet access only, sometimes with a captive portal).
>    Authenticated clients go onto the corporate VLAN.
> 2. (This can be in addition to or instead of 1.) The PXE server itself
>    will only serve known MAC addresses and/or requires a token/password
>    to initiate the install. Regardless, there's not huge utility to
>    installing your personal machine with a corporate build from a PXE
>    server, which you then can't use because you don't have corporate
>    credentials, but I suppose it may have some risk with regards to
>    software licensing or builds containing other stuff you don't want
>    strangers to access, so lockdowns can't hurt.

But MAC addresses can be faked, can't they?
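The switch-side half of Richard's first solution (authenticated clients on the corporate VLAN, known PXE NICs on a PXE-only VLAN, everything else on a guest VLAN) is usually implemented as a RADIUS policy: the switch runs 802.1X and falls back to MAC authentication bypass (MAB), and the RADIUS server answers with the RFC 3580 Tunnel-* attributes that select the VLAN. The block below is an added example written for this page, not code from the thread or from any of the posters or from FreeRADIUS itself. The VLAN numbers, the PXE allow-list, the attribute dictionary shape and the sample requests are all made up here; the MAB convention it assumes (switch sends the client MAC as both User-Name and password) is the common one but should be checked against the switch in use. Because a MAC match is a lookup rather than authentication, the PXE VLAN it assigns is meant to contain nothing except the DHCP/TFTP/install server, which is the second of Richard's solutions and is not implemented here.

```python
"""RADIUS-side VLAN policy for 802.1X with MAB fallback (added example).

Assumptions (not taken from the original thread):
  * VLAN ids 10/20/30, PXE_MACS and SAMPLE_REQUESTS are constructed.
  * The switch honours RFC 3580 Tunnel-* attributes in an Access-Accept.
  * For MAB the switch sends the MAC as User-Name (and as the password).
"""
import re

VLAN_CORPORATE = "10"   # EAP-authenticated clients
VLAN_PXE = "20"         # MAB-matched PXE NICs: only boot infrastructure lives here
VLAN_GUEST = "30"       # everyone else: internet only / captive portal

# Constructed allow-list of NICs permitted to PXE-boot, in normalized form.
PXE_MACS = {"001122334455", "0a1b2c3d4e5f"}

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(value):
    """Switches send Calling-Station-Id in several shapes
    ('AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'aa:bb:cc:dd:ee:ff').
    Reduce any of them to 12 lowercase hex digits; None if malformed."""
    digits = _NON_HEX.sub("", value.lower())
    return digits if len(digits) == 12 else None


def vlan_reply(vlan_id):
    """Reply attributes a switch expects for dynamic VLAN assignment (RFC 3580)."""
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", vlan_id),
    )


def decide(request, eap_authenticated):
    """request: RADIUS request attributes as a dict (name -> value).
    eap_authenticated: True only when the EAP exchange (PEAP, EAP-TLS, ...)
    completed; in a real server that comes from the EAP module, never from
    anything the client put in the request.

    Returns (decision, reply_attributes)."""
    mac = normalize_mac(request.get("Calling-Station-Id", ""))

    if eap_authenticated:
        return "corporate", vlan_reply(VLAN_CORPORATE)

    # Treat the request as MAB only when User-Name really is the client MAC.
    # A supplicant whose EAP attempt failed must not slide into the PXE VLAN
    # just because its port happens to carry an allow-listed address.
    username = normalize_mac(request.get("User-Name", ""))
    if mac is not None and username == mac and mac in PXE_MACS:
        # Identity here is the MAC alone. It is a lookup, not authentication,
        # and a MAC can be cloned, so VLAN_PXE must expose nothing but the
        # boot/install servers.
        return "pxe", vlan_reply(VLAN_PXE)

    # Unknown MACs get an Access-Accept onto the guest VLAN. The alternative
    # is to Reject and let the switch's own auth-fail/guest VLAN apply.
    return "guest", vlan_reply(VLAN_GUEST)


# Constructed requests exercising each branch (not captured traffic).
SAMPLE_REQUESTS = [
    ("known PXE NIC via MAB",
     {"User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "00-11-22-33-44-55"}, False),
    ("same allow-list, other switch MAC format",
     {"User-Name": "0a1b.2c3d.4e5f", "Calling-Station-Id": "0a1b.2c3d.4e5f"}, False),
    ("employee laptop, EAP succeeded",
     {"User-Name": "alice", "Calling-Station-Id": "00:11:22:33:44:55"}, True),
    ("failed EAP on a port with an allow-listed MAC",
     {"User-Name": "alice", "Calling-Station-Id": "00:11:22:33:44:55"}, False),
    ("unknown NIC via MAB",
     {"User-Name": "ffeeddccbbaa", "Calling-Station-Id": "FF-EE-DD-CC-BB-AA"}, False),
]


def run_samples():
    """Map each sample label to the VLAN decision it produces."""
    return {label: decide(req, eap)[0] for label, req, eap in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:48s} -> {outcome}")
```

The MAC normalization matters in practice: an allow-list written in one format silently matches nothing when the switch reports Calling-Station-Id in another, and the failure mode is that every PXE client lands on the guest VLAN. The `username == mac` check is what keeps a failed EAP attempt from being treated as MAB within the same request.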
>>> https://www.eduroam.org/
>>>
>>> I configure wireless once on my device (phone/tablet/laptop) and then can
>>> travel to institutions all round the world and use their networks seamlessly.
>>> How useless and infeasible indeed.
>>
>> Well, this country

"this country"?

>> is almost the worst of all countries around the world when
>> it comes to internet access. Though they list a few locations here where you
>> supposedly could use their service, I wouldn't expect anything. Then there's
>> the question of protecting your privacy. For example, how much do they pay you
>> for allowing them to keep track of your travels?

I think you've got the wrong idea about eduroam. John Hodrien was just using it
as a real world example of WPA2-enterprise in action. It's a private network
for academic institutions - it allows members of Universities around the world
to gain access to the wifi at a local University they are visiting. It's not a
public wifi service.

It's a convenience - a very, very convenient convenience. If you don't want
someone tracking where you are, then don't use it. But TBH if you are visiting
another university, then in general your location is known!

>> In any case, it wouldn't do our customers any good because there aren't places
>> all over the world where they could use our network.

Your customers wouldn't be able to use it anyway.

>>> A client that can't authenticate gets the network it's provided with by being
>>> unauthenticated. If an unauthenticated client can't have any network access,
>>> that's what they get. Presumably you could drop an unauthenticated machine
>>> into a different VLAN.
>>
>> That would be a problem because clients using PXE-boot require network access,
>> and it wouldn't contribute to security if unauthorized clients were allowed to
>> PXE-boot.

So restrict based on MAC address at the PXE boot stage.
The PXE protocol, as far as I can see, has no concept of authorisation -
although it's certainly possible to introduce it after PXE has done its bit
(but before imaging or whatever).

You may be better off with authenticating the DHCP using RADIUS, but it's a
complex process which, by its very nature, requires some form of
non-authenticated network access.

P.
John Hodrien wrote:
> On Fri, 23 Feb 2018, hw wrote:
>
>> That would be a problem because clients using PXE-boot require network
>> access, and it wouldn't contribute to security if unauthorized clients were
>> allowed to PXE-boot.
>
> What problem are you actually trying to solve?

There are multiple problems like providing employees and customers with LAN
and/or internet access and making the network more secure: when using RADIUS
for keeping track of employees and customers, why not use it for more security
as well. Network access is not the only thing authentication is needed for.
Perhaps RADIUS can be used for other things as well; I don't know what all you
can use it for.
Pete Biggs wrote:
>>> https://www.eduroam.org/
>>>
>>> I configure wireless once on my device (phone/tablet/laptop) and then can
>>> travel to institutions all round the world and use their networks seamlessly.
>>> How useless and infeasible indeed.
>>
>> Well, this country
>
> "this country"?

Germany

>> is almost the worst of all countries around the world when
>> it comes to internet access. Though they list a few locations here where you
>> supposedly could use their service, I wouldn't expect anything. Then there's
>> the question of protecting your privacy. For example, how much do they pay you
>> for allowing them to keep track of your travels?
>
> I think you've got the wrong idea about eduroam. John Hodrien was just
> using it as a real world example of WPA2-enterprise in action. It's a
> private network for academic institutions - it allows members of
> Universities around the world to gain access to the wifi at a local
> University they are visiting. It's not a public wifi service.

It isn't really private, either.

> It's a convenience - a very, very convenient convenience. If you don't
> want someone tracking where you are, then don't use it. But TBH if you
> are visiting another university, then in general your location is
> known!

Without wireless, your general location may be known as in "visiting university
X"; with wireless, your location is known as in "is currently in room X of
building Z". That is quite a difference, and in either case, what about your
privacy?

>> In any case, it wouldn't do our customers any good because there aren't places
>> all over the world where they could use our network.
>
> Your customers wouldn't be able to use it anyway

If there were places all over the world where they could use our network, they
could.

>>> A client that can't authenticate gets the network it's provided with by being
>>> unauthenticated. If an unauthenticated client can't have any network access,
>>> that's what they get. Presumably you could drop an unauthenticated machine
>>> into a different VLAN.
>>
>> That would be a problem because clients using PXE-boot require network access,
>> and it wouldn't contribute to security if unauthorized clients were allowed to
>> PXE-boot.
>
> So restrict based on MAC address at the PXE boot stage.

MAC addresses could be faked.

> The PXE protocol, as far as I can see, has no concept of authorisation
> - although it's certainly possible to introduce it after PXE has done
> its bit (but before imaging or whatever).
>
> You may be better off with authenticating the DHCP using RADIUS, but
> it's a complex process which, by its very nature, requires some form of
> non-authenticated network access.

So the solution might have to be not to use PXE-boot anymore. That would be a
pity because it's so convenient.