Richard Grainger wrote:
> On Fri, Feb 23, 2018 at 10:33 AM, hw <hw at gc-24.de> wrote:
>
>> That would be a problem because clients using PXE-boot require network
>> access, and it wouldn't contribute to security if unauthorized clients
>> were allowed to PXE-boot.
>
> Two solutions to this:
>
> 1. Enable "exception by MAC address": only known MAC addresses get put
> onto the PXE boot VLAN. Other unauthenticated client goes onto a "no
> access" VLAN (many places make this the same VLAN as the guest WiFi
> VLAN with internet access only, sometimes with a captive portal).
> Authenticated clients go onto the corporate VLAN.
> 2. (this can be in addition or instead of 1). The PXE server itself
> will only serve known MAC addresses and/or requires a token/password
> to initiate the install. Regardless, there's not huge utility to
> installing your personal machine with a corporate build from a PXE
> server, which you then can't use because you don't have corporate
> credentials, but I suppose it may have some risk with regards to
> software licensing or builds containing other stuff you don't want
> strangers to access, so lockdowns can't hurt.
But MAC addresses can be faked, can't they?
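As an added illustration of option 2 in the quoted reply (this is not configuration from either poster), a dnsmasq fragment that only answers and hands a PXE boot file to MAC addresses it has been told about; the subnet, MAC addresses and file names are placeholders. As the follow-up question points out, a MAC address is not a credential, so this limits who gets served rather than authenticating the client.

```conf
# Added example, not from the thread: dnsmasq as DHCP/TFTP server on the
# PXE VLAN, serving a boot file only to listed MAC addresses.
# 192.0.2.0/24, the MACs and pxelinux.0 are placeholders.

# Address pool for the PXE VLAN (placeholder subnet).
dhcp-range=192.0.2.100,192.0.2.200,12h

# Serve boot files over TFTP from this directory.
enable-tftp
tftp-root=/srv/tftp

# Known build clients. dnsmasq sets the built-in tag "known" for every
# client matching a dhcp-host line; "set:" adds our own tag as well.
# Placeholder MAC addresses.
dhcp-host=00:11:22:33:44:55,set:pxe-ok
dhcp-host=00:11:22:33:44:66,set:pxe-ok

# Offer the boot file only to clients carrying the pxe-ok tag.
dhcp-boot=tag:pxe-ok,pxelinux.0

# Do not answer DHCP requests from clients that are not listed at all.
dhcp-ignore=tag:!known

# Log every DHCP transaction so requests from unlisted or unexpected
# MAC addresses show up in syslog for review.
log-dhcp
```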