Pete Biggs wrote:
>
>> MAC addresses could be faked.
>>
>>> The PXE protocol, as far as I can see, has no concept of authorisation
>>> - although it's certainly possible to introduce it after PXE has done
>>> its bit (but before imaging or whatever).
>>>
>>> You may be better off with authenticating the DHCP using RADIUS, but
>>> it's a complex process which, by its very nature, requires some form of
>>> non-authenticated network access.
>>
>> So the solution might have to be not to use PXE-boot anymore. That would
>> be a pity because it's so convenient.
>>
>
> PXE booting is nothing to do with installing or imaging machines. That
> process is done *after* PXE booting. All the PXE does is to tell the
> ethernet chip where to retrieve the PXE information from and what to
> retrieve, which is then downloaded by TFTP.

I know, and it's still convenient.

> A prerequisite for PXE is DHCP - by the time your device does anything
> with PXE it's already accessed the network and got an IP address and so
> on. There is absolutely no way to prohibit access to your network
> without first allowing the device some access to your network in order
> to authenticate. The normal way around this is to use VLANs to
> segregate "dirty" unauthenticated machines - once it's authenticated it
> is moved onto a different VLAN and a new DHCP request initiated.

Suddenly moving the client to a different VLAN would have the same effect as
unplugging the network cable: it would freeze until the connection is restored.
Otherwise, the server would have to be reachable via several VLANs, which would
make it pointless to use these VLANs.

> There's lots of information on this on the net - Google for something
> like 'PXE RADIUS' or 'PXE 802.1x' (hint: everyone uses VLANs).

Ok.
>
> > A prerequisite for PXE is DHCP - by the time your device does anything
> > with PXE it's already accessed the network and got an IP address and so
> > on. There is absolutely no way to prohibit access to your network
> > without first allowing the device some access to your network in order
> > to authenticate. The normal way around this is to use VLANs to
> > segregate "dirty" unauthenticated machines - once it's authenticated it
> > is moved onto a different VLAN and a new DHCP request initiated.
>
> Suddenly moving the client to a different VLAN would have the same effect as
> unplugging the network cable: it would freeze until the connection is restored.
> Otherwise, the server would have to be reachable via several VLANs, which would
> make it pointless to use these VLANs.

It depends on at which point you switch VLANs. If you use authenticated
DHCP then the process is to get an IP address on a dirty VLAN,
authenticate, switch VLAN, get a new IP address, boot to PXE. There
are extensions in the DHCP protocol to accommodate this.

It's also possible that the PXE environment can deal with the
authentication - PXE runs solely on the local machine, so it doesn't
care about VLANs changing so long as when it wants to do something it
has a valid IP address for the VLAN it is assigned to.

And at this point, I think this is no longer CentOS related. If you
can't find out what you need on the net, you need to hire a network
consultant to deal with it. Asking a zillion random questions on a
mailing list just because you can't find or understand the information
elsewhere and fighting against the answers you are given is not very
productive for anyone.

P.
Pete Biggs wrote:
>
>>
>>> A prerequisite for PXE is DHCP - by the time your device does anything
>>> with PXE it's already accessed the network and got an IP address and so
>>> on. There is absolutely no way to prohibit access to your network
>>> without first allowing the device some access to your network in order
>>> to authenticate. The normal way around this is to use VLANs to
>>> segregate "dirty" unauthenticated machines - once it's authenticated it
>>> is moved onto a different VLAN and a new DHCP request initiated.
>>
>> Suddenly moving the client to a different VLAN would have the same effect as
>> unplugging the network cable: it would freeze until the connection is restored.
>> Otherwise, the server would have to be reachable via several VLANs, which would
>> make it pointless to use these VLANs.
>
> It depends on at which point you switch VLANs. If you use authenticated
> DHCP then the process is to get an IP address on a dirty VLAN,
> authenticate, switch VLAN, get a new IP address, boot to PXE. There
> are extensions in the DHCP protocol to accommodate this.

Like using MAC addresses?

> It's also possible that the PXE environment can deal with the
> authentication - PXE runs solely on the local machine, so it doesn't
> care about VLANs changing so long as when it wants to do something it
> has a valid IP address for the VLAN it is assigned to.
>
> And at this point, I think this is no longer CentOS related. If you
> can't find out what you need on the net, you need to hire a network
> consultant to deal with it. Asking a zillion random questions on a
> mailing list just because you can't find or understand the information
> elsewhere and fighting against the answers you are given is not very
> productive for anyone.

This hasn't been CentOS related to begin with, and I didn't ask for a discussion but only for a pointer to documentation. My questions are not random, and perhaps the mailing list should better be closed so no one can ask anything.