CentOS - Mar 2018 - RADIUS

Stephen John Smoogen wrote:
> On 1 March 2018 at 08:42, hw <hw at gc-24.de> wrote:
> 
>>
>> I didn?t say I want that, and I don?t know yet what I want.  A captive
>> portal may
>> be nice, but I haven?t found a way to set one up yet, and I don?t have
an
>> access
>> point controller which would provide one, so I can?t tell if that?s the
>> right
>> solution.
>>
> 
> This is the problem with this entire thread in a nutshell. You don't
> know what you want but what you have articulated at various points is
> that you do know what you want. You then state something that won't
> work because of some factor or another. People then correct you on
> that, and you then get hostile because you were just thinking out loud
> but no one knew that. Thinking out loud works ok in real life because
> we give special queues like looking abstractly or being able to say
> "Oh no I am just thinking out loud" right away. Instead in email
none
> of that happens and people get more and more hostile and angry
> thinking the other side is trying to make them do completely opposite.
> 
> Let us try starting over. You may have answered these in other places,
> but people need to see them in one place at one time versus trying to
> look through cache of other emails.
> 
> What do you want?
I was asking for documentation telling me how RADIUS can be used, not only
that it can be used.
> What are your constraints? [AKA what have you been told to do.]
The task is to provide wireless coverage for employees and customers on
company premises.  It is desirable to be able to keep track of customers,
as in knowing where exactly on the premises they currently are (within
like 3--5 feet, which is apparently tough), and simpler things like knowing
how long they stay and if they have been on the premises before.  To avoid
legal issues, it is probably advisable that customers need to agree to
some sort of terms of usage.

It is desirable to be able to know where employees currently are, though
it doesn?t neeed to be as precise.
> When do you need it?
There?s no given time frame; it?s as soon as possible and preferably
this year.

It is necessary to (re-)do the entire network infrastructure before wireless
coverage can be achieved, one of the reasons being that it is currently
impossible to use VLANs all over the place.
> What is the environment that it is to run in?
a shopping area

Some of the wireless access points may need to take part in what is
apparently called a mesh to be able to supply remote parts of the premises.
> What research have you done (with references)?
I searched for documenation about how to actually use RADIUS and didn?t
find any.  I?ve asked for pointers to such documentation here.
I?ve read the RADUIS admin guide.  I?ve done a test setup by installing
RADIUS and configuring a switch to use it to authenticate users logging
into the switch via ssh and found it works fine.  I have set up a couple
access points in a test setup which currently provide wireless access for
employees and wireless internet access for customers around some points
of the premises.  I found out what a captive portal is.
> Then people will have a better ability to answer:
> What have others done to meet those needs?
> How have they implemented it?
> 
> Then ask
> What other things do you need for me to help?
> 
> People can then ask questions about things you didn't fully explain.
> This is helpful because going from the previous emails your phrasing
> made it sound like you needed unknown people to not be able to get
> onto the network until they were authenticated, but authentication
> requires them to be on a network, but you can't allow them to be on
> any network until they are authenticated. That may not be what you
> mean (on the other hand, I have had that conundrum given to me at a
> job and we had to spend 3 months convincing the boss(es) that was
> impossible with the tools we had (and probably impossible without)).
That is what using RADIUS apparently leads to when you have devices using
PXE boot.  Maybe they need to be considered as a security risk and be
replaced.

Unauthenticated people are easier to handle because people can provide
credentials for authentication without PXE booting them first and do not
access the network without a device (unless they mess with the very network
hardware, using cables to create loops or accidentially cutting them or
unplugging them or whatever --- people do all kinds of things, with
authentication and without ...).

Devices with network access are much more dangerous than unauthenticated
people because such devices could be used by such people to also gain network
access, or they could try to have bad effects on the network.

So everthing is dangerous, authenticated or not.

On 1 March 2018 at 12:26, hw <hw at gc-24.de>
wrote:
> Stephen John Smoogen wrote:
>>
>> On 1 March 2018 at 08:42, hw <hw at gc-24.de> wrote:
>>
>>>
>>> I didn?t say I want that, and I don?t know yet what I want.  A
captive
>>> portal may
>>> be nice, but I haven?t found a way to set one up yet, and I don?t
have an
>>> access
>>> point controller which would provide one, so I can?t tell if that?s
the
>>> right
>>> solution.
>>>
>>
>> This is the problem with this entire thread in a nutshell. You
don't
>> know what you want but what you have articulated at various points is
>> that you do know what you want. You then state something that won't
>> work because of some factor or another. People then correct you on
>> that, and you then get hostile because you were just thinking out loud
>> but no one knew that. Thinking out loud works ok in real life because
>> we give special queues like looking abstractly or being able to say
>> "Oh no I am just thinking out loud" right away. Instead in
email none
>> of that happens and people get more and more hostile and angry
>> thinking the other side is trying to make them do completely opposite.
>>
>> Let us try starting over. You may have answered these in other places,
>> but people need to see them in one place at one time versus trying to
>> look through cache of other emails.
>>
>> What do you want?
>
>
> I was asking for documentation telling me how RADIUS can be used, not only
> that it can be used.
>
>> What are your constraints? [AKA what have you been told to do.]
>
>
> The task is to provide wireless coverage for employees and customers on
> company premises.  It is desirable to be able to keep track of customers,
> as in knowing where exactly on the premises they currently are (within
> like 3--5 feet, which is apparently tough), and simpler things like knowing
> how long they stay and if they have been on the premises before.  To avoid
> legal issues, it is probably advisable that customers need to agree to
> some sort of terms of usage.
>
Oh yeah. Who ever gave you those marching orders needs to talk with
all kinds of lawyers... even researching for it might be problematic
in some countries due to a multitude of laws. You are walking out of
setting up a wireless environment into full-scale surveillance.

That said, what you are looking for is not going to be accomplished
with simple radius without a large amount of development. It is also
going to need a lot of wireless sensors running at different
frequencies through out the building. Most of that is done usually
with special commercial hardware/software and falls outside of scope
of this list by a mile.

RADIUS may be something that is done with all of this but only far way
back in the chain of tools needed. It might be something that the
specialized hardware, scanners, sensors, etc might tie into if they
don't have their own specialized tool. Worrying about it before those
are researched, etc is to use an English idiom: putting the cart
before the horse.
> It is desirable to be able to know where employees currently are, though
> it doesn?t neeed to be as precise.
>
>> When do you need it?
>
>
> There?s no given time frame; it?s as soon as possible and preferably
> this year.
>
> It is necessary to (re-)do the entire network infrastructure before
wireless
> coverage can be achieved, one of the reasons being that it is currently
> impossible to use VLANs all over the place.
>
>> What is the environment that it is to run in?
>
>
> a shopping area
>
> Some of the wireless access points may need to take part in what is
> apparently called a mesh to be able to supply remote parts of the premises.
>
>> What research have you done (with references)?
>
>
> I searched for documenation about how to actually use RADIUS and didn?t
> find any.  I?ve asked for pointers to such documentation here.
> I?ve read the RADUIS admin guide.  I?ve done a test setup by installing
> RADIUS and configuring a switch to use it to authenticate users logging
> into the switch via ssh and found it works fine.  I have set up a couple
> access points in a test setup which currently provide wireless access for
> employees and wireless internet access for customers around some points
> of the premises.  I found out what a captive portal is.
>
>> Then people will have a better ability to answer:
>> What have others done to meet those needs?
>> How have they implemented it?
>>
>> Then ask
>> What other things do you need for me to help?
>>
>> People can then ask questions about things you didn't fully
explain.
>> This is helpful because going from the previous emails your phrasing
>> made it sound like you needed unknown people to not be able to get
>> onto the network until they were authenticated, but authentication
>> requires them to be on a network, but you can't allow them to be on
>> any network until they are authenticated. That may not be what you
>> mean (on the other hand, I have had that conundrum given to me at a
>> job and we had to spend 3 months convincing the boss(es) that was
>> impossible with the tools we had (and probably impossible without)).
>
>
> That is what using RADIUS apparently leads to when you have devices using
> PXE boot.  Maybe they need to be considered as a security risk and be
> replaced.
>
OK I think this is where we are also getting confusion. PXE booting is
a multistep process to get a hardware device onto the network and
running a provided kernel. It is also something which usually only
works on wireless in controlled situations (aka magic).

So people aren't sure why you are wanting to PXE boot something a
customer would carry (aka a cell phone/tablet) since that does not PXE
boot at all. You might be meaning DHCP instead but maybe you are
meaning something else.

So the normal tools are to set up different LANs for different access.
On wired or wireless this is usually done with a dedicated network
which only devices which a) have a proven mac, b) use WPA-Enterprise
with radius to log in. For untrusted devices that might be looking for
any open lan, you have an open net which has a captive portal which
can 'kick' certain devices to a semi-trusted lan. [This is device
dependent so don't expect it to work for everyone.] Then you have a
semi-trusted lan which may have a guest password. It is still a
captive portal so that people on it are only able to get out after
they provided a second allowed password. The captive portals may be
backed by Radius, but it will depend on what software they are using.

[The above comes from doing this a decade ago.. things have changed so
please follow any new guidance/books on commercial wireless design.]
> Unauthenticated people are easier to handle because people can provide
> credentials for authentication without PXE booting them first and do not
> access the network without a device (unless they mess with the very network
> hardware, using cables to create loops or accidentially cutting them or
> unplugging them or whatever --- people do all kinds of things, with
> authentication and without ...).
>
> Devices with network access are much more dangerous than unauthenticated
> people because such devices could be used by such people to also gain
> network
> access, or they could try to have bad effects on the network.
>
> So everthing is dangerous, authenticated or not.
>
Everything is always dangerous :). It is good to recognize that
because a lot of times people just assume there is a magical
non-dangerous way and then spend all their time trying to find it. The
best we can do is find how to respond to the danger.



-- 
Stephen J Smoogen.

> > What do you want?
> 
> I was asking for documentation telling me how RADIUS can be used, not only
> that it can be used.
RADIUS is just an authentication (plus a bit more) protocol - what you
are asking is like asking how LDAP can be used. Usually it's treated
like a magic black box by applications in that one of the configuration
options is to "use a RADIUS server" and then you just configure the
necessary information in the client so it talks to the correct box. The
reason RADIUS is used rather than some other authentication protocol is
that it is designed to be used in a network authentication role.

Rather than focussing on the RADIUS aspect, you would probably be
better looking at the configuration and technology around how you want
the network to operate. The way the RADIUS server is used will be
obvious once you've sorted that out.
> 
> > What are your constraints? [AKA what have you been told to do.]
> 
> The task is to provide wireless coverage for employees and customers on
> company premises.  It is desirable to be able to keep track of customers,
> as in knowing where exactly on the premises they currently are (within
> like 3--5 feet, which is apparently tough),
Tough? I would say basically impossible. The only way of getting that
sort of accuracy is to either have lots of pico cells so you know which
AP a device is connected to, or be able to triangulate. WiFi has a
reasonable range and devices like to hang on to an AP for as long as
possible, even if they can pass off on to a closer more powerful one.

I know retailers are looking at targeting customers via their location,
but I think that currently needs the co-operation of the customer's
device via a downloaded app.
>  and simpler things like knowing
> how long they stay and if they have been on the premises before.
I can see now why you wanted to stop customers/employees from using
their 4G connection.
> 
> That is what using RADIUS apparently leads to when you have devices using
> PXE boot.  Maybe they need to be considered as a security risk and be
> replaced.
You mentioned X2Go and that your PXE booting clients used it. I know
X2Go and the client is a standalone app that uses ssh to login to the
server to initiate a remote desktop type environment.  There's nothing
in X2Go per se that requires a persistent network connection before
they connect. So, am I right in assuming that your PXE clients are
actually diskless machines that get all of their environment from the
network? 

P.

On 3/1/18 10:02 AM, Pete Biggs wrote:
>>> What are your constraints? [AKA what have you been told to do.]
>> The task is to provide wireless coverage for employees and customers on
>> company premises.  It is desirable to be able to keep track of
customers,
>> as in knowing where exactly on the premises they currently are (within
>> like 3--5 feet, which is apparently tough),
> Tough? I would say basically impossible. The only way of getting that
> sort of accuracy is to either have lots of pico cells so you know which
> AP a device is connected to, or be able to triangulate. WiFi has a
> reasonable range and devices like to hang on to an AP for as long as
> possible, even if they can pass off on to a closer more powerful one.
>
> I know retailers are looking at targeting customers via their location,
> but I think that currently needs the co-operation of the customer's
> device via a downloaded app.
There ARE companies that specialize in this type of thing.? It's really 
NOT a quicky-homebrew thing... Especially if one is staring with "tell 
me how to use <blank> AAA protocol".
>>   and simpler things like knowing
>> how long they stay and if they have been on the premises before.
> I can see now why you wanted to stop customers/employees from using
> their 4G connection.
One thing to keep in mind if this is in the US... Blocking cellular 
bands (and publicly accessible radio in general) is grossly illegal and 
a serious felony.
Marriott corporation tried it with WiFi and got smacked with a VERY 
large fine and I heard that some of the licensed radio engineers 
involved were also personally fined... They should have known better.

The commonly used technique is Bluetooth beacons... But the victims (er 
customers) HAVE to co operate.
>> That is what using RADIUS apparently leads to when you have devices
using
>> PXE boot.  Maybe they need to be considered as a security risk and be
>> replaced.
> You mentioned X2Go and that your PXE booting clients used it. I know
> X2Go and the client is a standalone app that uses ssh to login to the
> server to initiate a remote desktop type environment.  There's nothing
> in X2Go per se that requires a persistent network connection before
> they connect. So, am I right in assuming that your PXE clients are
> actually diskless machines that get all of their environment from the
> network?
>
> P.

Once upon a time, hw <hw at gc-24.de> said:
> The task is to provide wireless coverage for employees and customers on
> company premises.  It is desirable to be able to keep track of customers,
> as in knowing where exactly on the premises they currently are (within
> like 3--5 feet, which is apparently tough), and simpler things like knowing
> how long they stay and if they have been on the premises before.  To avoid
> legal issues, it is probably advisable that customers need to agree to
> some sort of terms of usage.
What you are talking about requires very specialized wifi setups, which
AFAIK no freely-available tools implement.  You need to be talking to
enterprise wifi hardware vendors to get that kind of thing.

RADIUS is an AAA (Authentication, Authorization, and Accounting)
protocol.  It might be one small tool used in authorization, like
letting employees on the network, but that would be up to the wifi
vendor's controller system (some can use RADIUS, some can use AD, some
use their own systems, etc.).

-- 
Chris Adams <linux at cmadams.net>

On 03/01/2018 09:26 AM, hw wrote:
> I was asking for documentation telling me how RADIUS can be used, not 
> only
> that it can be used.
RADIUS is a backend component of 802.1x and WPA2 Enterprise.? You appear 
to be looking for information on how to use those two.? If you look for 
documentation on those, you should be able to find what you're looking for.
> The task is to provide wireless coverage for employees and customers on
> company premises.? It is desirable to be able to keep track of customers,
> as in knowing where exactly on the premises they currently are (within
> like 3--5 feet, which is apparently tough), and simpler things like 
> knowing
> how long they stay and if they have been on the premises before.
You probably want to capture the WAP logs.? Their location will be best 
correlated with the specific WAP they connect to, assuming you have 
multiple.? The client MAC address will be your best indication of 
whether or not they've been there before.

Stephen John Smoogen wrote:
> On 1 March 2018 at 12:26, hw <hw at gc-24.de> wrote:
>> Stephen John Smoogen wrote:
>>>
>>> On 1 March 2018 at 08:42, hw <hw at gc-24.de> wrote:
>>>
>>>>
>>>> I didn?t say I want that, and I don?t know yet what I want.  A
captive
>>>> portal may
>>>> be nice, but I haven?t found a way to set one up yet, and I
don?t have an
>>>> access
>>>> point controller which would provide one, so I can?t tell if
that?s the
>>>> right
>>>> solution.
>>>>
>>>
>>> This is the problem with this entire thread in a nutshell. You
don't
>>> know what you want but what you have articulated at various points
is
>>> that you do know what you want. You then state something that
won't
>>> work because of some factor or another. People then correct you on
>>> that, and you then get hostile because you were just thinking out
loud
>>> but no one knew that. Thinking out loud works ok in real life
because
>>> we give special queues like looking abstractly or being able to say
>>> "Oh no I am just thinking out loud" right away. Instead
in email none
>>> of that happens and people get more and more hostile and angry
>>> thinking the other side is trying to make them do completely
opposite.
>>>
>>> Let us try starting over. You may have answered these in other
places,
>>> but people need to see them in one place at one time versus trying
to
>>> look through cache of other emails.
>>>
>>> What do you want?
>>
>>
>> I was asking for documentation telling me how RADIUS can be used, not
only
>> that it can be used.
>>
>>> What are your constraints? [AKA what have you been told to do.]
>>
>>
>> The task is to provide wireless coverage for employees and customers on
>> company premises.  It is desirable to be able to keep track of
customers,
>> as in knowing where exactly on the premises they currently are (within
>> like 3--5 feet, which is apparently tough), and simpler things like
knowing
>> how long they stay and if they have been on the premises before.  To
avoid
>> legal issues, it is probably advisable that customers need to agree to
>> some sort of terms of usage.
>>
> 
> Oh yeah. Who ever gave you those marching orders needs to talk with
> all kinds of lawyers... even researching for it might be problematic
> in some countries due to a multitude of laws. You are walking out of
> setting up a wireless environment into full-scale surveillance.
That?s not my problem to solve, but think about it:  You can get a lot more
information using CCTV cameras, and those are everywhere.  Unfortunately,
nobody cares, and it?s not like you have a choice.  So why would there
be any legal issues?
> That said, what you are looking for is not going to be accomplished
> with simple radius without a large amount of development. It is also
> going to need a lot of wireless sensors running at different
> frequencies through out the building. Most of that is done usually
> with special commercial hardware/software and falls outside of scope
> of this list by a mile.
RADIUS would only be a tool to use for authentication and perhaps accounting.
Figuring out where users are is an entirely different problem.
> RADIUS may be something that is done with all of this but only far way
> back in the chain of tools needed. It might be something that the
> specialized hardware, scanners, sensors, etc might tie into if they
> don't have their own specialized tool. Worrying about it before those
> are researched, etc is to use an English idiom: putting the cart
> before the horse.
I?m surprised that wireless access point controllers, by default, do not
use the strength of the signal received from a device by three or more access
points to simply triangulate the position of the device.  Of course, you
only get the positions of devices relative to access points, but once you
have that, you only need to use a map of the place that shows all the access
points and the positions of devices relative to them to figure out where
everyone is.

That?s a rather simple thing to do, isn?t it?  Some documentation of HPs MSRs
stated that the controller can distribute the wireless devices between access
points to even out the bandwidth, and if it can do that, it could as well
distribute them for triangulation.
>> It is desirable to be able to know where employees currently are,
though
>> it doesn?t neeed to be as precise.
>>
>>> When do you need it?
>>
>>
>> There?s no given time frame; it?s as soon as possible and preferably
>> this year.
>>
>> It is necessary to (re-)do the entire network infrastructure before
wireless
>> coverage can be achieved, one of the reasons being that it is currently
>> impossible to use VLANs all over the place.
>>
>>> What is the environment that it is to run in?
>>
>>
>> a shopping area
>>
>> Some of the wireless access points may need to take part in what is
>> apparently called a mesh to be able to supply remote parts of the
premises.
>>
>>> What research have you done (with references)?
>>
>>
>> I searched for documenation about how to actually use RADIUS and didn?t
>> find any.  I?ve asked for pointers to such documentation here.
>> I?ve read the RADUIS admin guide.  I?ve done a test setup by installing
>> RADIUS and configuring a switch to use it to authenticate users logging
>> into the switch via ssh and found it works fine.  I have set up a
couple
>> access points in a test setup which currently provide wireless access
for
>> employees and wireless internet access for customers around some points
>> of the premises.  I found out what a captive portal is.
>>
>>> Then people will have a better ability to answer:
>>> What have others done to meet those needs?
>>> How have they implemented it?
>>>
>>> Then ask
>>> What other things do you need for me to help?
>>>
>>> People can then ask questions about things you didn't fully
explain.
>>> This is helpful because going from the previous emails your
phrasing
>>> made it sound like you needed unknown people to not be able to get
>>> onto the network until they were authenticated, but authentication
>>> requires them to be on a network, but you can't allow them to
be on
>>> any network until they are authenticated. That may not be what you
>>> mean (on the other hand, I have had that conundrum given to me at a
>>> job and we had to spend 3 months convincing the boss(es) that was
>>> impossible with the tools we had (and probably impossible
without)).
>>
>>
>> That is what using RADIUS apparently leads to when you have devices
using
>> PXE boot.  Maybe they need to be considered as a security risk and be
>> replaced.
>>
> 
> OK I think this is where we are also getting confusion. PXE booting is
> a multistep process to get a hardware device onto the network and
> running a provided kernel. It is also something which usually only
> works on wireless in controlled situations (aka magic).
Oh I never thought of using it for wireless devices.
> So people aren't sure why you are wanting to PXE boot something a
> customer would carry (aka a cell phone/tablet) since that does not PXE
> boot at all. You might be meaning DHCP instead but maybe you are
> meaning something else.
When there?s a RADIUS server on the network, not only wireless devices
could/should use it.
> So the normal tools are to set up different LANs for different access.
> On wired or wireless this is usually done with a dedicated network
> which only devices which a) have a proven mac, b) use WPA-Enterprise
> with radius to log in. For untrusted devices that might be looking for
> any open lan, you have an open net which has a captive portal which
> can 'kick' certain devices to a semi-trusted lan. [This is device
> dependent so don't expect it to work for everyone.] Then you have a
> semi-trusted lan which may have a guest password. It is still a
> captive portal so that people on it are only able to get out after
> they provided a second allowed password. The captive portals may be
> backed by Radius, but it will depend on what software they are using.
> 
> [The above comes from doing this a decade ago.. things have changed so
> please follow any new guidance/books on commercial wireless design.]
Well, I don?t want to trust MAC addresses because they can be faked.
>> Unauthenticated people are easier to handle because people can provide
>> credentials for authentication without PXE booting them first and do
not
>> access the network without a device (unless they mess with the very
network
>> hardware, using cables to create loops or accidentially cutting them or
>> unplugging them or whatever --- people do all kinds of things, with
>> authentication and without ...).
>>
>> Devices with network access are much more dangerous than
unauthenticated
>> people because such devices could be used by such people to also gain
>> network
>> access, or they could try to have bad effects on the network.
>>
>> So everthing is dangerous, authenticated or not.
>>
> 
> Everything is always dangerous :). It is good to recognize that
> because a lot of times people just assume there is a magical
> non-dangerous way and then spend all their time trying to find it. The
> best we can do is find how to respond to the danger.
hm

Is sleeping dangerous?

Pete Biggs wrote:
> 
>>> What do you want?
>>
>> I was asking for documentation telling me how RADIUS can be used, not
only
>> that it can be used.
> 
> RADIUS is just an authentication (plus a bit more) protocol - what you
> are asking is like asking how LDAP can be used. Usually it's treated
> like a magic black box by applications in that one of the configuration
> options is to "use a RADIUS server" and then you just configure
the
> necessary information in the client so it talks to the correct box. The
> reason RADIUS is used rather than some other authentication protocol is
> that it is designed to be used in a network authentication role.
> 
> Rather than focussing on the RADIUS aspect, you would probably be
> better looking at the configuration and technology around how you want
> the network to operate. The way the RADIUS server is used will be
> obvious once you've sorted that out.
When I figure out how the network is supposed to operate, RADIUS might not
be needed, and useful functionality it could provide would not exist because
I couldn?t figure it in for I didn?t know any better.  I?d be doing a bad
job.

>>> What are your constraints? [AKA what have you been told to do.]
>>
>> The task is to provide wireless coverage for employees and customers on
>> company premises.  It is desirable to be able to keep track of
customers,
>> as in knowing where exactly on the premises they currently are (within
>> like 3--5 feet, which is apparently tough),
> 
> Tough? I would say basically impossible. The only way of getting that
Apparently Cisco can do it:

https://www.cisco.com/c/en/us/products/collateral/wireless/wireless-location-appliance/product_data_sheet0900aecd80293728.html
> sort of accuracy is to either have lots of pico cells so you know which
> AP a device is connected to, or be able to triangulate. WiFi has a
> reasonable range and devices like to hang on to an AP for as long as
> possible, even if they can pass off on to a closer more powerful one.
> 
> I know retailers are looking at targeting customers via their location,
> but I think that currently needs the co-operation of the customer's
> device via a downloaded app.
> 
>>   and simpler things like knowing
>> how long they stay and if they have been on the premises before.
> 
> I can see now why you wanted to stop customers/employees from using
> their 4G connection.
There is no point in offering wireless to customers when they aren?t
going to use it.
>> That is what using RADIUS apparently leads to when you have devices
using
>> PXE boot.  Maybe they need to be considered as a security risk and be
>> replaced.
> 
> You mentioned X2Go and that your PXE booting clients used it. I know
> X2Go and the client is a standalone app that uses ssh to login to the
> server to initiate a remote desktop type environment.  There's nothing
> in X2Go per se that requires a persistent network connection before
> they connect. So, am I right in assuming that your PXE clients are
> actually diskless machines that get all of their environment from the
> network?
They are, and they boot to where a user needs to enter a username and a
password to log in.  Perhaps that can be changed, but I?m glad that it
works as well as it does and am not inclined to touch it.  It seems rather
fragile, the documentation isn?t too great and you are left to your magic
guesswork about how it might work.

There are things that bother me like that you can not set a screen resolution
based on the user that logs in, and I had to set it to a fixed resolution for
all clients.  Replacing these devices rather than messing with them would have
some advantages --- and disadvantages.

Gordon Messmer wrote:
> On 03/01/2018 09:26 AM, hw wrote:
>> I was asking for documentation telling me how RADIUS can be used, not
only
>> that it can be used.
> 
> RADIUS is a backend component of 802.1x and WPA2 Enterprise.? You appear to
be looking for information on how to use those two.? If you look for
documentation on those, you should be able to find what you're looking for.
ok
>> The task is to provide wireless coverage for employees and customers on
>> company premises.? It is desirable to be able to keep track of
customers,
>> as in knowing where exactly on the premises they currently are (within
>> like 3--5 feet, which is apparently tough), and simpler things like
knowing
>> how long they stay and if they have been on the premises before.
> 
> You probably want to capture the WAP logs.? Their location will be best
correlated with the specific WAP they connect to, assuming you have multiple.?
The client MAC address will be your best indication of whether or not
they've been there before.
The location of customers would remain a problem because they could be
anywhere within a radius of about 100m around an access point they are
connected to.

Employees could use a program on their phones to help locating them, but
I have no idea how to program a phone.  It?s not like you could find
good documentation about that ...