Threaded Mode | Linear Mode

sebastian · (This post was last modified: 2014-09-04 05:02 by sebastian.)

I dont Think thats is needed. Just configure your server to send a 401 everytime Authorization field is BLANK. Then you configure your PXE server to Always authenticate using some arbitary details (like username = guest, password = guest)

So when iPXE is loaded for first time, it will be asked to load like http://guest:guest@server.com/menu.php
This will result in iPXE firing off a blank GET request for menu.php which will be replied with a 401.
Then iPXE will authenticate using guest:guest. menu.php will then reply with the "Please login yourself" menu.
User authenticates.
iPXE will now fire off a second blank request, which iPXE will get a 401 for.
Then iPXE will fire off the request containing the auth from the user (let say username = admin, password = rootroot)

If auth is incorrect, your menu.php simply returns "Your username/password is incorrect" and a new login menu.
If auth is correct, your menu.php simply returns the admin menu or a chaining to a protected iSCSI resource or what you want to do.

Also, dont use menu.c32 and menu.php to select between unauthenticated and authenticated requests.
Instead, use only a "chain" to menu.php, and let menu.php return the content of menu.c32 when user are unauthenticated.

I Think this mandatory 401 is intentional to make sure to select correctly between basic auth and digest auth. To correctly select between these, you need to Query the server for the WWW-Authenticate header to know what the server request, like a browser does.