Machine authentication and dynamic dns for AD


I was curious if the RH or other contributors have investigated adding os-level machine auth support into NM, or proper dynamic dns client support to register with AD. I know it's a bit chicken and egg, considering nm has no identity at boot, but needs to be a handoff from system to user, and possibly depending on coa state, might transition hosts while a user is logged in back to machine auth (posture/ids state says coa/quarantine them).

Dealing with a large enterprise wireless deployment recently with largely win and mac clients, they are sorely missing in networking function in Linux pertaining to "typical" deployment scenarios. I was surprised as lacking as I find mac osx to be, they had to adapt to "enterprise standard" and include ddns and machine auth features as well, though machine auth support seems flawed at best, unreliable at worst. We ended up using Jamf as a mdm component to work around it, but sadly linux has to equivalent there either.

I represent a growing contingent of linux desktop/laptop users in my org, so I'm digging a bit and finding little pertaining to either being supported, implemented, or hacked in. I've never been to concerned as I've either not had enterprise-wide wireless or been consulting not to need it mostly, but in this fte gig I'm finding it a hindrance to adoption.

Another real annoyance I found was storing of my domain pass in the keyfiles for nm plain-text. Insert sad face, gnome keyring/kerberos not suitable for this for peap/mschap functions? I'm migrating to certs, but this comes with its own issues with M$ infrastructure. SCEP function, sadly again like mac, would be a nice consideration at some point for attaining certs.

These are pretty large barriers for linux in the enterprise these days.

Thanks in advance!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]