Re: NetworkManager-0.8.1 and computerauthentication



 Hello all,

I see that Ubuntu mistakenly do that. http://ubuntuforums.org/showthread.php?t=2202941 Sending "host/machine_name" mistakenly then I see that it is achieved NetworkManager but i am trying to figure out how can i do that on rhel since rhel NetworkManager on RHEL6 uses at /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifcfg-rh


which uses /etc/sysconfig/network-scripts/ifcfg-* script files.

Regards.


On Fri, Apr 4, 2014 at 5:53 AM, Michael Butash <michael butash net> wrote:
Not as far as I have been able to tell per how windoze handles it.  I asked this a while back, and short answer is no.

Working in an enterprise wireless environment, of course windoze does this (only at boot/logout), macs do this too (somewhat poorly), but there is nothing analogous in linux directly.  I worked with setting up a system-level profile (using the "All users may connect to this network" setting under the profile) for machine certs gotten from M$ Ent CA that would be used by default, but honestly I couldn't get NM to work right with the certs and gave up before leaving the company.

I found prior ubuntu 12.04 wouldn't for whatever reason invoke that profile without login, bumping it up to 13.10 fixed it, so ymmv here too.  In theory, using a general "machine" or system profile should get the system online, and if doing role derivation ala Clearpass/ISE, should stick you in a suitable quarantine/restricted access to AD, and then once a user logs in, would then switch profiles to theirs specifically for full access.  I never got to see this fully work due to apparently certificate bugs with NM for eap-tls, but that's another discussion.

I'd love to see this work, we had to do some hacks to get linux users on wireless, as part of our eap server policy was verifying the asset by machine auth, or an MDM in it's place.  Since linux really doesn't do or have either, we ended up fudging it in as an MDM-trusted asset for blind trust and staying with PEAP passwords, but in a 3500 user company with 10 linux users, it was good enough. 

Using machine authentication is almost worse anyways, as no client handles the transition well when role determines vlan access at the controller at a L2 level, even windoze without specifically coa bouncing the association hard (dhcp needs a link down/up to readdress).  The whole business was messy honestly, and just taught me not to rely on machine auth.

It's be great to see this work still, but maybe something a company like Likewise/Powerbroker or Centrify can handle to emulate gpo-ish machine auth function like that for enterprise desktop linux to transition back and forth from computer or user credentials, hopefully working better than either win or mac.

-mb



On 04/03/2014 07:00 AM, Omer Faruk SEN wrote:
Hello,

I want to ask how can i use "Computer Authentication" on NetworkManager-0.8.1. Is this a supported mode? If so where can i configure it on the NM GUI?

I am using RHEL 6.5 and I use NetworkManager-0.8.1-66.el6.x86_64

I want to state that RHEL 6.5 has joined to Microsoft AD environment. On Windows environment we have :



As far as I see this is not possible on NM on any version but wanted to check it.

Regards.




_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]