Re: NetworkManager-0.8.1 and computer authentication



On Fri, 2014-04-04 at 12:07 +0300, Omer Faruk SEN wrote:
 Hello all,

I see that Ubuntu mistakenly does that.
http://ubuntuforums.org/showthread.php?t=2202941 It sends
"host/machine_name" mistakenly; then I see that it is achieved by
NetworkManager, but I am trying to figure out how I can do that on RHEL,
since NetworkManager on RHEL6 uses, in
/etc/NetworkManager/NetworkManager.conf,
[main]
plugins=ifcfg-rh


which uses /etc/sysconfig/network-scripts/ifcfg-* script files.

NetworkManager sends whatever you want it to send, so if you have a
connection profile stored in /etc/sysconfig/network-scripts/, you can
set the username in the ifcfg file with:

IEEE_8021X_IDENTITY="whatever you want"

The password goes into a "keys-<name>" file with the same suffix as the
parent ifcfg-<name> file, so it would be:

IEEE_8021X_PASSWORD="the password you want"

Note that the 'keys' files must have 0600 permissions, so even though the
password is saved there, it is not accessible to users unless that user
has permission to edit system connections through PolicyKit.

There are more examples of ifcfg/keys files at:

http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/settings/plugins/ifcfg-rh/tests/network-scripts

Let us know if you have any more questions!

Dan

Regards.


On Fri, Apr 4, 2014 at 5:53 AM, Michael Butash <michael butash net> wrote:

 Not as far as I have been able to tell, per how windoze handles it.  I
asked this a while back, and the short answer is no.

Working in an enterprise wireless environment, of course windoze does this
(only at boot/logout), macs do this too (somewhat poorly), but there is
nothing analogous in linux directly.  I worked with setting up a
system-level profile (using the "All users may connect to this network"
setting under the profile) for machine certs gotten from M$ Ent CA that
would be used by default, but honestly I couldn't get NM to work right with
the certs and gave up before leaving the company.

I found prior ubuntu 12.04 wouldn't for whatever reason invoke that
profile without login, bumping it up to 13.10 fixed it, so ymmv here too.
In theory, using a general "machine" or system profile should get the
system online, and if doing role derivation ala Clearpass/ISE, should stick
you in a suitable quarantine/restricted access to AD, and then once a user
logs in, would then switch profiles to theirs specifically for full
access.  I never got to see this fully work due to apparent certificate
bugs with NM for eap-tls, but that's another discussion.

I'd love to see this work, we had to do some hacks to get linux users on
wireless, as part of our eap server policy was verifying the asset by
machine auth, or an MDM in its place.  Since linux really doesn't do or
have either, we ended up fudging it in as an MDM-trusted asset for blind
trust and staying with PEAP passwords, but in a 3500 user company with 10
linux users, it was good enough.

Using machine authentication is almost worse anyways, as no client handles
the transition well when role determines vlan access at the controller at a
L2 level, even windoze without specifically coa bouncing the association
hard (dhcp needs a link down/up to readdress).  The whole business was
messy honestly, and just taught me not to rely on machine auth.

It'd be great to see this work still, but maybe something a company like
Likewise/Powerbroker or Centrify can handle, to emulate gpo-ish machine auth
function like that for enterprise desktop linux to transition back and
forth from computer or user credentials, hopefully working better than
either win or mac.

-mb



On 04/03/2014 07:00 AM, Omer Faruk SEN wrote:

  Hello,

 I want to ask how I can use "Computer Authentication" on
NetworkManager-0.8.1. Is this a supported mode? If so, where can I configure
it in the NM GUI?

 I am using RHEL 6.5 and I use NetworkManager-0.8.1-66.el6.x86_64

 I want to state that RHEL 6.5 has joined a Microsoft AD environment. In
the Windows environment we have:



 As far as I see this is not possible on NM on any version but wanted to
check it.

 Regards.




_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list



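Dan's reply above describes the ifcfg-rh layout for an 802.1X profile: the identity goes into ifcfg-<name> as IEEE_8021X_IDENTITY, the password into the matching keys-<name> file as IEEE_8021X_PASSWORD, and the keys file must be mode 0600. The script below is an added example, not code from the thread or from the NetworkManager project: it writes such a profile pair into a directory of your choosing (the real one is /etc/sysconfig/network-scripts; a temporary directory works for a dry run) and provides an audit check that fails when the secret is world-readable or has leaked into the ifcfg file. The profile name, device and identity values are constructed; the keys other than IEEE_8021X_IDENTITY and IEEE_8021X_PASSWORD (KEY_MGMT, IEEE_8021X_EAP_METHODS, IEEE_8021X_INNER_AUTH_METHODS) are assumed from the plugin's general key naming and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): write a system-wide wired 802.1X
# profile the way the ifcfg-rh plugin stores it, keeping the secret out of
# the world-readable ifcfg file and inside a 0600 keys-<name> file.
# Usage: write_8021x_profile DIR NAME DEVICE IDENTITY PASSWORD
# Key names other than IEEE_8021X_IDENTITY / IEEE_8021X_PASSWORD are
# assumptions, not taken from the thread.
set -u

write_8021x_profile() {
  dir=$1 name=$2 dev=$3 identity=$4 password=$5
  ifcfg="$dir/ifcfg-$name"
  keys="$dir/keys-$name"

  # Non-secret settings: the ifcfg file, readable by everyone as usual.
  cat > "$ifcfg" <<EOF
TYPE=Ethernet
DEVICE=$dev
NAME=$name
BOOTPROTO=dhcp
ONBOOT=yes
KEY_MGMT=IEEE8021X
IEEE_8021X_EAP_METHODS=PEAP
IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2
IEEE_8021X_IDENTITY="$identity"
EOF

  # The secret: created under a restrictive umask so a fresh file is never
  # world-readable even briefly, then pinned to 0600 in case the file
  # already existed with wider permissions (redirection keeps old modes).
  # A password containing a double quote would need escaping here.
  ( umask 077 && printf 'IEEE_8021X_PASSWORD="%s"\n' "$password" > "$keys" )
  chmod 0600 "$keys"
}

# Audit: returns 0 when the keys file exists with mode exactly 0600, the
# ifcfg file carries an identity, and the password has not leaked into the
# ifcfg file. Non-zero codes tell you which check failed.
check_8021x_profile() {
  dir=$1 name=$2
  ifcfg="$dir/ifcfg-$name"
  keys="$dir/keys-$name"
  [ -f "$keys" ] || return 1
  # find -perm with a plain octal mode matches that exact mode (POSIX).
  [ -n "$(find "$keys" -prune -perm 0600 -print)" ] || return 2
  if grep -q '^IEEE_8021X_PASSWORD=' "$ifcfg"; then return 3; fi
  grep -q '^IEEE_8021X_IDENTITY=' "$ifcfg" || return 4
  return 0
}

# Read the identity back without its surrounding quotes.
profile_identity() {
  sed -n 's/^IEEE_8021X_IDENTITY="\(.*\)"$/\1/p' "$1/ifcfg-$2"
}

# Dry run in a scratch directory when invoked as: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
  scratch=$(mktemp -d)
  # Constructed sample values; "host/..." mirrors the machine-style
  # identity mentioned in the thread.
  write_8021x_profile "$scratch" lab-dot1x eth0 'host/lab-pc' 'S3cret!'
  if check_8021x_profile "$scratch" lab-dot1x; then
    echo "profile ok, identity: $(profile_identity "$scratch" lab-dot1x)"
  else
    echo "profile check failed with code $?"
  fi
  rm -rf "$scratch"
fi
```

Run the audit function periodically (or from a configuration-management check) against the real directory: a keys file that has drifted to 0644, or a password that someone pasted into the ifcfg file for convenience, is exactly the failure mode Dan's 0600 remark guards against.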



