SPNEGO unavailability and error handling
timo.tunturi at aalto.fi
Tue Oct 1 05:51:46 EDT 2019
On 01/10/2019 11.58, Simon Lundström wrote:
> On Tue, 2019-10-01 at 08:25:54 +0200, Timo Tunturi wrote:
>> Nowadays we run the out-of-the-box SPNEGO from Shib IdP with just an
>> activation condition with a long list of networks of Windows
>> domain-joined devices (Windows, Linux and MacOS) automatically updated from
>> our CMDB. The network list also contains machine-authenticated VPN
>> networks. On-site, the domain-joined devices are thrown into specific
>> networks based on 802.1X device authentication.
> Oooh, that's nice! No BYOD which uses the VPN and/or eduroam but isn't
> managed/joined to the AD then I guess?
Managed devices authenticate themselves automagically with a device
certificate which drops them into a network that is for managed devices.
Users can use BYOD devices and authenticate themselves to the VPN or
wifi with their personal credentials but that puts them into a BYOD network.
-- Timo Tunturi / Aalto University IT Services