SPNEGO unavailability and error handling

Timo Tunturi timo.tunturi at aalto.fi
Tue Oct 1 05:51:46 EDT 2019


On 01/10/2019 11.58, Simon Lundström wrote:
> On Tue, 2019-10-01 at 08:25:54 +0200, Timo Tunturi wrote:
>> Nowadays we run the out-of-the-box SPNEGO from Shib IdP with just an
>> activation condition with a long list of networks of Windows
>> domain-joined devices (Windows, Linux and macOS) automatically updated from
>> our CMDB. The network list also contains machine-authenticated VPN
>> networks. On-site the domain joined devices are thrown into specific
>> networks based on 802.1X device authentication. 
> Oooh, that's nice! No BYOD which uses the VPN and/or eduroam but isn't 
> managed/joined to the AD then I guess?

Managed devices authenticate themselves automagically with a device 
certificate which drops them into a network that is for managed devices.

Users can use BYOD devices and authenticate themselves to the VPN or 
wifi with their personal credentials but that puts them into a BYOD network.

-- Timo Tunturi / Aalto University IT Services

