This is an automated archive.
The original was posted on /r/sysadmin by /u/tinker-rar on 2024-01-22 11:18:42+00:00.
Computer Objects for Entra-joined clients
At work we are facing the following problem.
There hasn't been proper communication between different teams, so the networking team bought NAC software (macmon) to do 802.1X authentication. Macmon relies on AD computer objects to do EAP-TLS auth. Unfortunately, macmon does not support EAP-TLS for user certificates.
This is a problem because the team which manages workstations decided they'll only do Entra join from now on and not hybrid join.
Is there anything we could do to make this work? It has come to my attention that there might be an upcoming feature that may support our scenario, but I couldn't find any announcement from Microsoft.
The only scenarios I see that are possible right now are:
- Go back to on-premises-joined machines only, so they can get a computer cert from our PKI and do EAP-TLS machine auth.
- Ditch macmon and build an NPS RADIUS server which does EAP-TLS authentication without checking AD for a computer object. The certificates would be issued via the Intune Certificate Connector.
Looking forward to hearing your thoughts on this.