On 10/13/10 3:59 PM, Shawn A. Geddis wrote:
Organizations apply policy such as requiring smart cards by managing their AD. This is not something that they would do at the client side. What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client-side middleware such as your ADmitMac for CAC).
The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards. Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.
Shawn

I could definitely see a use case for smartcard only at console to require two-factor authentication for a client box. I see a different use case for requiring only a smartcard ever for that account. I could certainly see a different use depending on what type of data the client processes and whether it is a mobile workstation or a smartphone. On or off for the user account only is not sufficient.

--
***************************************************************
Ron Colvin CISSP, CEH
Enterprise Integration Engineer, Security Analyst
Code 700 DCSE Code 100 & 110
NASA - Goddard Space Flight Center
<ron.colvin@nasa.gov>
Direct phone 301-286-2451
NASA Jabber (rdcolvin@im.nasa.gov)
AIM rcolvin13
NASA LCS (ronald.d.colvin@nasa.gov)
****************************************************************