https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864696#M472639 Isn't there a pre-auth ACL to work for all computers?<BR />What about machine certs?<BR /> Wed, 29 May 2019 19:28:54 GMT Jason Kunst 2019-05-29T19:28:54Z https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3863410#M472636 <P>When a computer is sitting at the login screen, user authentication will not work and the machine will be kicked off the network without having a failback for machine pre-auth</P><P>&nbsp;</P><P>We currently have a policy that has a condition for "Domain Computers" and gives them access to the corporate VN as well as a dACL for limited access to DNS, DHCP and AD.</P><P>&nbsp;</P><P>This seems to work great for Windows machines, but our major problem right now is with Apple Mac computers.</P><P>Even though they are bound to AD, the Mac computers do not advertise themselves and being members of “Domain Computers” so this machine authentication policy does not work.</P><P>&nbsp;</P><P>Does anyone have a recommendation for setting up a similar machine authentication policy for Mac computers so they do not get kicked off the network when sitting at the login window?</P><P>&nbsp;</P><P>Possible solutions that I would like to avoid:</P><UL><LI>Giving pre-auth to all Apple Computers based on OUI MAC</LI><LI>Using MDM to set Login Window Mode (we have tried this in a limited capacity and MDM is unreliable and complex to set up)</LI></UL> Mon, 27 May 2019 14:31:41 GMT https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3863410#M472636 scsc_tech 2019-05-27T14:31:41Z https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864696#M472639 Isn't there a pre-auth ACL to work for all computers?<BR />What about machine certs?<BR /> Wed, 29 May 2019 19:28:54 GMT https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864696#M472639 Jason Kunst 2019-05-29T19:28:54Z https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864700#M472642 Like <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199790">@Jason Kunst</a> mentioned machine certs and certain conditions could do the trick. Why do you want to avoid this:<BR />Giving pre-auth to all Apple Computers based on OUI MAC<BR /><BR />If you have profiling in use technically you could utilize the AD-Probe and setup a scenario like this:<BR />Parent Policy (Policy1) leverages and uses AD-Host-Exists EQUALS true. Then create a child policy(Policy-1-Child) that matches based on OUI MAC or some other attribute you can narrow down to your apple computers. Then use the profiled endpoint group in your condition to meet your requirement. Then you would know that any host profiled as Policy-1-Child (or whatever you name it) is a member of AD and an apple comp.<BR /> Wed, 29 May 2019 19:40:49 GMT https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864700#M472642 Mike.Cifelli 2019-05-29T19:40:49Z https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864736#M472643 <P>Hey Mike</P><P>I appreciate this response. Its the first time someone has presented this as a possible solution.</P><P>I have not used AD-Probe before for profiling. Do you know the syntax? Is it AD-Host-Exists EQUALS true?</P><P>&nbsp;</P><P>I checked my deployment and see that AD probe is enabled. But when I look an an endpoint detail, I dont see AD-Host-Exists as a attribute</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="attributes.png" style="width: 186px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/37673iF9D7C11A9662D69E/image-size/medium?v=v2&amp;px=400" role="button" title="attributes.png" alt="attributes.png" /></span></P> Wed, 29 May 2019 21:08:06 GMT https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3864736#M472643 scsc_tech 2019-05-29T21:08:06Z https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3865123#M472644 Ensure that you are getting the host-name option from DHCP options. Check your sensor and ensure that option name host-name is configured. Thu, 30 May 2019 12:24:32 GMT https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3865123#M472644 Mike.Cifelli 2019-05-30T12:24:32Z https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3865136#M472693 <P>I am getting host-name in the attributes.&nbsp;</P><P>I tried profiling based on AD-host-exists equals true and I don't see the devices getting profiled correctly in live logs&nbsp;</P> Thu, 30 May 2019 13:13:30 GMT https://community.cisco.com/t5/network-access-control/preauthorizing-apple-computers-at-login-screen/m-p/3865136#M472693 scsc_tech 2019-05-30T13:13:30Z