topic Re: MAC computer as a AD domain machine in Network Access Control

MAC computer as a AD domain machine

yongwli — Wed, 05 Jul 2017 14:42:18 GMT

Hi Team,

Customer would like to know a MAC computer is an AD domain machine or not. And define different policy based on it. How can we do it in ISE? We found MAC did not send host authentication in ISE live log. And no register table to check it’s domain computer or not.

Your help will be very appreciated!

Thanks

Re: MAC computer as a AD domain machine

howon — Wed, 05 Jul 2017 14:52:18 GMT

You can use AD probe's 'AD-Hosts-Exists' attribute to automatically create an endpoint group. Once created you can use it in your AuthZ policy to provide different AuthZ profile.

Re: MAC computer as a AD domain machine

paul — Thu, 06 Jul 2017 04:19:57 GMT

The AD Host Exists flag in checking to see if the reverse lookup for the IP learned is an object in AD. That is a decent indicator that the device is probably a domain joined object.

You can definitely get Macs that are joined to the domain to present domain computer credentials during PEAP authentication. If they are using JAMF/Casper to manage their Macs this is pretty straight forward and documented here:

https://www.jamf.com/jamf-nation/discussions/8721/802-1x-machine-based-authentication

If they aren't managing the Macs with JAMF they can use that article as a guide to manually configuring the Macs to do this. It isn't easy but doable without JAMF.

Re: MAC computer as a AD domain machine

yongwli — Thu, 06 Jul 2017 15:26:07 GMT

do you have any docs to show how to do it? I mean AD-probe and automatically add endpoint into a group, does it need API to do it? many thanks.

Re: MAC computer as a AD domain machine

paul — Thu, 06 Jul 2017 15:58:04 GMT

Use the JAMF link I provided as a guide. There are other links out there if you Google PEAP Computer Auth OSX.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: MAC computer as a AD domain machine

yongwli — Fri, 07 Jul 2017 07:27:19 GMT

thank you, let me try it first.

Re: MAC computer as a AD domain machine

Alex Pfeil — Tue, 28 Nov 2017 18:08:27 GMT

I was looking at the live Radius log, and I do not see the AD probe returning AD-Host-Exists. I see it returning all of the other probes. Does it have to be a functional 2012 domain, or is there something else I could have missed?

Thanks,

Alex

Re: MAC computer as a AD domain machine

paul — Wed, 29 Nov 2017 02:44:25 GMT

Is ISE learning the hostname of the Mac from DHCP or FQDN from DNS profiler (if you have it enabled… you should0?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: MAC computer as a AD domain machine

Alex Pfeil — Wed, 29 Nov 2017 03:01:49 GMT

It ended up being that the profile I created had less points than another profile. I changed the point assignment in the profile condition that I created. I thought I would see the AD-Host-Exists in the authentication because I was seeing the 5 other AD attributes.

Thanks for your response.

Alex