<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: TEAP and Macs in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4734761#M578719</link>
    <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was playing with MacOS EAP-TLS authentication and tried to solve machine authentication. I was able to authenticate with the machine cert of the MacOS, but... regardless of the location of the machine cert (login / system keychain) I saw from the Cisco ISE logs that the authentication was always&amp;nbsp;&lt;STRONG&gt;IsMachineIdentity false&lt;/STRONG&gt;, so I had to do a trick. I generated a machine cert with SAN &lt;STRONG&gt;host/&lt;/STRONG&gt;HOSTNAME. When the host/ prefix was included in the SAN, ISE started to authenticate with the parameter&amp;nbsp;&lt;STRONG&gt;IsMachineIdentity true&lt;/STRONG&gt;. Only then did it start to search for computers in AD.&lt;/P&gt;&lt;P&gt;But still. When I tried to do similar tests as on the Windows platform, I was not successful. A very basic test: when I turned on the MacOS and saw the prompt to log in to the system, I was still not authenticated by the machine cert. So the MacOS was not assigned to a VLAN and did not have an IP address. Only when I entered the login credentials did MacOS reach the keychain and authenticate to the network.&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the Windows platform, when you are asked to log in, Windows is already ready to use the machine cert to authenticate based on machine identity. And then, when you enter your credentials, the user auth is in place. With TEAP, combined as one authentication: machine+user.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I thought that the login/system keychain (in the MacOS world) is the equivalent of the user/computer (Windows world) cert store. But this is not so true, or maybe I just do not understand the concept. I have gone through a lot of articles regarding this MacOS user/computer auth and EAP chaining topic and it caused me serious headaches. 
&lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;So I am not sure if there is such a concept as computer authentication in the MacOS world.&lt;/P&gt;&lt;P&gt;If anybody knows how it works, I would be glad for any info, just for my curiosity.&lt;/P&gt;</description>
    <pubDate>Thu, 08 Dec 2022 10:37:57 GMT</pubDate>
    <dc:creator>Barney</dc:creator>
    <dc:date>2022-12-08T10:37:57Z</dc:date>
    <item>
      <title>TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4586790#M573900</link>
      <description>&lt;P&gt;Has there been any progress/update on the possibility of OS X supporting TEAP (RFC 7170)?&lt;/P&gt;</description>
      <pubDate>Tue, 05 Apr 2022 21:31:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4586790#M573900</guid>
      <dc:creator>fitzie</dc:creator>
      <dc:date>2022-04-05T21:31:00Z</dc:date>
    </item>
    <item>
      <title>Re: TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4586798#M573901</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/345407"&gt;@fitzie&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Currently there is no need for this feature on Apple MACOS. As far as I am aware, there is no distinction between Computer and User authentication on MACOS. In the Windows world there is - and that is why EAP Chaining is such a big deal.&lt;/P&gt;
&lt;P&gt;The MACOS supplicants can be configured with other Methods like EAP-TLS, EAP-PEAP, EAP-TTLS and any RADIUS server can handle them as "business as usual".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Apr 2022 22:34:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4586798#M573901</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-04-05T22:34:29Z</dc:date>
    </item>
    <item>
      <title>Re: TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4602081#M574422</link>
      <description>&lt;P&gt;I don't necessarily agree with your statement that there is no need for this feature in OS X, as I want to be able to use both the machine identity and the user identity for different aspects of NAC.&amp;nbsp; Having a singular approach in an environment where both Macs and Windows machines exist as end-user devices is preferable to having two disparate methods which don't behave in the same way.&amp;nbsp; Without going into the details/requirements of my environment, I can easily state that my Mac users have a much harder time with it than my Windows users.&amp;nbsp; Not all business is usual.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Apr 2022 21:13:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4602081#M574422</guid>
      <dc:creator>fitzie</dc:creator>
      <dc:date>2022-04-28T21:13:42Z</dc:date>
    </item>
    <item>
      <title>Re: TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4602148#M574423</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/345407"&gt;@fitzie&lt;/a&gt;&amp;nbsp;- I agree that it would be nice to "&lt;SPAN&gt;&amp;nbsp;... be able to use both the machine identity and the user identity for different aspects of NAC." - but my point was that as far as I know, MACOS does not have that concept - Windows desktop operating systems were designed to be used in enterprise environments with the clear distinction between computer and user auth as part of the Active Directory domain concept. Do you know for a fact that MACOS has this ability as well? i.e. have you seen the supplicant perform differentiated authentication depending on whether the user is logged in or logged out?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Apr 2022 22:44:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4602148#M574423</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-04-28T22:44:47Z</dc:date>
    </item>
    <item>
      <title>Re: TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4734761#M578719</link>
      <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was playing with MacOS EAP-TLS authentication and tried to solve machine authentication. I was able to authenticate with the machine cert of the MacOS, but... regardless of the location of the machine cert (login / system keychain) I saw from the Cisco ISE logs that the authentication was always&amp;nbsp;&lt;STRONG&gt;IsMachineIdentity false&lt;/STRONG&gt;, so I had to do a trick. I generated a machine cert with SAN &lt;STRONG&gt;host/&lt;/STRONG&gt;HOSTNAME. When the host/ prefix was included in the SAN, ISE started to authenticate with the parameter&amp;nbsp;&lt;STRONG&gt;IsMachineIdentity true&lt;/STRONG&gt;. Only then did it start to search for computers in AD.&lt;/P&gt;&lt;P&gt;But still. When I tried to do similar tests as on the Windows platform, I was not successful. A very basic test: when I turned on the MacOS and saw the prompt to log in to the system, I was still not authenticated by the machine cert. So the MacOS was not assigned to a VLAN and did not have an IP address. Only when I entered the login credentials did MacOS reach the keychain and authenticate to the network.&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the Windows platform, when you are asked to log in, Windows is already ready to use the machine cert to authenticate based on machine identity. And then, when you enter your credentials, the user auth is in place. With TEAP, combined as one authentication: machine+user.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I thought that the login/system keychain (in the MacOS world) is the equivalent of the user/computer (Windows world) cert store. But this is not so true, or maybe I just do not understand the concept. I have gone through a lot of articles regarding this MacOS user/computer auth and EAP chaining topic and it caused me serious headaches. 
&lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;So I am not sure if there is such a concept as computer authentication in the MacOS world.&lt;/P&gt;&lt;P&gt;If anybody knows how it works, I would be glad for any info, just for my curiosity.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Dec 2022 10:37:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4734761#M578719</guid>
      <dc:creator>Barney</dc:creator>
      <dc:date>2022-12-08T10:37:57Z</dc:date>
    </item>
    <item>
      <title>Re: TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4734882#M578722</link>
      <description>&lt;P&gt;There is no concept of a "machine account" in MacOS.&amp;nbsp; There are "system" and "user" certificate keychains, but this is not the same as the Windows machine account concept.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Dec 2022 13:37:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4734882#M578722</guid>
      <dc:creator>ahollifield</dc:creator>
      <dc:date>2022-12-08T13:37:14Z</dc:date>
    </item>
    <item>
      <title>Re: TEAP and Macs</title>
      <link>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4740015#M578855</link>
      <description>&lt;P&gt;I am not aware of any plans for Apple to support the TEAP protocol on &lt;EM&gt;any&lt;/EM&gt; of their platforms.&lt;/P&gt;</description>
      <pubDate>Fri, 16 Dec 2022 00:09:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/teap-and-macs/m-p/4740015#M578855</guid>
      <dc:creator>thomas</dc:creator>
      <dc:date>2022-12-16T00:09:53Z</dc:date>
    </item>
  </channel>
</rss>

