https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737105#M578782 <P>Hi.&nbsp; Looking for some suggestions as to how to deal with Apple MAC authentication in the SDA world.</P><P>I have an enterprise VN that handles Windows, Chromebooks, and Apple MACs, using EAP-TLS for authentication, and Authorization policies assigning SGTs based on device or user AD groups.</P><P>Windows &amp; Chromebooks work great - when first connected to the wired or wireless network they authenticate with Machine certificates and get machine related SGTs assigned.&nbsp; Once the user logs in, it re-authenticates using the User cert, and a User related SGT is assigned.</P><P>How can I get Apple MACs to behave in a similar way?&nbsp; Currently, I can get them to auth with Machine certs, but then I can't assign any User related SGTs so User based policies are useless.&nbsp; Or, I can auth with User cert, but then the machine can't connect to the network until after someone is already logged in.&nbsp; Device based SGTs don't work with User identity policies</P><P>I can't be the only one trying to do this sort of thing...</P><P>Any suggestions appreciated.</P> Mon, 12 Dec 2022 14:04:34 GMT ianjgrant 2022-12-12T14:04:34Z https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737105#M578782 <P>Hi.&nbsp; Looking for some suggestions as to how to deal with Apple MAC authentication in the SDA world.</P><P>I have an enterprise VN that handles Windows, Chromebooks, and Apple MACs, using EAP-TLS for authentication, and Authorization policies assigning SGTs based on device or user AD groups.</P><P>Windows &amp; Chromebooks work great - when first connected to the wired or wireless network they authenticate with Machine certificates and get machine related SGTs assigned.&nbsp; Once the user logs in, it re-authenticates using the User cert, and a User related SGT is assigned.</P><P>How can I get Apple MACs to behave in a similar way?&nbsp; Currently, I can get them to auth with Machine certs, but then I can't assign any User related SGTs so User based policies are useless.&nbsp; Or, I can auth with User cert, but then the machine can't connect to the network until after someone is already logged in.&nbsp; Device based SGTs don't work with User identity policies</P><P>I can't be the only one trying to do this sort of thing...</P><P>Any suggestions appreciated.</P> Mon, 12 Dec 2022 14:04:34 GMT https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737105#M578782 ianjgrant 2022-12-12T14:04:34Z https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737131#M578783 <P>There is no concept of a "machine" account in MacOS.&nbsp; It is either/or exactly as you describe.&nbsp; Apple also does not allow third-party developers access to the network stack so there is no option for a third-party supplicant either.&nbsp; Macs simply aren't designed for use in an enterprise environment.</P> <P>Typically you would couple a user certificate authentication with an MDM attribute to establish both user + machine trust.</P> Mon, 12 Dec 2022 14:30:56 GMT https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737131#M578783 ahollifield 2022-12-12T14:30:56Z https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737166#M578785 <P>Can you expand on this part: 'Typically you would couple a user certificate authentication with an MDM attribute to establish both user + machine trust'</P><P>As EAP-TLS is the authentication protocol of choice, how do you trust the machine when the User is not logged in?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Mon, 12 Dec 2022 15:14:39 GMT https://community.cisco.com/t5/network-access-control/apple-macs-in-the-sda-world/m-p/4737166#M578785 ianjgrant 2022-12-12T15:14:39Z