topic Re: Cisco ISE and MacBook in Network Access Control

Cisco ISE and MacBook

BruceR214 — Fri, 26 Apr 2024 12:36:17 GMT

I am looking for pointers from the community as I have very little experience with Macbooks. We have previously only dealt with Windows clients and they happily authenticate as a device using EAP-TLS to AD over wired and wireless. In our experience, Macbooks do not play well with AD so I am looking for an alternative solution.

I would like to get the Macbook to authenticate to Cisco ISE itself, but I also have the problem that we use Ruckus WiFi which cannot do URL redirect. So the usual solutions become hard to implement as they all seem to need a workflow involving URL-redirect.

Is there a simple way to get the Macbook registered with Cisco ISE so that it can authenticate as a device ? I do not mind a manual process as we only have a few Macbooks.

Thanks for reading

Re: Cisco ISE and MacBook

ahollifield — Fri, 26 Apr 2024 12:54:53 GMT

How are the MacBooks managed? You should have an MDM solution for them. Use said MDM to push certificates to the MacBooks and do EAP-TLS authentication with those certificates to ISE. If you also want Posture/compliance checks, integrate that MDM with ISE.

Re: Cisco ISE and MacBook

BruceR214 — Fri, 26 Apr 2024 12:56:22 GMT

We have them on Intune currently, and we can push SCEP certificates to them.

Re: Cisco ISE and MacBook

ahollifield — Fri, 26 Apr 2024 12:58:48 GMT

Perfect. Use InTune to push a SCEP enrollment profile to them to obtain a certificate from the PKI. Use InTune to configure the wired/wireless on the MacBook to authenticate with EAP-TLS to ISE.

If you want compliance checks as well then integrate InTune with ISE. https://cs.co/ise-berg#Intune

Re: Cisco ISE and MacBook

BruceR214 — Fri, 26 Apr 2024 13:36:07 GMT

OK, sounds good.

I have never used SCEP before, but I can see that the certificate does get to the MacBook.

When the MacBook tries to authenticate, where should ISE check the certificate against. For a Windows PC it checks with the AD Computer object.

Also, is is possible for the MacBook to connect to WiFi before the user login happens ?

Re: Cisco ISE and MacBook

ahollifield — Fri, 26 Apr 2024 13:50:56 GMT

It can if you have an AD object created for that. If not then you can choose to rely on the certificate trust itself to validate device ownership. This depends on how secure your PKI environment is, where its exposed, who can enroll a certificate, keys non-exportable etc. This is where InTune comes back into play as well. If you don't have an AD object to check against, you can have ISE check against InTune for the existence of that MacBook as your "second factor" other than the existence of the certificate itself.

It is not. Wireless has no concept of an "open mode". Most of my customers use dedicated, physically protected "build ports" that do not have any authentication commands on them for the sole purpose of provisioning/imaging computers. Some other of my customers use the guest network for provisioning through things like AutoPilot.

Re: Cisco ISE and MacBook

BruceR214 — Fri, 26 Apr 2024 15:23:32 GMT

Thanks for all this information, I will be trying it out next week.

Re: Cisco ISE and MacBook

00u17 — Sun, 29 Jun 2025 14:52:43 GMT

@ahollifield

We're looking to achieve machine and user authentication for our MacBooks, much like how we currently secure our Windows fleet. Our goal is to do this without deploying an MDM solution like Jamf.

Here's our main concern: If we settle for a user-only authentication policy for Macs, could that create a security vulnerability that eventually impacts our Windows machines as well? Is this a valid worry in your experience?

I've heard that Active Directory objects might be key to pulling this off. If you've managed to implement something similar, could you please walk us through the technical specifics? We'd love to understand:

How do you configure Active Directory for this setup?
What does the entire authentication flow look like from a MacBook's perspective?
Are there any architectural diagrams or step-by-step guides you could share?

Your insights and knowledge would be incredibly valuable!

Re: Cisco ISE and MacBook

ahollifield — Sun, 29 Jun 2025 17:54:45 GMT

You don’t do this. This is not possible on MacOS without an MDM. An MDM must be used.