topic apple macosx machine authentication with ISE using EAP-TLS in Network Access Control

apple macosx machine authentication with ISE using EAP-TLS

Gustavo Novais — Mon, 11 Mar 2019 05:03:15 GMT

Hello,

On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.

With windows machines all is working well. We are using computer authentication only.

Now the problem is that we wish to do the same with MAC OSX machines.

We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.

in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.

When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.

The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.

Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?

Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.

Thanks

Gustavo Novais

Did anyone ever find the

usac — Fri, 16 Dec 2016 17:28:09 GMT

Did anyone ever find the solution to this problem. Please email me asalazar@usac.org

Just for future reference, we

Gustavo Novais — Fri, 16 Dec 2016 18:01:51 GMT

Just for future reference, we've managed to solve this by adding on the JAMF Casper interface the host/$COMPUTERNAME variable.

I do not know if another provisioning solution would allow for this manipulation...

Hope this helps

You can also do this directly

nspasov — Sat, 17 Dec 2016 03:09:55 GMT

You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom.

I hope this helps!

Thank you for rating helpful posts!

Good job on resolving your

nspasov — Sat, 17 Dec 2016 03:11:27 GMT

Good job on resolving your own issue! Also, thank you for taking the time to come back and update the thread! (+5 from me).

You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom.

Now, if your issue is resolved, you should mark the thread as "answered" 😉

Thank you for rating helpful posts!

Re: Just for future reference, we

Hafthor Hilmarsson O'Connor — Tue, 05 Apr 2022 21:03:30 GMT

if you where using this payload as a custom payload in intune ( since AD certs are not yet supported only SCEP )

I create the payload in profilemanager and then upload it to intune as custom,

There is field would be host/{{devicename}}