How to automate process when deploying dot1x between ISE and MAC OS X?

musultan
Cisco Employee

My customer is deploying ISE w/dot1x and MAC machines like High Sierra, Mojave etc. (10.13 and later).

Here is the current situation:

1) We have 802.1x authentication working fine on the MAC. 

2) We have a working profile in JAMF to push the initial configuration for wired 802.1x to our MAC OS X.
3) 802.1x is working in ISE and the MAC is being authenticated properly with its local machine certificate.

Here is the problem:

Once we push the 802.1x configuration down to the MAC, it is missing one important portion of the config: it is not pointing the authentication to the machine certificate.

In order to complete the authentication, the user has to do the following:

1- Manually open System Preferences.
2- Go to Network.
3- Select the correct wired network.
4- Click connect.
5- Choose the correct machine certificate.
6- Enter the administrator credentials and save the configuration.

Requiring the user to complete these six steps manually is sub-optimal and will lead to the system not being configured properly.

Question:
We are simply trying to complete the configuration process without requiring manual user intervention.  All we need is to point the final configuration to use the proper local machine certificate automatically.


Please advise how to achieve it?

Accepted Solutions

Timothy Abbott
Cisco Employee

Hi,

This sounds more like a JAMF / Apple issue than an ISE issue. I would suggest native supplicant provisioning but it sounds to me like your customer is trying to configure supplicants at scale rather than using a BYOD approach. It might be better to reach out to JAMF and / or Apple.

Regards,

-Tim

3 Replies

Yes, it is NOT an ISE issue. I completely understand that.

The customer is looking for guidance from us and any steps which can help them. All they need is a process for pushing a complete profile/setup to MAC devices enabling 802.1x and pointing the config to the local, existing machine certificate.


Any help will be appreciated.

As Tim said, talk to JAMF, but I seem to remember working with this in the past and you need to make sure the JAMF profile is a system profile or something like that and the certificate is going into the system key store, not the user key store.
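
Added example, not part of the original thread and not Cisco, Jamf or Apple code: a Python check of an exported wired 802.1X `.mobileconfig` for the system-level scope mentioned in the last reply and for the certificate reference the question describes as missing. It assumes the machine identity is delivered in the same profile and referenced through Apple's `PayloadCertificateUUID` key; `lint_dot1x_profile` and `sample_profile` are hypothetical names and the sample profile is constructed.

```python
import plistlib

# Ethernet 802.1X payload types from Apple's configuration profile schema.
ETHERNET_TYPES = {"com.apple.firstactiveethernet.managed",
                  "com.apple.firstethernet.managed",
                  "com.apple.globalethernet.managed"}
# Payload types that deliver a certificate identity (certificate plus private key).
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep",
                  "com.apple.ADCertificate.managed"}
EAP_TLS = 13  # EAP method number for EAP-TLS


def lint_dot1x_profile(profile_bytes):
    """Return findings for a wired 802.1X profile; an empty list means none."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    identities = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES}
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope is not System (profile is user-level)")
    ethernet = [p for p in payloads if p.get("PayloadType") in ETHERNET_TYPES]
    if not ethernet:
        findings.append("no Ethernet 802.1X payload in profile")
    for p in ethernet:
        if "System" not in p.get("SetupModes", []):
            findings.append("SetupModes lacks System (no machine-level authentication)")
        if EAP_TLS not in p.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", []):
            findings.append("AcceptEAPTypes does not include EAP-TLS (13)")
        ref = p.get("PayloadCertificateUUID")
        if ref is None:
            findings.append("PayloadCertificateUUID missing: no identity is bound to 802.1X")
        elif ref not in identities:
            findings.append("PayloadCertificateUUID does not match an identity payload")
    return findings


def sample_profile(cert_ref="ID-1", scope="System"):
    """Constructed sample profile; the UUID strings are placeholders."""
    eth = {"PayloadType": "com.apple.firstactiveethernet.managed", "PayloadUUID": "ETH-1",
           "Interface": "FirstActiveEthernet", "SetupModes": ["System"],
           "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS]}}
    if cert_ref:
        eth["PayloadCertificateUUID"] = cert_ref
    ident = {"PayloadType": "com.apple.security.scep", "PayloadUUID": "ID-1"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": scope,
                           "PayloadContent": [ident, eth]})
```

Running it against the profile exported from Jamf before deployment shows whether the Ethernet payload actually references an identity payload or leaves the certificate choice open.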
