Identify corporate Macbook for VPN access

Qingguo Zhang
Cisco Employee

How can we use ISE to ensure that only a company-provided Mac laptop would be allowed to join the network via VPN, and reject a non-corporate MacBook?

The customer's concern is that admin rights can allow the certificate to be extracted and used on non-corporate devices.

This is a whole end-to-end Cisco solution for which we need to do a POC (ISE + AnyConnect + ASA).

I would like to propose two solutions for the customer's reference; please let me know if they are feasible or if there are any detailed pros/cons.

1) Double cert auth (cert + smartcard/token); this will need integration with a smartcard/token vendor.

2) Cert auth + MAC address/BIOS serial posture check; based on HostScan, it will input the MAC address/serial number to ASA/ISE in advance.

Any comments are appreciated.

1 Accepted Solution

Accepted Solutions

Timothy Abbott
Cisco Employee

Like you said, certs can be exported if the user is admin. I don't think a smart card would help in this scenario either, because a CAC / smartcard is usually integrated via USB, which could also be ported to a non-company-owned asset. The best solution, as Paul brought up, would be the use of an MDM solution.

Regards,

-Tim

6 Replies

paul
Level 10

Are they using an MDM like JAMF to manage the Macs? If so, then you could explore an integration between ISE and JAMF to verify the Mac is registered. I am not a JAMF expert, but I know this seems to be the de facto MDM many customers use for Mac management. I see ISE referenced in their 9.99 release notes.

http://docs.jamf.com/9.99.0/casper-suite/release-notes/What's_New_in_This_Release.html

Hi Paul,

Thanks for the information. I'm currently in the same situation as Qingguo, and the customer is asking whether JAMF is the recommended solution with regards to MDM. Would we be able to elaborate to them on what policy JAMF uses to identify corporate MacBooks without a cert, and how Cisco ISE utilizes that to verify that the Mac is registered as a corporate device?

Also, they would like to know if there's any way ISE is able to prevent users from upgrading to the latest macOS released by Apple and, if not, what the likelihood is that a macOS upgrade might break the ISE agent's compatibility support matrix.

I am by no means a macOS person, so I may not be able to answer all the questions here, but here is what I know from my experience. JAMF seems to be a very popular management solution for Macs. In their 9.99 release notes they added support for ISE MDM API v2:

http://docs.jamf.com/9.99.0/casper-suite/release-notes/What's_New_in_This_Release.html

I have never done a JAMF to Cisco ISE MDM integration, so I am not sure what details you can get from that integration. I am not sure if OS version is a piece of information you get or not. You may be able to get the OS version from the posture module, but I haven't tried it.

The key reason JAMF has been used in my installs is to configure the Macs to present PEAP AD computer credentials as a means to authenticate the Macs. In most cases I do PEAP computer authentication as the means to ensure the attaching device is a managed asset. This is a trivial task on Windows devices. You can configure the Macs to do the exact same thing, but it is not a trivial task. There are methods to do it manually or using Apple's OS X Server MDM (can't remember the name), but JAMF makes the process easier.

At the end of the day, if you get PEAP computer auth working on the Macs, you are treating them identically to the Windows domain-joined devices.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

There is no way for ISE or posture to block OS upgrades from taking place.

Thanks for your responses Paul and Jason!
