802.1x - Apple Workstation

ryanbess
Level 1

Trying to identify the best way to authenticate and authorize Apple endpoints on a wired interface to Cisco ISE.

Environment:

1. Macs are AD-bound

2. Macs are managed via Jamf

3. There is NO local computer certificate

4. Users log into Macs with a PIV card

How would you go about authenticating and authorizing them?

7 Replies

Arne Bier
VIP

As far as I know, macOS doesn't have any GUI support for creating 802.1X supplicant profiles other than EAP-PEAP (username/password). This means that if you want to, e.g., use client certificate authentication, then you must do this via Jamf and have the profile pushed to each managed macOS device. Not sure what kind of a PIV card you're using, but in either case, if there is an 802.1X supplicant EAP method that can read the username from such a thing, then you might be able to use it.

Do you know of any way to use EAP-PEAP to authenticate the Mac computer account? This is a function that can be done for Windows via MSCHAPv2.

I sent you a PM, check it.

MHM


The answer might depend on how the rest of the environment (Windows endpoints?) is being authenticated and authorized.
I favor trying to use a similar authentication flow for both Windows- and Mac-based user workstations; it simplifies troubleshooting at later stages.
If you're using machine/computer certificates to authenticate the Windows machines, you could create a new certificate template specifically for the Macs and authenticate & authorize based on that.
(I know of few environments that do this.)

And/or you could look into issuing user certs & use those.

And as Arne points out, you maintain this configuration via Jamf.

Yes, we are trying to follow a similar approach to our Windows endpoints, but not having certs on the box (i.e. computer certs) is really hindering us. As far as I can find, there is very little on the internet that defines how to effectively do these things on a Mac. Windows, yeah, there are tons of YouTube videos, blogs, etc. that do this... thus the post here, to get folks' thoughts given the environment described in the original post.

Arne Bier
VIP

I have limited experience with macOS. Many years ago I used the Apple Configurator app on the Mac to create an 802.1X WLAN profile for an iPhone. It was a tedious affair and proved to me that this job is best done with an MDM. Have a look on the Jamf console to see what options you have.

EAP-PEAP (MSCHAPv2) does not require any MDM. If you associate your Mac to an SSID with Enterprise 802.1X configured, talking to a RADIUS server that offers EAP-PEAP, then the Mac will open a username/password dialogue. If the RADIUS server does not offer the EAP-PEAP method, then you're out of luck. Be careful with username/password: if the password changes frequently, then it causes havoc with your network-authenticated users (e.g. if the password is changed on the Mac but they forget to change the password in the macOS supplicant config; in the Windows world this is common when users have their AD creds on mobile devices, and they tend to lock out their AD accounts).
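As an added illustration of the Jamf-pushed wired 802.1X profile discussed in this thread, here is a system-mode EAP-PEAP configuration profile that uses the AD computer account, which is the machine authentication the original question asks about; it is not from the thread, from Apple or from Jamf. It assumes the Mac is AD-bound, that the CA which issued the ISE EAP server certificate is delivered as a separate certificate payload, and that the payload key names match Apple's configuration profile reference as I recall it (verify against that reference or against what Jamf's Network payload editor emits); the hostname, UUIDs and identifiers are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>        <string>Configuration</string>
  <key>PayloadVersion</key>     <integer>1</integer>
  <key>PayloadIdentifier</key>  <string>com.example.wired-dot1x</string>
  <key>PayloadUUID</key>        <string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadDisplayName</key> <string>Wired 802.1X, system mode (AD computer account)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Ethernet payload: 802.1X on the first active wired interface (placeholder ids) -->
      <key>PayloadType</key>        <string>com.apple.firstactive.ethernet</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>com.example.wired-dot1x.ethernet</string>
      <key>PayloadUUID</key>        <string>22222222-2222-4222-8222-222222222222</string>
      <key>AutoJoin</key>           <true/>
      <!-- System mode: the Mac authenticates at boot, before any user logs in -->
      <key>SetupModes</key>
      <array><string>System</string></array>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP (MSCHAPv2 inner method); no client certificate is required -->
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array>
        <!-- Take the system-mode credentials from the AD computer account -->
        <key>SystemModeCredentialsSource</key> <string>ActiveDirectory</string>
        <!-- Pin the ISE PSN's EAP server name and refuse untrusted server certs -->
        <key>TLSTrustedServerNames</key>
        <array><string>ise-psn01.corp.example.com</string></array>
        <key>TLSAllowTrustExceptions</key> <false/>
        <!-- UUID of a separate com.apple.security.root payload carrying the CA that
             issued the ISE EAP server certificate (that payload is not shown here) -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>33333333-3333-4333-8333-333333333333</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

The profile covers only the machine-level authentication; the PIV-based user login on the Mac is unaffected by it.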

thomas
Cisco Employee

https://cs.co/ise-berg#apple lists the official configuration docs from Apple for provisioning their devices.