12-12-2022 06:04 AM
Hi. Looking for some suggestions as to how to deal with Apple Mac authentication in the SDA world.
I have an enterprise VN that handles Windows, Chromebooks, and Apple Macs, using EAP-TLS for authentication, and Authorization policies assigning SGTs based on device or user AD groups.
Windows & Chromebooks work great - when first connected to the wired or wireless network they authenticate with Machine certificates and get machine related SGTs assigned. Once the user logs in, it re-authenticates using the User cert, and a User related SGT is assigned.
How can I get Apple Macs to behave in a similar way? Currently, I can get them to auth with Machine certs, but then I can't assign any User related SGTs, so User based policies are useless. Or, I can auth with User cert, but then the machine can't connect to the network until after someone is already logged in. Device based SGTs don't work with User identity policies.
I can't be the only one trying to do this sort of thing...
Any suggestions appreciated.
12-12-2022 06:30 AM
There is no concept of a "machine" account in macOS. It is either/or, exactly as you describe. Apple also does not allow third-party developers access to the network stack, so there is no option for a third-party supplicant either. Macs simply aren't designed for use in an enterprise environment.
Typically you would couple a user certificate authentication with an MDM attribute to establish both user + machine trust.
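The reply above describes combining an EAP-TLS user certificate with an MDM attribute so that the authorization rule establishes both user and device trust before assigning an SGT. The following is an added illustration of that rule logic, not Cisco ISE code or anything from this thread: it models a RADIUS session as a small record and evaluates a policy that (a) accepts a machine certificate on the pre-login path, (b) for a user certificate requires an MDM record that is registered, compliant and owned by the same user, and (c) otherwise drops the session into a restricted SGT. The attribute names (`mdm_registered`, `mdm_compliant`, `mdm_device_owner`), the `host/` prefix used to recognise a machine identity, and all SGT names and values are constructed assumptions.

```python
"""Toy model of an authorization rule that couples an EAP-TLS user certificate
with MDM attributes to assign an SGT.  Added illustration, not Cisco ISE code;
attribute names, SGT names/values and sample sessions are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed SGT name/value pairs (assumption: not from any real deployment)
SGT_QUARANTINE = ("Quarantine", 255)
SGT_MACHINE = ("Corp_Machine", 10)
SGT_USER_STAFF = ("Corp_Staff_User", 20)
SGT_USER_ENG = ("Corp_Engineering_User", 30)


@dataclass
class Session:
    """Attributes the policy engine would see for one 802.1X session."""
    eap_type: str                          # e.g. "EAP-TLS"
    cert_subject_cn: Optional[str]         # CN from the presented certificate
    cert_issuer_trusted: bool              # chains to the enterprise CA
    ad_groups: Set[str] = field(default_factory=set)  # groups for the cert identity
    mdm_registered: bool = False           # device record exists in MDM (assumed attr)
    mdm_compliant: bool = False            # MDM reports the device compliant (assumed)
    mdm_device_owner: Optional[str] = None # user the MDM record is assigned to (assumed)


def is_machine_identity(cn: str) -> bool:
    """Assumption: machine certificates carry a 'host/<fqdn>' identity."""
    return cn.startswith("host/")


def device_trusted_via_mdm(s: Session) -> bool:
    """Device trust for a user-cert session comes from MDM, not from a machine cert:
    the device must be registered, compliant, and assigned to the authenticating user."""
    return (s.mdm_registered and s.mdm_compliant
            and s.mdm_device_owner is not None
            and s.mdm_device_owner.lower() == (s.cert_subject_cn or "").lower())


def authorize(s: Session) -> Tuple[str, int]:
    """Return the SGT to assign for this session."""
    # Rule 0: anything that is not a trusted EAP-TLS identity gets the restricted tag.
    if s.eap_type != "EAP-TLS" or not s.cert_issuer_trusted or not s.cert_subject_cn:
        return SGT_QUARANTINE
    # Rule 1: machine certificate (pre-login path on Windows/Chromebook).
    if is_machine_identity(s.cert_subject_cn):
        return SGT_MACHINE
    # Rule 2: user certificate; user trust alone is not enough, the device must
    # also be vouched for by MDM before any user SGT is granted.
    if not device_trusted_via_mdm(s):
        return SGT_QUARANTINE
    # Rule 3: user SGT chosen from AD group membership (most specific first).
    if "Engineering" in s.ad_groups:
        return SGT_USER_ENG
    if "Staff" in s.ad_groups:
        return SGT_USER_STAFF
    return SGT_QUARANTINE


if __name__ == "__main__":
    # Constructed sample sessions
    samples = {
        "windows machine cert": Session("EAP-TLS", "host/win01.corp.example", True),
        "mac user cert + MDM": Session("EAP-TLS", "alice", True, {"Engineering"},
                                       True, True, "alice"),
        "mac user cert, no MDM": Session("EAP-TLS", "bob", True, {"Staff"}),
        "PEAP session": Session("PEAP", "carol", True, {"Staff"}, True, True, "carol"),
    }
    for name, sess in samples.items():
        print(f"{name:28s} -> {authorize(sess)}")
```

The point the code makes explicit is that the "device" leg of the decision for a Mac is an MDM lookup keyed to the user in the certificate, so a user certificate presented from an unmanaged or non-compliant device never reaches the user SGT rules.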
12-12-2022 07:14 AM
Can you expand on this part: 'Typically you would couple a user certificate authentication with an MDM attribute to establish both user + machine trust'
As EAP-TLS is the authentication protocol of choice, how do you trust the machine when the User is not logged in?
Thanks