02-18-2022 12:44 AM
I have big trouble implementing 802.1x on OSX clients. Are there any suggested "best practice" ways to do so?
As far as I know, OSX only supports user-based certificates, which is one of my biggest problems since we have some workstations which are shared across multiple users. On our Windows systems we use computer certificate + AD user.
Are there similar options available on OSX?
Thanks in advance!
02-21-2022 04:23 PM
Hi @Nik.
Unlike Windows, OSX doesn't distinguish between machine auth and user auth. OSX connects to the network when the machine boots and that's it. If you switch users then it won't care about network auth. Do you need to perform any user-specific NAC (e.g. VLAN or ACLs)? Perhaps there is a 3rd party supplicant that can do this for you. I would therefore issue a cert to the Mac and think of it as a machine certificate. You may need to write an ISE Authorization Rule to check the issuer of that cert and then do whatever you need to authorize (because the cert's Subject/SAN may not exist in your AD, for example). Perhaps you pushed those certs via MDM, then perform an MDM authorization.
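As an added example (not from this thread or from Cisco), this is what the "issue a cert to the Mac and treat it as a machine certificate" approach looks like as an MDM-deliverable configuration profile for wired 802.1X in System mode. Payload keys follow Apple's Configuration Profile Reference; the UUIDs, identifiers and the ISE server name are placeholders, and the PKCS#12 identity and root CA payloads it references are assumed to be pushed separately by the MDM.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Wired 802.1X - device identity (example)</string>
  <key>PayloadIdentifier</key><string>example.dot1x.wired.device</string>
  <!-- placeholder UUID; the MDM normally generates these -->
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.firstactiveethernet.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.dot1x.wired.device.eth</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>Interface</key><string>FirstActiveEthernet</string>
      <!-- "System" mode: the supplicant authenticates at boot with the device
           identity below, so the same cert is used no matter who logs in.
           Leaving out "User" keeps per-user credentials out of the picture. -->
      <key>SetupModes</key>
      <array><string>System</string></array>
      <!-- UUID of a com.apple.security.pkcs12 payload holding the device
           identity issued by the internal CA (placeholder) -->
      <key>PayloadCertificateUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 13 = EAP-TLS; no password-based EAP methods are offered -->
        <key>AcceptEAPTypes</key>
        <array><integer>13</integer></array>
        <!-- UUID of a com.apple.security.root payload carrying the CA that
             signs the ISE EAP server certificate (placeholder) -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>44444444-4444-4444-4444-444444444444</string></array>
        <!-- pin the expected server name so any other cert from the same CA
             is rejected instead of silently trusted, and no trust prompt appears -->
        <key>TLSTrustedServerNames</key>
        <array><string>ise-psn.example.internal</string></array>
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

On the ISE side the authorization rule then keys on the issuer (or a SAN) of this device identity rather than on an AD account, since the Subject need not correspond to any AD object.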
03-06-2022 08:41 PM
I touch on endpoint supplicants and configuration in the recent ISE Webinar:
ISE Deployment Planning and Strategies @ 27:12 Endpoint Native 802.1X Supplicants
I also show how to use the Meraki System Manager MDM to provision a network profile to an iPad for EAP-TTLS for authentication with Azure AD in the webinar
Cisco ISE with Meraki @ 46:17 Meraki Systems Manager Configuration for EAP-TTLS Profile