Help with Cisco ISE and Macbooks

ksalters16 · ‎04-09-2025

My organization is in the process of setting up ISE. We are using device-based authentication. I currently use Jamf to Install a configuration profile for 802.1x authentication on an Ethernet connection. We're using EAP-TLS. We are currently in the process of moving from on-prem AD to Entra ID.

There are instances where a user is prompted to choose a certificate to authenticate to the network through Ethernet. We are currently using the computername for the certificate subject. However, sometimes the certificate may labeled differently with the SN included in the name.

I am trying to figure out the best was to allow the devices to authenticate to the network without prompting the user to choose a certificate.

Arne Bier · ‎04-10-2025

I would think this is an issue for the supplicant to solve, because it sounds like there is an ambiguity that the supplicant is asking the user to resolve. If the supplicant can have more constraints and rules applied (e.g. like the Windows native supplicant) then there is less chance for ambiguity. Why is the supplicant even offering more than one cert? I am sure a MAC has many certs, but where does it source those from?

ksalters16 · ‎04-14-2025

The certificates are distributed from the Certificate Authority through the AD CS server that's integrated with Jamf. In the configuration profile that is pushed out to the Macs includes the root cert, intermediate cert, and the certificate used for authentication.

Greg Gibbs · ‎04-14-2025

It is not enough that the Mac has the certificate enrolled. The supplicant also needs to be told which certificate to present for EAP-TLS, especially if there are multiple valid certificates installed.

You might have a look to see if this issue matches your specific symptoms. If not, you should open a case with Jamf to investigate the supplicant configuration.

https://community.jamf.com/t5/jamf-pro/802-1x-eap-tls-trusted-certificates/m-p/172401