The old when will Apple support EAP Chaining dilemma. Frustrated us for YEARS too. Just sharing what we do in case it helps anyone.
Our environment - Windows and Macbooks, Cisco Trustsec infrastructure, mix of traditional network and SD-Access. ISE playing pivotal role, running v3 now but this also applied to later 2.x code for us.
Our Windows fleet has Anyconnect + NAM, configured for EAP Chaining, works splendidly for identifying a trusted computer on boot up, and then when a user logs on, reauth-ing to get a user-based AuthZ profile from ISE to elevate to user-centric permissions. We aim to do this for Macbooks and their users too.
Macbooks- Ours are not joined to the domain, but do have a machine certificate installed via our MDM.
ISE Policy Logic for Wired authentications
We have all our EAP Chaining policies at the top that Windows + NAM computer hit. Then, ..
Macbook AuthZ policy #1 - can't match EAP-Chaining policies, so next in our ISE policy sets we look for Dot1X authentication (machine certs) that have been issued by our PKI. Our Macbooks configured via MDM to present our machine-certs on LAN. If matching this ISE policy, we redirect to a portal on ISE (same technique for guest wireless portal).
Macbook AuthZ policy #2 - User logs into CWA portal. You can then match the user ID entered into the central web auth portal to an AD group. The policy looks like CWA-CWA_ExternalGroups EQUALS (YourOrgActiveDirectory:yourorg.net/Domain Users)
And obviously, in the policy set, #2 has to be above #1 for it to work in the correct sequence.
We build on that logic by having policies per department/division, and each get a AuthZ policy and different SGT. Isn't limited to Domain Users.
Because the machine presents our cert, can can assume its one of ours. And because we can stitch together the user ID (gleaned from the redirect to the portal with the previous match of policy that got them there), we kind of get the same functionality as NAM+EapChaining - but much less elegantly. It's not transparent like Windows + NAM, and any time the Macbook Ethernet goes down, another CWA logon has to be performed. Not great for the user.
Notes/Feedback:
- It's a poor user experience for the Macbook users. Not many on them are a fan of it. They've put up with it so far, but its unpopular.
- CWA Dictionary in ISE has limited options so don't expect a full set of attributes you can match.
- In Macbook AuthZ policy #2 above, "YourOrgActiveDirectory" is the Active Directory you've configured in ISE in the External Identity Sources. And "yourorg.net" is your active directory name. And "/Domain Users" is a group you've got in ISE from your AD that you can reference in policy.
- Our Macbook users may hate us. Secops are happy with the solution. This is a technical solution, not a user experience solution.
- Works for us with docking stations or Ethernet dongles
- If Macbooks are joined to the Active Directory domain, there's apparently a way to use the passive identity scraping as an alternative method to achieve the same.
- If you can get access to an Apple Account Manager, please pile on the pressure and request them to support EAP Chaining.
HTH
