Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1450
Views
0
Helpful
1
Replies
Highlighted
reynaldolopeza
Beginner
Beginner
‎09-22-2020 01:47 PM
‎09-22-2020 01:47 PM

ISE 802.1X authentication with MacOS

Hi to everyone,

 

We have ISE 2.4 deployed as Radius server for Windows clients in Wired and Wireless 802.1X authentication working with no problems for more than 1 year. We are using EAP-FAST with EAP-Chaining and MSCHAPv2 for user and machine authentication and NAM client.

Now we have new MacOS Laptops in the company and we want to authenticate them using the same protocols and Policies that we use for our Windows clients, we confirmed that NAM is not supported for MacOS .Is it possible to use the same policies and protocols that we use for windows in our MacOS clients using the native MacOS 802.1X client.? We don't have much experience with MacOS so if you have any guide to configure the MacOS native 802.1X client I would really appreciate it.

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
‎09-22-2020 10:40 PM
‎09-22-2020 10:40 PM

See a related conversation here:

https://community.cisco.com/t5/network-access-control/machine-user-auth-for-mac-osx/td-p/3471203

 

EAP Chaining with NAM technically uses EAP-FASTv2 which is Cisco proprietary and only available via the NAM client, which is not supported in OSX. To perform EAP Chaining on OSX, you will need to wait until Apple supports TEAP (RFC 7170) in their native supplicant for standards-based EAP Chaining and use ISE version 2.7 or later.

All current versions of OSX use Network Profiles (in XML format) for configuring 802.1x and the necessary certificates. Most large customers use JAMF Pro or some other MDM to create and deploy the necessary Profiles, enrol the certificates, etc. OSX does not have native capability to join an AD domain either, so you would typically rely on either PEAP-MSCHAPv2 user authentication or EAP-TLS with system and/or user certificates.

View solution in original post

0 Helpful
Reply
1 REPLY 1
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
‎09-22-2020 10:40 PM
‎09-22-2020 10:40 PM

See a related conversation here:

https://community.cisco.com/t5/network-access-control/machine-user-auth-for-mac-osx/td-p/3471203

 

EAP Chaining with NAM technically uses EAP-FASTv2 which is Cisco proprietary and only available via the NAM client, which is not supported in OSX. To perform EAP Chaining on OSX, you will need to wait until Apple supports TEAP (RFC 7170) in their native supplicant for standards-based EAP Chaining and use ISE version 2.7 or later.

All current versions of OSX use Network Profiles (in XML format) for configuring 802.1x and the necessary certificates. Most large customers use JAMF Pro or some other MDM to create and deploy the necessary Profiles, enrol the certificates, etc. OSX does not have native capability to join an AD domain either, so you would typically rely on either PEAP-MSCHAPv2 user authentication or EAP-TLS with system and/or user certificates.

View solution in original post

0 Helpful
Reply
Latest Contents
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
  About this Document Cisco Secure Endpoint (formerly AMP for Endpoints) is a comprehensive Endpoint Security solution designed to function both as a stand-alone tool, and as a part of the architecture of natively integrated Cisco and 3rd par... view more
Firepower 6.7 Release Demonstration - Health Monitoring
Created by Namit Agarwal on 02-08-2021 11:42 AM
0
0
0
0
  In this video, Namit reviews Health Monitoring improvements and introduces the new Unified Health Monitoring dashboard on the FMC. 
Troubleshoot Dot1x and Radius in IOS and IOS-XE
Created by Mohammed al Baqari on 02-07-2021 12:18 AM
0
5
0
5
To verify the status of RADIUS server from NAD, use the command show aaa server 4507#sh aaa servers   RADIUS: id 3, priority 1, host 10.10.14.20, auth-port 1812, acct-port 1813      State: current UP, duration 10862s, previ... view more
Content for Community-Ad