
ISE 802.1X authentication with MacOS

Hi to everyone,

We have ISE 2.4 deployed as a RADIUS server for Windows clients in Wired and Wireless 802.1X authentication, working with no problems for more than 1 year. We are using EAP-FAST with EAP-Chaining and MSCHAPv2 for user and machine authentication, and the NAM client.

Now we have new MacOS laptops in the company and we want to authenticate them using the same protocols and policies that we use for our Windows clients. We confirmed that NAM is not supported for MacOS. Is it possible to use the same policies and protocols that we use for Windows in our MacOS clients using the native MacOS 802.1X client? We don't have much experience with MacOS, so if you have any guide to configure the MacOS native 802.1X client I would really appreciate it.

Accepted Solutions
Cisco Employee

See a related conversation here:

https://community.cisco.com/t5/network-access-control/machine-user-auth-for-mac-osx/td-p/3471203

EAP Chaining with NAM technically uses EAP-FASTv2, which is Cisco proprietary and only available via the NAM client, which is not supported in OSX. To perform EAP Chaining on OSX, you will need to wait until Apple supports TEAP (RFC 7170) in their native supplicant for standards-based EAP Chaining and use ISE version 2.7 or later.

All current versions of OSX use Network Profiles (in XML format) for configuring 802.1x and the necessary certificates. Most large customers use JAMF Pro or some other MDM to create and deploy the necessary Profiles, enrol the certificates, etc. OSX does not have native capability to join an AD domain either, so you would typically rely on either PEAP-MSCHAPv2 user authentication or EAP-TLS with system and/or user certificates.
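
Added example, not part of the original reply and not Cisco or Apple code: a Python script that builds the kind of XML Network Profile described above for PEAP-MSCHAPv2 on Wi-Fi, and audits a profile for settings that leave the RADIUS server certificate unvalidated. The SSID, server name, payload identifiers and CA UUID are constructed, and the CA certificate payload that the UUID refers to is assumed to ship in the same profile.

```python
import plistlib
import uuid

# Constructed value: must equal the PayloadUUID of the CA certificate payload.
CA_UUID = "11111111-2222-3333-4444-555555555555"

def build_profile(ssid, radius_names, ca_uuid=CA_UUID):
    """Return .mobileconfig bytes with one PEAP-MSCHAPv2 Wi-Fi payload."""
    eap = {
        "AcceptEAPTypes": [25],                   # 25 = PEAP (13 would be EAP-TLS)
        "TLSTrustedServerNames": radius_names,    # names in the ISE EAP certificate
        "PayloadCertificateAnchorUUID": [ca_uuid],
        "TLSAllowTrustExceptions": False,         # no prompt to trust an unknown server
    }
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dot1x.wifi",   # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "AutoJoin": True,
        "EAPClientConfiguration": eap,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dot1x",        # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corp 802.1X (example)",
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile)  # XML plist, the format an MDM deploys

def audit_profile(data):
    """List 802.1X settings that weaken RADIUS server certificate validation."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            continue  # not an 802.1X payload
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no TLSTrustedServerNames")
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append("no PayloadCertificateAnchorUUID")
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append("trust exceptions allowed")
    return findings
```

With PEAP-MSCHAPv2 the supplicant sends the user's credentials inside the TLS tunnel, so a profile that fails this audit lets a client complete authentication against any server that presents a certificate.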