ISE and MacOS + Linux in Windows AD/CA environment

Tibor M
Level 1

Hi,

I am trying to find a solution for 802.1X with ISE 3.4 using certificates on macOS and Linux machines in a Windows AD environment with a Windows Server 2022 CA. We are currently deploying ISE for Windows machines, where everything is so easy with autoenroll and autorenew for machine and user. We are using TEAP to have both the device and the user authenticated, as we plan to do per-user-group VLAN mapping, since e.g. software engineers will need more access to some services than e.g. support engineers.

What solution did you choose for generating/enrolling/auto-enrolling device/user certificates for macOS devices? We have Office 365 with Intune, hybrid with on-prem AD and an on-prem Windows CA, so Intune could be used, I just do not know how. Macs are registered in Intune through Apple Business Manager.

How did you solve this for Linux machines?

We could generate certificates manually for those devices (and we will probably need to for Linux), but I would like to have an automated solution, or a solution where I can generate certificates for devices, at least for macOS, that cannot be exported together with the private key (I know this could be a problem on Linux, but that is a minority here), to avoid certificates being exported and used on devices not approved by the company.

Thanks

1 Reply

Arne Bier
VIP

I have not done this myself, but I have been interested in reading about using the TPM (Trusted Platform Module) as the source of the private key - there are libraries (tpm2-pkcs11 under Linux) that seem to make this possible. Now you have proof of possession, since the TPM cannot be removed from the device itself. Might require some in-house development though.