10-08-2024 01:33 PM
Hi,
I'm trying to find a solution for 802.1X with ISE 3.4 using certificates on macOS and Linux machines in a Windows AD environment with a Windows Server 2022 CA. We are currently deploying ISE for Windows machines, where everything is so easy with autoenroll and autorenew for machine and user. We are using TEAP to have both device and user authenticated, as we plan to do per-user-group VLAN mapping, i.e. software engineers will need more access to some services than support engineers.
What solution did you choose for generating/enrolling/auto-enrolling device/user certificates for macOS devices? We have Office 365 with Intune, hybrid with on-prem AD and an on-prem Windows CA, so Intune could be used, I just do not know how. Macs are registered in Intune through Apple Business Manager.
How did you solve Linux machines?
We could generate certificates manually for those devices (and we will probably need to for Linux), but I would like an automated solution, or a solution where I can generate certificates for devices, at least for macOS, that cannot be exported with the private key (I know this could be a problem on Linux, but that is a minority here), to avoid certificates being exported and used on devices not approved by the company.
Thanks
10-08-2024 03:33 PM
I have not done this myself, but I have been interested in reading about using the TPM (Trusted Platform Module) as the source of the private key; there are libraries (TPM2-pkcs11 under Linux) that seem to make this possible. Now you have proof of possession, since the TPM cannot be removed from the device itself. Might require some in-house development though.
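As an added example of the TPM approach described in this reply (not code from the thread or from the tpm2-pkcs11 project), the script below generates the 802.1X client key inside the TPM with tpm2_ptool, builds a CSR through the libp11 OpenSSL engine so only the public key leaves the TPM, imports the CA-issued certificate back into the token, verifies the key object is non-extractable, and renders a wired EAP-TLS wpa_supplicant network block that references the key by PKCS#11 URI. The store directory, module and engine paths, token/key labels, PINs, CA bundle path and the host/FQDN identity format are assumptions to adapt to your distribution and to what ISE expects in the certificate.

```shell
#!/bin/sh
# Added example (not from this thread): generate and keep the 802.1X client key
# inside the TPM with tpm2-pkcs11, so the issued certificate is useless on any
# other machine. Everything below is an assumption to adapt: the tpm2-pkcs11
# store path, the module/engine .so paths, token and key labels, PINs, the
# CA bundle that signs ISE's EAP server certificate, and the identity format.
set -eu

STORE="${TPM2_PKCS11_STORE:-/etc/tpm2_pkcs11}"
MODULE="${PKCS11_MODULE_PATH:-/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"
ENGINE="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"   # libp11 OpenSSL engine
TOKEN="dot1x"
KEY="host"
SOPIN="${SOPIN:-changeme-so}"          # assumption: real PINs come from the environment
USERPIN="${USERPIN:-changeme-user}"
FQDN="$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost)"
CA_BUNDLE="/etc/ssl/certs/corp-root.pem"

# Step 1: create a token backed by a TPM primary object and let the TPM generate
# an RSA-2048 key. tpm2-pkcs11 marks the key non-extractable; no plaintext copy exists.
tpm_init_key() {
    tpm2_ptool init --path "$STORE"                       # prints the primary id (pid)
    tpm2_ptool addtoken --pid 1 --sopin "$SOPIN" --userpin "$USERPIN" \
        --label "$TOKEN" --path "$STORE"                  # assumption: pid 1 from init
    tpm2_ptool addkey --label "$TOKEN" --userpin "$USERPIN" \
        --algorithm rsa2048 --key-label "$KEY" --path "$STORE"
}

# Step 2: build the CSR with the key referenced by PKCS#11 URI. Only the public
# key and the signature leave the TPM. Submitting the CSR to the Windows CA
# (e.g. NDES or a manual certreq) is outside this script.
tpm_make_csr() {
    PKCS11_MODULE_PATH="$MODULE" TPM2_PKCS11_STORE="$STORE" \
    openssl req -new -engine pkcs11 -keyform engine \
        -key "pkcs11:token=$TOKEN;object=$KEY;type=private;pin-value=$USERPIN" \
        -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" \
        -out "$STORE/$KEY.csr"
    echo "CSR at $STORE/$KEY.csr; after the CA signs it run: $0 import <cert.pem>"
}

# Step 3: store the issued certificate in the token next to its key.
tpm_import_cert() {
    tpm2_ptool addcert --label "$TOKEN" --key-label "$KEY" --path "$STORE" "$1"
}

# Check: a TPM-resident private key must report itself as never extractable.
# The exact wording of pkcs11-tool's "Access:" line is an assumption; read the
# listing yourself if the grep fails.
tpm_verify_key_pinned() {
    pkcs11-tool --module "$MODULE" --login --pin "$USERPIN" \
        --list-objects --type privkey | grep -q 'never extractable'
}

# Step 4: wpa_supplicant network block for wired EAP-TLS. The "pkcs11:" URIs make
# wpa_supplicant perform the TLS client signature inside the TPM via the engine.
# args: token key identity ca_bundle userpin
render_wpa_config() {
    cat <<EOF
ctrl_interface=/run/wpa_supplicant
ap_scan=0
pkcs11_engine_path=$ENGINE
pkcs11_module_path=$MODULE
network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0
    identity="host/$3"
    ca_cert="$4"
    client_cert="pkcs11:token=$1;object=$2;type=cert"
    private_key="pkcs11:token=$1;object=$2;type=private"
    pin="$5"
}
EOF
}

case "${1-}" in
    init)   tpm_init_key ;;
    csr)    tpm_make_csr ;;
    import) tpm_import_cert "$2" ;;
    verify) tpm_verify_key_pinned && echo "key '$KEY' is TPM-resident and non-extractable" ;;
    config) render_wpa_config "$TOKEN" "$KEY" "$FQDN" "$CA_BUNDLE" "$USERPIN" ;;
    "")     : ;;    # no verb: only define the functions (useful when sourced)
    *)      echo "usage: $0 {init|csr|import CERT|verify|config}" >&2; exit 2 ;;
esac
```

Run the verbs in order (`init`, `csr`, `import cert.pem`, `verify`, then `config > /etc/wpa_supplicant/wired.conf`) and start the supplicant with `wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired.conf`. Two caveats: the SAN in the CSR has to match whatever ISE's certificate authentication profile uses to identify the device, and because Linux has no autoenroll, renewal is your job; rerun the `csr` and `import` steps from a timer before expiry, which keeps the same TPM-resident key and never exposes it.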
10-08-2024 11:49 PM
We are using JamF MDM for macOS, but there is no way to integrate them into AD. We are using EAP-TLS with user certificates for authentication, and authorization is based on user-to-AD-group mapping.
For Linux, we are not using them on our network, but there are some guides if you search Google (https://www.redhat.com/sysadmin/linux-active-directory).
10-09-2024 12:15 AM - edited 10-09-2024 01:32 AM
@JPavonM and how are you generating user certificates? Manually for each user, e.g. on their employment start day, and distributing them using JAMF? (Everything JAMF is able to do, Intune should be able to do too, as it uses the same Apple APIs.) What about renewals?
10-09-2024 01:03 AM
The user certificates are generated in the on-premises AD (or Entra ID) and distributed from JamF.
https://learn.jamf.com/en-US/bundle/technical-paper-8021x-current/page/Overview_of_8021x.html
https://travellingtechguy.blog/jamf-adcs-connector/
https://www.youtube.com/watch?v=oRkpkN1Z3aI
And this guide to integrate JamF with Intune:
https://learn.jamf.com/en-US/bundle/technical-paper-scep-proxy-current/page/Enabling_as_SCEP_Proxy_for_Configuration_Profiles.html
https://macnotes.wordpress.com/2020/11/11/configuring-azure-web-application-proxy-for-jamf-pro-scep-certificates/
10-09-2024 05:34 AM
See the ISE BERG (Big Encyclopedic Resources Guide) @ https://cs.co/ise-berg :
10-10-2024 12:08 AM
Thanks all. I had hoped a little that somebody would come with a real example of how to configure Intune to use an on-prem CA and push those certs to Apple devices. Now it looks like nobody is using Macs in the enterprise (and if I could, I would throw them out of a 7th-floor window immediately; they just complicate everything for us).
10-10-2024 02:19 PM - edited 10-10-2024 02:20 PM
Intune is fully capable of deploying SCEP profiles for macOS devices, so this could be done using your on-prem CA as long as it supports SCEP/NDES. Cisco ISE has no interaction in this process.
If you're looking for information on how to set up the SCEP profiles, see the following link. If you need more support around this, you would need to seek it from Microsoft.
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep