Beginner

ISE, MAC, AnyC, and Machine Auth?

I think I may have a lack of understanding type of problem, please don't tell my wife.

I have ISE 1.4, and I am pushing out AnyC 1.4 w/ a NAM profile to Windows, two-SSID setup. Works great: the NAM profile lands and configures the second SSID, and the Windows boxes machine-authC prior to the user logging on, then the user logs on and authc's and away we go with full EAP chaining. Lovely.

But Apple Mac laptops.... There is no NAM. So I take it the users need to manually connect to the second SSID. But how does machine auth ever happen? I keep getting hit with "24423 ISE has not been able to confirm previous successful machine authentication". The machine never auths. The Mac is AD-joined, AD is set up as an external identity source, and it works great on the Windows hosts/machine auth.

Is EAP chaining on a Mac a pipe dream, and do I need to start writing different policies? If I have to write policies that only auth the user, I set up a situation where any user with access can bring in any non-company-owned Apple device, and this creates manager aggro.

Accepted Solution

Cisco Employee

Apple currently does not have a concept of machine authentication, so you will continue to receive the alarms for the failed machine authentication. As an alternative you may consider one of the following options, which I have seen others use.

1. Use user authentication and whitelisting.

2. Send your Mac clients through Supplicant Provisioning to issue a user certificate. (May not prevent outside devices.)

3. Issue the Apple clients machine certificates and use a CAP in ISE to look at the subject only, which would verify the certificate is valid. Then, in authorization, check the user groups pulled by ISE for the user (machine) and match on the computer group.

4. Posture check company clients on a file or registry condition that only company devices would have.
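To make option 3 concrete, here is an added example that is not from this thread or from Cisco: it models the two checks that option describes, the CAP taking the identity from the certificate subject, and the authorization rule matching that identity against an AD computer group. The DN strings, the computer group contents and the `authorize`/`machine_identity` helpers are all constructed for illustration; real ISE does this in its policy engine, not in Python.

```python
# Added example modelling option 3 (machine cert + CAP on subject + computer-group
# match). Everything here is constructed sample data, not an ISE API.
from __future__ import annotations
import re

# Constructed stand-in for the AD computer group (sAMAccountName form, "NAME$").
COMPANY_COMPUTERS = {"MBP-ALICE$", "MBP-BOB$"}

# Split an RFC 4514 DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> dict[str, str]:
    """Parse a subject DN string ('CN=x,OU=y,...') into {ATTR: value}.
    Escaped commas inside a value ('\\,') are preserved as literal commas."""
    out: dict[str, str] = {}
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        out[attr.strip().upper()] = value.replace("\\,", ",")
    return out


def machine_identity(subject_dn: str) -> str | None:
    """Derive the AD computer account name from a machine certificate subject.
    Expects CN=<hostname>.<domain> (the usual machine cert shape); a CN that
    looks like a user identity (contains '@') yields None, so a user cert
    issued to a personal Mac cannot satisfy the machine rule."""
    cn = parse_dn(subject_dn).get("CN")
    if not cn or "@" in cn:
        return None
    host = cn.split(".", 1)[0]
    return host.upper() + "$"


def authorize(subject_dn: str, chain_valid: bool) -> str:
    """Authorization decision for the EAP-TLS machine flow in option 3.
    chain_valid models the CAP's outcome: the subject is only consulted for an
    identity once the certificate itself chains to a trusted CA."""
    if not chain_valid:
        return "REJECT: certificate not trusted"
    ident = machine_identity(subject_dn)
    if ident is None:
        return "REJECT: subject is not a machine identity"
    if ident not in COMPANY_COMPUTERS:
        return "REJECT: computer not in company group"
    return f"PERMIT: {ident}"
```

The last two branches are the ones that distinguish a company-owned Mac from an outside device carrying a user certificate, which is the gap option 2 leaves open.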


2 REPLIES 2
Cisco Employee

Additionally, you could configure 802.1x w/ CWA.
