06-19-2015 08:23 AM - edited 03-10-2019 10:49 PM
I think I may have a lack of understanding type of problem, please don't tell my wife.
I have ISE 1.4, and I am pushing out AnyC 1.4 w/ a NAM profile to Windows, two SSID setup. Works great, the NAM profile lands and configures the second SSID and the Windows boxes machine authC prior to the user logging on, then the user logs on and authc's and away we go with full EAP chaining. Lovely.
But Apple Mac laptops.... There is no NAM. So I take it the users need to manually connect to the second SSID. But how does machine auth ever happen? I keep getting hit with "24423 ISE has not been able to confirm previous successful machine authentication". The machine never auths. The Mac is AD joined, AD is set up as an external identity source, and it works great on the Windows hosts/machine auth.
Is EAP chaining on a Mac a pipe dream, and do I need to start writing different policies? If I have to write policies that only auth the user, I set up a situation where any user with access can bring in any non-company-owned Apple device, and this creates manager aggro.
06-19-2015 01:27 PM
Apple currently does not have a concept of machine authentication so you will continue to receive the alarms for the failed machine authentication. As an alternative you may consider one of the following options which I have seen others use.
1. Using user authentication and whitelisting
2. Send your Mac clients through Supplicant Provisioning to issue a user certificate. (May not prevent outside devices)
3. Issue the Apple clients machine certificates and use a CAP in ISE to look at the subject only which would verify the certificate is valid. Then in authorization, check the user groups pulled by ISE for the user (Machine) and match on the computer group.
4. Posture check company clients on a file or registry condition that only company devices would have.
07-22-2015 01:59 PM
Additionally, you could configure 802.1x w/ CWA.