ISE, MAC, AnyC, and Machine Auth?

Eric Hansen
Level 1

I think I may have a lack of understanding type of problem, please don't tell my wife.


I have ISE 1.4, and I am pushing out AnyC 1.4 w/ a NAM profile to Windows, two SSID setup. Works great: the NAM profile lands and configures the second SSID, the Windows boxes do machine authC before the user logs on, then the user logs on and authCs, and away we go with full EAP chaining. Lovely.


But Apple Mac laptops.... There is no NAM. So I take it the users need to manually connect to the second SSID. But how does machine auth ever happen? I keep getting hit with "24423 ISE has not been able to confirm previous successful machine authentication". The machine never auths. The Mac is AD joined, AD is set up as an external identity source, and it works great on the Windows hosts/machine auth.

Is EAP chaining on a Mac a pipe dream, and do I need to start writing different policies? If I have to write policies that only auth the user, I set up a situation where any user with access can bring in any non-company-owned Apple device, and this creates manager aggro.


2 Replies

Thomas Wall
Cisco Employee

Apple currently does not have a concept of machine authentication, so you will continue to receive the alarms for the failed machine authentication. As an alternative, you may consider one of the following options, which I have seen others use.

1. Use user authentication and whitelisting.

2. Send your Mac clients through Supplicant Provisioning to issue a user certificate. (May not prevent outside devices.)

3. Issue the Apple clients machine certificates and use a CAP in ISE that looks at the subject only, which would verify the certificate is valid. Then, in authorization, check the user groups pulled by ISE for the user (machine) and match on the computer group.

4. Posture check company clients on a file or registry condition that only company devices would have.


Additionally, you could configure 802.1x w/ CWA.
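As an added illustration of option 3 (this is not code from the reply above, nor anything ISE ships), the Python below models the decision an ISE authorization rule would make once a CAP has pulled the identity from the certificate subject: the machine cert is only proof of a valid identity, and it is the computer-group match that separates a company Mac from an outside device carrying a user certificate. The AD_GROUPS table, the profile names and the CN-to-account mapping are all constructed assumptions for the example.

```python
import re
from typing import Optional

# Constructed stand-in for the group membership ISE would pull from AD
# (computer accounts end in "$"; names and groups are made up for this example).
AD_GROUPS = {
    "mac01$": {"Domain Computers", "Corp-Macs"},
    "jdoe": {"Domain Users", "Staff"},
}
COMPUTER_GROUP = "Corp-Macs"  # assumed AD computer group the authorization rule matches on


def identity_from_subject(subject: str) -> Optional[str]:
    """Extract the CN from an X.509 subject string, as a CAP keyed on Subject CN would."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1).strip() if m else None


def computer_account(cn: str) -> str:
    """Map a machine-cert CN ('mac01.corp.example.com' or 'host/mac01') to the AD account 'mac01$'."""
    host = cn.split("/", 1)[1] if cn.lower().startswith("host/") else cn
    return host.split(".", 1)[0].lower() + "$"


def authorize(subject: str) -> str:
    """Return the (hypothetical) authorization profile for a client presenting this certificate.

    Mirrors option 3: the CAP only extracts an identity from the subject; the
    authorization rule then requires that identity to be in the computer group.
    """
    cn = identity_from_subject(subject)
    if cn is None:
        return "DenyAccess"  # CAP cannot derive an identity from this certificate
    for ident in (computer_account(cn), cn.lower()):
        if COMPUTER_GROUP in AD_GROUPS.get(ident, set()):
            return "Corp-Device-Access"  # company-issued Mac with a machine certificate
    # Valid certificate but no computer-group membership: the non-company
    # device case from the question lands here and gets limited access.
    return "Restricted-Access"


if __name__ == "__main__":
    for subj in ("CN=mac01.corp.example.com,OU=Macs,DC=corp,DC=example,DC=com",
                 "CN=jdoe,OU=Users,DC=corp,DC=example,DC=com"):
        print(subj, "->", authorize(subj))
```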
