2246 Views, 25 Helpful, 7 Replies

ISE Policy specifically targeting Macintosh-Workstation endpoints

woodsr (Level 1)

Hi, I was wondering if there was any way to create a policy that specifically targets Macintosh-Workstation endpoints.

My end goal would be that every Mac would be challenged with an 802.1X PEAP request at connection, rather than just a TLS certificate-based auth. Many reasons why.

Any suggestions would be appreciated.

Accepted Solution

thomas (Cisco Employee)

We cannot know what the endpoint is from only an 802.1X EAP connection unless you encode some endpoint platform details in the username (PEAP) or digital certificate (EAP-TLS) attribute. (RADIUS:Username starts-with "apple-mac", etc.)

The network device does not know what the endpoint is at link-up/association. It merely challenges it with 802.1X and then proxies all responses from the endpoint to ISE. ISE and the endpoint will negotiate an EAP authentication protocol based on configured ISE policies. As long as PEAP is an Allowed Protocol in an ISE policy and the endpoint is configured to authenticate with PEAP... it will work.

7 Replies

Profiling? What is your actual use case though, since we are talking about authc here (PEAP and EAP-TLS), not authz.

Arne Bier (VIP)

ISE has Profiler Policies that can match on Apple operating systems. But with new endpoints that ISE has never seen before, and EAP authentication, ISE won't have a chance to profile the endpoint because DHCP won't have occurred yet. So it's a chicken-and-egg situation.

Perhaps there are tricks to send those endpoints to a profiling VLAN after they have successfully authenticated. Let ISE profile the endpoint and then re-auth it. The second time around it will match the macOS AuthZ and land in a different VLAN or get another ACL.

You will need Plus (or Advantage) licenses to perform this type of Authorization.

Greg Gibbs (Cisco Employee)

Keep in mind that Profiling depends on the information that ISE learns from the network. If you have Mac endpoints connecting to the wired network using dongles, that will break the ability to profile the Mac endpoints, as the dongle will not use an Apple MAC address.

To the same point, if the MacBooks are using randomized MAC addresses for the Wi-Fi connections (or if the user has a way to change the MAC address), it will also break the default profiling policies.

Profiling based on nothing but the MAC OUI is trivially easy to break and should only be used when no other options are available.
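To make the thread's three points concrete (thomas's "encode the platform in the identity" rule, Arne's authenticate-profile-reauth trick, and Greg's warning that a dongle MAC breaks OUI-based profiling), here is a small Python model of the authc/authz flow. It is an added example written for this page, not Cisco's code or an ISE export: the rule names, result names, OUI values and the DHCP vendor-class string are all assumptions chosen for illustration.

```python
"""Toy model of the ISE authentication/authorization flow discussed in the
thread. Constructed for illustration, not Cisco's code: rule names, result
names, OUI values and DHCP strings are all assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for the profiler's OUI lookup. Values are made up for this
# example, not copied from the IEEE registry.
OUI_VENDOR = {
    "00:03:93": "Apple",
    "00:11:22": "DongleCorp",  # hypothetical USB-C Ethernet adapter vendor
}


@dataclass
class AccessRequest:
    """What ISE sees: the NAD proxies EAP and adds the endpoint's MAC."""
    calling_station_id: str  # the Mac's MAC, or the dongle's MAC (Greg's point)
    user_name: str           # PEAP identity or EAP-TLS certificate identity
    eap_method: str          # "PEAP" or "EAP-TLS"


@dataclass
class Profiler:
    """MAC -> profiled OS. Empty until ISE has learned something about the MAC."""
    endpoints: dict = field(default_factory=dict)

    def oui(self, mac: str) -> Optional[str]:
        return OUI_VENDOR.get(mac.upper()[:8])

    def observe_dhcp(self, mac: str, vendor_class: str) -> None:
        # Modelled on an Apple-Device -> Macintosh-Workstation hierarchy
        # (assumption): the child policy only matches when the OUI already
        # says Apple, which is exactly what a non-Apple dongle breaks.
        if self.oui(mac) == "Apple" and vendor_class.startswith("Mac"):
            self.endpoints[mac.upper()] = "Macintosh-Workstation"


def authenticate(req: AccessRequest, allowed_protocols: tuple) -> bool:
    """Authc: the negotiated EAP method must be in the rule's Allowed Protocols."""
    return req.eap_method in allowed_protocols


def authorize(req: AccessRequest, profiler: Profiler) -> str:
    """Authz rules evaluated top-down, as in an ISE policy set."""
    mac = req.calling_station_id.upper()
    # thomas: encode the platform in the identity, matched like
    # RADIUS:User-Name STARTS_WITH "apple-mac". Survives dongles and MAC changes.
    if req.user_name.startswith("apple-mac"):
        return "MacOS-PEAP-Access"
    # Arne: a profiler match, which can only exist on a later authentication.
    if profiler.endpoints.get(mac) == "Macintosh-Workstation":
        return "MacOS-Profiled-Access"
    # Arne's trick: park unknown endpoints where DHCP can happen, re-auth later.
    return "Profiling-VLAN"


def connect_then_reauth(mac, user, eap, profiler, allowed=("PEAP", "EAP-TLS"),
                        dhcp_vendor_class="Mac OS X"):
    """One link-up, DHCP inside the first VLAN, then a CoA re-auth.
    Returns the authz result of both passes ("REJECT" twice if authc fails)."""
    req = AccessRequest(mac, user, eap)
    if not authenticate(req, allowed):
        return ("REJECT", "REJECT")
    first = authorize(req, profiler)
    # The DHCP probe only fires after the first authorization granted a VLAN,
    # which is the chicken-and-egg Arne describes.
    profiler.observe_dhcp(mac, dhcp_vendor_class)
    second = authorize(req, profiler)
    return (first, second)


if __name__ == "__main__":
    p = Profiler()
    # Built-in Apple NIC: parked, profiled, then matched on the second pass.
    print(connect_then_reauth("00:03:93:AA:BB:CC", "jdoe", "PEAP", p))
    # Same user through a dongle: the OUI never says Apple, so never profiled.
    print(connect_then_reauth("00:11:22:AA:BB:CC", "jdoe", "PEAP", p))
    # thomas's approach through the same dongle: matched on the first pass.
    print(connect_then_reauth("00:11:22:AA:BB:CC", "apple-mac-jdoe", "PEAP", p))
    # EAP-TLS offered, but the authc rule only allows PEAP: rejected.
    print(connect_then_reauth("00:03:93:AA:BB:CC", "jdoe", "EAP-TLS", p,
                              allowed=("PEAP",)))
```

The second scenario is Greg's failure mode: the Mac is genuinely a Mac, but the profiler only ever sees the dongle's OUI, so the profile-based rule never fires and the endpoint stays in the parking VLAN on every re-auth. The third shows why thomas's identity-based rule is the robust answer to the original question: it does not depend on anything the endpoint's hardware or the user can change.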

Arne Bier (VIP)

The point that Greg makes is very valid. I have seen some other vendors tackle this problem - e.g. Dell. If you connect a Dell laptop to a Dell dock, then the Ethernet MAC address of the Dock is not used - instead, a MAC address stored in the BIOS of the laptop is used. This is called Passthrough mode. It's great because in large enterprises users might move around from one hot-desk to another hot-desk. With their solution, the MAC address of the endpoint always remains the same.

I don't know if other vendors do the same - e.g. Lenovo laptops + Lenovo Dock.

From what I've seen from testing docks from a few different vendors in the past, this pass-through mode is only valid for Windows PCs. I believe it's either the NIC or the NIC driver that keeps a small range of MAC addresses it can use for these pass-through connections that are essentially 'burned-in' and generally unique to that PC. When the network connection is established and the dock supports this pass-through feature, the PC will present that MAC address.

MacBooks, however, only have a burned-in MAC address for the Wi-Fi interface and the Thunderbolt Bridge. There is no such burned-in MAC address for wired dongle/dock connections, so the MAC address of the dongle or dock itself is presented for those connections on a MacBook.

Charlie Moreton (Cisco Employee)

Perhaps PEAP > EAP-TLS for authentication?  Without details of the actual use case, you will be hard-pressed to get a definitive answer.

The network device does not know what the endpoint is at link-up/association. It merely challenges it with 802.1X and then proxies all response from the endpoint to ISE. ISE and the endpoint will negotiate an EAP authentication protocol based on configured ISE policies.  As long as PEAP is an Allowed Protocol in an ISE policy and the endpoint is configured to authenticate with PEAP... it will work.