06-18-2010 09:58 AM - edited 02-21-2020 10:24 AM
I realize that the Macs in our OOB VGW environment can't do SSO like the Windows machines. Since I don't want to get into the business of managing a lot of user IDs and passwords, I've been trying to come up with alternatives.
The first one that comes to mind is a "group" ID and password in the local DB that the Mac users can use. Simple but from a security standpoint not a good idea.
The second thought is to create a second authentication server where Mac users could point to when the login screen pops up.
Are there any caveats to using the second auth server? Is there any chance it could cause problems with SSO?
Thanks!
Bob
06-18-2010 10:17 AM
Bob,
Second auth server's the way to go. Make it LDAP, so they'll just have to re-use their AD credentials.
It wouldn't cause any issues with your existing AD SSO.
HTH,
Faisal
06-21-2010 12:43 PM
Thanks Faisal!
Since our LDAP auth servers are the same as our AD, or at least a subset of the AD servers, we were going to use the same User Name that we use for AD-SSO. Is that OK, or do we need to use something entirely different?
I have a follow-up question - working on the premise that I have the LDAP authentication working, how do I actually direct the Mac users to the LDAP authentication? (They are using the Mac Agent.)
The way that seems to make the most sense to me is to a User Login Page that is specific to the Mac OS. (I have configured the login page and enabled it so I guess we'll see.)
06-22-2010 06:56 AM
Robert,
You can use either a MAC user page, or just set LDAP on your default page. This way, if any of your Windows machines fail authentication too for any reason, they will have the option to use LDAP to log in. Either should work just fine.
Same username for LDAP setup would work fine too.
HTH,
Faisal
06-22-2010 07:06 AM
Once again, Thank You.
I have created a MAC_ALL login page and am testing.
06-22-2010 09:11 AM
Faisal,
I attempted to point to a User Login page for Macintosh and the login failed. They are using the Mac Agent for Ver 4.7.2, but when they connect they don't get the Mac login page; they get the default OS "All" page.
I have attached the screen scrapes of the MAC login page.
Is there a way to specifically point the Mac devices to the page? I was working on the impression that NAC should recognize the OS and point them to it. (I must be missing a step!)
06-22-2010 09:49 AM
Rob,
What's the order of the user pages? Can you post a screenshot of that? If ALL is above MAC_ALL, then the MAC will hit that first and not look further.
HTH,
Faisal
06-23-2010 11:46 AM
Faisal,
I did have the MAC_ALL at the top. I have since altered ALL to also behave differently; that is, I added the LDAP server for authentication and made the LDAP server the default provider.
The only screen that pops up is the generic default screen (see attached) that is seen when a user's Windows PC is redirected to the CAS after opening an HTTP session.
I must be missing something really basic. What controls the login screen that is seen by a user when they are using an installed agent (corporate device) or a Web Agent (Contractor's device)? The user's page Login Page implies it is OS as in the case of MAC_ALL.
06-23-2010 12:04 PM
Rob,
Please post the content tab from your mac_all page.
Faisal
06-23-2010 12:11 PM
06-24-2010 10:20 AM
OK - Now I am embarrassed.
When everything looks like it should work - Reboot! (The CAS.)
I now get drop down on the MAC OSx 4.7.2.507 CCA agent as well as Webagent.