Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
18353
Views
23
Helpful
5
Replies

Machine + User Auth for MAC OSX

Go to solution
Ale79
Cisco Employee
Cisco Employee

‎03-20-2017 09:01 AM

Just wanted to check if there is a way to authenticate Mac IOS X - machine authentication and  User authentication against our ISE? If it is not supported, is there any alternative way?

3 people had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to Jason Kunst

‎03-28-2017 01:42 PM

In general Mac OS will use System Profile or User Profile, but not both.  Even if mixed System with Login, it would still be treated as separate authentications, so may be able to support MAR with its known limitations.  Unless Apple adopts TEAP (RFC 7170), then you will not have a truly combined Machine+User auth based on 802.1X. 

The CiscoLive session does discuss other ways to marry machine "identity" with user identity.  Options include:

  • Machine Access Restrictions (MAR)
  • CWA Chaining
  • EasyConnect (EZC) Chaining (requires adding Mac clients to AD)
  • User Auth + Posture (check for key files, services, processes, etc that are telltale signs of corp device)
  • User Auth + Profiler (for example, customer DHCP Class ID)
  • User Auth + Device Registration / Customer Attribute
  • User Auth + MDM/DM integration (registration in external manager indicates managed endpoint)
  • User Auth + MAC Lookup to external ID store
  • Implicit methods such as Multi-Factor Auth.  For example, user required to enter credentials or provide biometric data to unlock device credentials/cert.

/Craig

View solution in original post

5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-20-2017 12:17 PM

Although title and abstract do not match, this topic is covered in this session from Melbourne:

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=94624&backBtn=true

Go to solution
Craig Hyps
Level 10
Level 10
In response to Jason Kunst

‎03-28-2017 01:42 PM

In general Mac OS will use System Profile or User Profile, but not both.  Even if mixed System with Login, it would still be treated as separate authentications, so may be able to support MAR with its known limitations.  Unless Apple adopts TEAP (RFC 7170), then you will not have a truly combined Machine+User auth based on 802.1X. 

The CiscoLive session does discuss other ways to marry machine "identity" with user identity.  Options include:

  • Machine Access Restrictions (MAR)
  • CWA Chaining
  • EasyConnect (EZC) Chaining (requires adding Mac clients to AD)
  • User Auth + Posture (check for key files, services, processes, etc that are telltale signs of corp device)
  • User Auth + Profiler (for example, customer DHCP Class ID)
  • User Auth + Device Registration / Customer Attribute
  • User Auth + MDM/DM integration (registration in external manager indicates managed endpoint)
  • User Auth + MAC Lookup to external ID store
  • Implicit methods such as Multi-Factor Auth.  For example, user required to enter credentials or provide biometric data to unlock device credentials/cert.

/Craig

Go to solution
jaime.pedraza
Level 1
Level 1
In response to Craig Hyps

‎02-06-2019 08:24 AM

Hi Craig,

I know this is a rather old post but, do you have the number of the session to search it on cisco live library? 

Thanks!

James

0 Helpful

Go to solution
TitanAE
Level 1
Level 1
In response to Jason Kunst

‎02-25-2020 11:18 AM

Could you please re-upload the video in question?  I get a 404 error when I hit the page.

0 Helpful

Go to solution
Oliver Laue
Level 4
Level 4

‎03-21-2017 12:21 AM

Apple describes this in one of their own Guides.

macOS knows 3 Authentication modes.

System Mode = Machine Authentication

Login Window Mode = User Authentication taken from the login screen

User Mode = user Authentication like iOS

as described in the document you can mix System Mode with Login Window Mode. But i've never configured it since the Login Window Mode needs an Authentication of a User against LDAP or Active Directory.

http://training.apple.com/pdf/WP_8021X_Authentication.pdf

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents