Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7984
Views
45
Helpful
10
Replies

MacOS PC 802.1x Native Suplicant

Go to solution
josimaru85
Spotlight
Spotlight

‎01-30-2020 02:29 PM - edited ‎01-30-2020 02:46 PM

Hi everybody!

 

First of all I am not Apple Specialist, and I dont have ApplePC to test *******

 

I already know that we can face with Apple product during a Cisco ISE 2.4 deployoment and Apple has multiple operating systems:

  • macOS (workstations/laptops)
  • iOS (iPhone)
  • iPadOS (iPads).

And for Mobile devices (iOS and iPadOS) may be provisioned with ISE and BYOD. See Cisco ISE BYOD Prescriptive Deployment Guide for details on how to do this.

 

And For macOS, you must use the Apple Configurator Tool - an enterprise system administrator tool - to provision profiles containing certifications and configuration settings to your Apple workstations. So my question is:

 

What is more common under macOS deployment using Apple Configurator to create Cisco ISE Authentication and Authorization rules?

 

(01) PEAP+MAB+Domain Computer

(02) EAP-TLS+CA Credentials

(03) EasyConnect

 

I alredy tried to check some google links but nothing good.

 

**** I put in attach a template model that I did by myself and I dont know if good or not

 

 

I am looking for your reply

Josinfo

 

 

Preview file
631 KB
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎01-30-2020 03:39 PM

While the Apple Configurator tool might be useful for lab environments, my experience with several large enterprise customers is that they all use a more full-featured MDM like JAMF Pro to create and deploy profiles with network and certificate payloads to their managed Apple devices.

Both PEAP-MSCHAPv2 and EAP-TLS are options, and the decision on which is used depends mainly on the customer's business and security requirements. The majority I have worked with use EAP-TLS.

From what I've seen, Apple devices do not really have a separate Computer and User state, so PEAP or EAP-TLS credentials are mainly user-based.

MacBooks do not natively support joining AD so, unless the customer is using a 3rd party agent to join AD, it is not typically possible to authenticate the computer. One customer I've worked with used a 'shared' certificate (matching only the Issuer Name and CN in AuthC and AuthZ policies) across their fleet as a temporary workaround until they could uplift their PKI environment to support the scale they needed for SCEP to enrol individual user certificates.

 

Cheers,

Greg

View solution in original post

10 Replies 10

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎01-30-2020 03:39 PM

While the Apple Configurator tool might be useful for lab environments, my experience with several large enterprise customers is that they all use a more full-featured MDM like JAMF Pro to create and deploy profiles with network and certificate payloads to their managed Apple devices.

Both PEAP-MSCHAPv2 and EAP-TLS are options, and the decision on which is used depends mainly on the customer's business and security requirements. The majority I have worked with use EAP-TLS.

From what I've seen, Apple devices do not really have a separate Computer and User state, so PEAP or EAP-TLS credentials are mainly user-based.

MacBooks do not natively support joining AD so, unless the customer is using a 3rd party agent to join AD, it is not typically possible to authenticate the computer. One customer I've worked with used a 'shared' certificate (matching only the Issuer Name and CN in AuthC and AuthZ policies) across their fleet as a temporary workaround until they could uplift their PKI environment to support the scale they needed for SCEP to enrol individual user certificates.

 

Cheers,

Greg

Go to solution
josimaru85
Spotlight
Spotlight
In response to Greg Gibbs

‎01-30-2020 03:55 PM - edited ‎01-30-2020 03:56 PM

HI @Greg Gibbs Thanks for your reply!

 

So for this project I have few MacOS around 20 or 30.

Did you check my .pdf for the simple deployement do you think that is functional?

for Cisco ISE I am planning to configure under ISE 2.4 the follow rules and just to validate:

 

If true

PEAP + MAB Group + AD User condition

than pass

 

what do you think?

and I looking about Easy connect, do you think if this work nice with MacOS PC?

 

Regards,

Josinfo

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to josimaru85

‎01-30-2020 04:14 PM

I'm not sure about the reason for the 'MAB Group' condition unless you're using this to differentiate between a Mac and another device using the same user account. You would have to statically add the MAC addresses to an Endpoint ID Group, which does not scale well. It's easy to spoof a MAC address as well, so MAB shouldn't be used as a security control.

EasyConnect will not work as it requires ISE to basically snoop the Netlogon from the PC to AD. Since the Mac doesn't login to AD, EC is not possible.

Some observations on your profile:

  1. I've had issues in the past with testing a Wifi profile created from Apple Configurator for a wired connection. I'm not sure if Apple has changed something there, so you should test that.
  2. Without specifying the username and password, you would have to assume that the Apple device would prompt the user. I'm not sure if this is the behaviour for all Apple devices, so you would want to test that.
  3. I believe Apple devices still require trusting the CA chain that signed the certificate presented by the RADIUS server (ISE). I would suggest adding the CA chain in the profile payload as well.

Cheers,

Greg

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to josimaru85

‎01-30-2020 04:24 PM - edited ‎01-31-2020 04:28 PM

<removed duplicate reply>

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to josimaru85

‎01-30-2020 04:29 PM - edited ‎01-31-2020 04:29 PM

<removed duplicate reply>

0 Helpful

Go to solution
MU_B
Level 1
Level 1
In response to Greg Gibbs

‎10-26-2020 02:25 PM

Hi @Greg Gibbs 

 

We are trying to perform Machine and User Authentication on the macbook's for that we have our Desktop IT team created a computer level and user level profiles using JAMF Pro, the macbook's are not AD Joined, but the macbook machine names are part of domain computers group.

 

The ISE AuthZ profile is set to pass only if computer and user AuthC is passed successful. For the same policy sets the Windows PEAP-MSCAPv2 works good with MAR but we want to know how or what need to be done for the macbook's to have machine and user authentication. Without using NAM or any other supplicants.

 

Just like windows we want o use native supplicants on the MAC Books as well.

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to MU_B

‎10-26-2020 03:03 PM

The OSX supplicant works differently than Windows, so I'm not sure if ISE will even recognize the 'computer' login to match the 'was machine authenticated' condition for MAR.

When a Windows PC joins the domain, it creates a randomly generated password for the computer account. This password is used to authenticate the computer session with PEAP-MSCHAPv2, so I'm not sure how you are exporting this password to import it into the network profile for each individual Mac.

Are you seeing a successful 'computer' authentication in the ISE logs for the Macbooks?

I can't say I've seen this type of setup (and I recommend against any of my customers using MAR), so I can't say that it will actually work.

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-31-2020 07:55 AM

Every enterprise I have deployed ISE for has had an MDM that they did this from which changes the process somewhat. Workspace One for example (used to be called airwatch), will let you provisions certificates and push 802.1x profiles within the same profile. This also has the added benefit of being able to push the trust chain for EAP, which apple tends to require the root, intermediate, at ISE cert be pushed for trust.

The only downside I have found is on the mac book side, when you plug in to a 802.1x network, or join a 802.1x wireless network, the client will be prompted to select a certificate if there are multiple. If some other user cert has been pushed/installed, this can cause the user to select the incorrect cert.

So any MDM that the mac's are a part of?

Go to solution
Kevin S Hatch
Level 1
Level 1
In response to Damien Miller

‎03-09-2022 11:52 AM

Damien,

 

Is there a best practice, in regards to choosing which certificate to choose. Right now we have it working, but every 30 minutes it comes up to choose a certificate again.  looking for any help in determining how to fix this....

 

Kevin Hatch

Go to solution
MU_B
Level 1
Level 1

‎10-26-2020 02:33 PM - edited ‎10-26-2020 02:33 PM

We are trying to perform Machine and User Authentication on the macbook's for that we have our Desktop IT team created a computer level and user level profiles using JAMF Pro, the macbook's are not AD Joined, but the macbook machine names are part of domain computers group.

The ISE AuthZ profile is set to pass only if computer and user AuthC is passed successful. For the same policy sets the Windows PEAP-MSCAPv2 works good with MAR but we want to know how or what need to be done for the macbook's to have machine and user authentication. Without using NAM or any other supplicants.

Just like Windows (User or Computer Authentication) we want to use native supplicants on the MAC Books as well.

@_Warren

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents