josimaru85
Beginner

MacOS PC 802.1x Native Supplicant

Hi everybody!

 

First of all, I am not an Apple specialist, and I don't have an Apple PC to test *******

I already know that we can come across Apple products during a Cisco ISE 2.4 deployment, and Apple has multiple operating systems:

  • macOS (workstations/laptops)
  • iOS (iPhone)
  • iPadOS (iPads).

Mobile devices (iOS and iPadOS) may be provisioned with ISE and BYOD. See the Cisco ISE BYOD Prescriptive Deployment Guide for details on how to do this.

For macOS, you must use the Apple Configurator Tool - an enterprise system administrator tool - to provision profiles containing certifications and configuration settings to your Apple workstations. So my question is:

What is more common in a macOS deployment using Apple Configurator when creating Cisco ISE Authentication and Authorization rules?

 

(01) PEAP+MAB+Domain Computer

(02) EAP-TLS+CA Credentials

(03) EasyConnect

 

I already tried to check some Google links but found nothing good.

**** I have attached a template model that I made myself, and I don't know if it is good or not.

I am looking forward to your reply

Josinfo

 

 

Accepted Solution
Greg Gibbs
Cisco Employee

While the Apple Configurator tool might be useful for lab environments, my experience with several large enterprise customers is that they all use a more full-featured MDM like JAMF Pro to create and deploy profiles with network and certificate payloads to their managed Apple devices.

Both PEAP-MSCHAPv2 and EAP-TLS are options, and the decision on which is used depends mainly on the customer's business and security requirements. The majority I have worked with use EAP-TLS.

From what I've seen, Apple devices do not really have a separate Computer and User state, so PEAP or EAP-TLS credentials are mainly user-based.

MacBooks do not natively support joining AD so, unless the customer is using a 3rd party agent to join AD, it is not typically possible to authenticate the computer. One customer I've worked with used a 'shared' certificate (matching only the Issuer Name and CN in AuthC and AuthZ policies) across their fleet as a temporary workaround until they could uplift their PKI environment to support the scale they needed for SCEP to enrol individual user certificates.

 

Cheers,

Greg


Hi @Greg Gibbs, thanks for your reply!

So for this project I have a few MacOS, around 20 or 30.

Did you check my .pdf for the simple deployment? Do you think that it is functional?

For Cisco ISE, I am planning to configure the following rules under ISE 2.4, just to validate:

If true

PEAP + MAB Group + AD User condition

then pass

What do you think?

And I am looking at EasyConnect; do you think this works nicely with a MacOS PC?

 

Regards,

Josinfo

I'm not sure about the reason for the 'MAB Group' condition unless you're using this to differentiate between a Mac and another device using the same user account. You would have to statically add the MAC addresses to an Endpoint ID Group, which does not scale well. It's easy to spoof a MAC address as well, so MAB shouldn't be used as a security control.

EasyConnect will not work as it requires ISE to basically snoop the Netlogon from the PC to AD. Since the Mac doesn't log in to AD, EC is not possible.

Some observations on your profile:

  1. I've had issues in the past with testing a Wifi profile created from Apple Configurator for a wired connection. I'm not sure if Apple has changed something there, so you should test that.
  2. Without specifying the username and password, you would have to assume that the Apple device would prompt the user. I'm not sure if this is the behaviour for all Apple devices, so you would want to test that.
  3. I believe Apple devices still require trusting the CA chain that signed the certificate presented by the RADIUS server (ISE). I would suggest adding the CA chain in the profile payload as well.

Cheers,

Greg
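The profile observations above, turned into a pre-deployment check (an added example, not part of the original thread or the attached profile). It assumes Apple's configuration-profile keys `EAPClientConfiguration`, `AcceptEAPTypes`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`, `UserName` and `PayloadCertificateUUID`; the function names, UUIDs and server name are constructed for illustration.

```python
import plistlib

EAP_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def lint_profile(data: bytes) -> list:
    """Return findings for every payload that carries 802.1X (EAP) settings."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue
        name = p.get("PayloadDisplayName", p.get("PayloadType", "?"))
        methods = [EAP_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])]
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{name}: no trust anchor for the RADIUS (ISE) server certificate")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{name}: anchor {uuid} has no CA certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{name}: server name not pinned (TLSTrustedServerNames)")
        if "PEAP" in methods and not eap.get("UserName"):
            findings.append(f"{name}: PEAP without UserName, device is expected to prompt")
        if "EAP-TLS" in methods and not p.get("PayloadCertificateUUID"):
            findings.append(f"{name}: EAP-TLS without an identity certificate reference")
    return findings

def sample(fixed: bool) -> bytes:
    """Constructed profile: PEAP-only Wi-Fi payload, optionally with the CA chain added."""
    eap = {"AcceptEAPTypes": [25]}
    content = [{"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-0001",
                "PayloadDisplayName": "Corp 802.1X", "EAPClientConfiguration": eap}]
    if fixed:
        eap.update(PayloadCertificateAnchorUUID=["CA-0001"],
                   TLSTrustedServerNames=["ise.example.com"], UserName="placeholder")
        content.append({"PayloadType": "com.apple.security.root",
                        "PayloadUUID": "CA-0001", "PayloadContent": b"constructed"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})

if __name__ == "__main__":
    for finding in lint_profile(sample(fixed=False)):
        print(finding)
```
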


Hi @Greg Gibbs 

 

We are trying to perform machine and user authentication on the MacBooks. For that, our Desktop IT team created computer-level and user-level profiles using JAMF Pro. The MacBooks are not AD joined, but the MacBook machine names are part of the Domain Computers group.

The ISE AuthZ profile is set to pass only if computer and user AuthC have both passed successfully. For the same policy sets, the Windows PEAP-MSCHAPv2 works well with MAR, but we want to know how or what needs to be done for the MacBooks to have machine and user authentication, without using NAM or any other supplicants.

Just like Windows, we want to use native supplicants on the MacBooks as well.

The OSX supplicant works differently than Windows, so I'm not sure if ISE will even recognize the 'computer' login to match the 'was machine authenticated' condition for MAR.

When a Windows PC joins the domain, it creates a randomly generated password for the computer account. This password is used to authenticate the computer session with PEAP-MSCHAPv2, so I'm not sure how you are exporting this password to import it into the network profile for each individual Mac.

Are you seeing a successful 'computer' authentication in the ISE logs for the Macbooks?

I can't say I've seen this type of setup (and I recommend against any of my customers using MAR), so I can't say that it will actually work.

Damien Miller
VIP Advisor

Every enterprise I have deployed ISE for has had an MDM that they did this from, which changes the process somewhat. Workspace One, for example (used to be called AirWatch), will let you provision certificates and push 802.1x profiles within the same profile. This also has the added benefit of being able to push the trust chain for EAP, as Apple tends to require that the root, intermediate, and ISE certs be pushed for trust.

The only downside I have found is on the MacBook side: when you plug in to an 802.1x network, or join an 802.1x wireless network, the client will be prompted to select a certificate if there are multiple. If some other user cert has been pushed/installed, this can cause the user to select the incorrect cert.

So any MDM that the Macs are a part of?

MU_B
Beginner

We are trying to perform machine and user authentication on the MacBooks. For that, our Desktop IT team created computer-level and user-level profiles using JAMF Pro. The MacBooks are not AD joined, but the MacBook machine names are part of the Domain Computers group.

The ISE AuthZ profile is set to pass only if computer and user AuthC have both passed successfully. For the same policy sets, the Windows PEAP-MSCHAPv2 works well with MAR, but we want to know how or what needs to be done for the MacBooks to have machine and user authentication, without using NAM or any other supplicants.

Just like Windows (User or Computer Authentication), we want to use native supplicants on the MacBooks as well.

@_Warren
