01-30-2020 02:29 PM - edited 01-30-2020 02:46 PM
Hi everybody!
First of all, I am not an Apple specialist, and I don't have an Apple PC to test.
I already know that we can face Apple products during a Cisco ISE 2.4 deployment, and Apple has multiple operating systems:
And mobile devices (iOS and iPadOS) may be provisioned with ISE and BYOD. See the Cisco ISE BYOD Prescriptive Deployment Guide for details on how to do this.
And for macOS, you must use the Apple Configurator tool, an enterprise system administrator tool, to provision profiles containing certifications and configuration settings to your Apple workstations. So my question is:
What is more common for a macOS deployment using Apple Configurator, when creating Cisco ISE authentication and authorization rules?
(01) PEAP+MAB+Domain Computer
(02) EAP-TLS+CA Credentials
(03) EasyConnect
I already tried to check some Google links, but nothing good.
I attached a template model that I made myself, and I don't know if it's good or not.
I am looking forward to your reply.
Josinfo
01-30-2020 03:39 PM
While the Apple Configurator tool might be useful for lab environments, my experience with several large enterprise customers is that they all use a more full-featured MDM like JAMF Pro to create and deploy profiles with network and certificate payloads to their managed Apple devices.
Both PEAP-MSCHAPv2 and EAP-TLS are options, and the decision on which is used depends mainly on the customer's business and security requirements. The majority I have worked with use EAP-TLS.
From what I've seen, Apple devices do not really have a separate Computer and User state, so PEAP or EAP-TLS credentials are mainly user-based.
MacBooks do not natively support joining AD so, unless the customer is using a 3rd party agent to join AD, it is not typically possible to authenticate the computer. One customer I've worked with used a 'shared' certificate (matching only the Issuer Name and CN in AuthC and AuthZ policies) across their fleet as a temporary workaround until they could uplift their PKI environment to support the scale they needed for SCEP to enrol individual user certificates.
Cheers,
Greg
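The following is an added example, not a profile from the original thread or from Apple or Cisco documentation: a minimal .mobileconfig for the EAP-TLS option Greg describes, installable with Apple Configurator or an MDM such as JAMF Pro. It pins the client identity, the CA of the ISE RADIUS server certificate and the accepted server names, so the supplicant neither prompts the user to pick a certificate nor lets the user accept an unknown server; the SSID, PSN hostname, identifiers, UUIDs and base64 blobs are placeholders.

```xml
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.ise-eaptls</string>
  <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadContent</key>
  <array>
    <!-- Payload 1: the CA that issued the ISE PSN's EAP server certificate (DER, base64; placeholder). -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.ise-eaptls.ca</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>PayloadContent</key><data>BASE64_DER_OF_RADIUS_CA_PLACEHOLDER</data>
    </dict>
    <!-- Payload 2: the client identity (PKCS#12). In production an MDM would issue one per device via SCEP. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.ise-eaptls.identity</string>
      <key>PayloadUUID</key><string>33333333-3333-4333-8333-333333333333</string>
      <key>Password</key><string>P12_PASSWORD_PLACEHOLDER</string>
      <key>PayloadContent</key><data>BASE64_PKCS12_PLACEHOLDER</data>
    </dict>
    <!-- Payload 3: the Wi-Fi network, bound to payloads 1 and 2 by their UUIDs. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.ise-eaptls.wifi</string>
      <key>PayloadUUID</key><string>44444444-4444-4444-8444-444444444444</string>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>EncryptionType</key><string>WPA2</string>
      <!-- Pin the identity: without this the supplicant asks the user which certificate to present. -->
      <key>PayloadCertificateUUID</key><string>33333333-3333-4333-8333-333333333333</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array> <!-- 13 = EAP-TLS -->
        <!-- Pin the RADIUS server: only a certificate chaining to payload 1 with one of these names is accepted. -->
        <key>PayloadCertificateAnchorUUID</key><array><string>22222222-2222-4222-8222-222222222222</string></array>
        <key>TLSTrustedServerNames</key><array><string>ise-psn1.example.com</string></array>
        <!-- Do not let the user click through to trust an unexpected server certificate. -->
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Omitting the anchor and server-name pins is the weak variant: the supplicant will then prompt the user to trust whatever RADIUS certificate it sees, which is exactly the prompt a rogue access point relies on.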
01-30-2020 03:55 PM - edited 01-30-2020 03:56 PM
Hi @Greg Gibbs, thanks for your reply!
So for this project I have a few macOS machines, around 20 or 30.
Did you check my .pdf for the simple deployment? Do you think that it is functional?
For Cisco ISE, I am planning to configure the following rules under ISE 2.4, just to validate:
If true
PEAP + MAB Group + AD User condition
then pass
What do you think?
And I am looking at EasyConnect; do you think this works nicely with macOS PCs?
Regards,
Josinfo
01-30-2020 04:14 PM
I'm not sure about the reason for the 'MAB Group' condition unless you're using this to differentiate between a Mac and another device using the same user account. You would have to statically add the MAC addresses to an Endpoint ID Group, which does not scale well. It's easy to spoof a MAC address as well, so MAB shouldn't be used as a security control.
EasyConnect will not work as it requires ISE to basically snoop the Netlogon from the PC to AD. Since the Mac doesn't login to AD, EC is not possible.
Some observations on your profile:
Cheers,
Greg
01-30-2020 04:24 PM - edited 01-31-2020 04:28 PM
<removed duplicate reply>
01-30-2020 04:29 PM - edited 01-31-2020 04:29 PM
<removed duplicate reply>
10-26-2020 02:25 PM
Hi @Greg Gibbs,
We are trying to perform machine and user authentication on the MacBooks. For that, our Desktop IT team has created computer-level and user-level profiles using JAMF Pro. The MacBooks are not AD joined, but the MacBook machine names are part of the Domain Computers group.
The ISE AuthZ profile is set to pass only if computer and user AuthC are passed successfully. For the same policy sets, Windows PEAP-MSCHAPv2 works well with MAR, but we want to know how or what needs to be done for the MacBooks to have machine and user authentication, without using NAM or any other supplicants.
Just like Windows, we want to use native supplicants on the MacBooks as well.
10-26-2020 03:03 PM
The OSX supplicant works differently than Windows, so I'm not sure if ISE will even recognize the 'computer' login to match the 'was machine authenticated' condition for MAR.
When a Windows PC joins the domain, it creates a randomly generated password for the computer account. This password is used to authenticate the computer session with PEAP-MSCHAPv2, so I'm not sure how you are exporting this password to import it into the network profile for each individual Mac.
Are you seeing a successful 'computer' authentication in the ISE logs for the Macbooks?
I can't say I've seen this type of setup (and I recommend against any of my customers using MAR), so I can't say that it will actually work.
01-31-2020 07:55 AM
03-09-2022 11:52 AM
Damien,
Is there a best practice in regard to which certificate to choose? Right now we have it working, but every 30 minutes it comes up to choose a certificate again. Looking for any help in determining how to fix this.
Kevin Hatch