05-29-2018 09:54 AM - edited 03-08-2019 07:45 PM
I am looking for some best practice around authentication for MacBook Pro users on my network. We require authentication and would like it to be secure auth like a Windows machine.
Our current deployment uses LDAP and TAC showed us the secure LDAP feature, but we do not want to decrypt all of the packets to make this work. I can enable NTLM, but when using Chrome or Firefox there is a prompt and it is sending those creds over clear text as far as I know.
I am looking for suggestions on how others authenticate these devices through the WSA because I keep seeing posts on creating auth bypass for Mac and that is not an option for me.
08-06-2018 11:02 AM
I have spent many hours on the phone with TAC and reading the Cisco documentation provided. We came to find that the biggest issue here was the EXT domain we were attempting to use was not a supported scenario for Kerberos authentication. Now I have joined the WSA to a RW DC and then pointed it to a RO DC for authentication moving forward. The RO DC has a two-way trust with the RW DC as well. This is also something that TAC advised should be in place. The other major thing to mention here is in all PAC files we have used in the past we pointed to an IP. You cannot use an IP address as the redirect, from what I can tell.
I did find something interesting with Windows machines versus Macs. When I redirect with a Mac I can use Ironport1 as the redirect name, but with Windows I need to use Ironport1.Cisco.com. I did not do much reading as to why this is, but it is working now.
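The point about PAC files above is worth showing concretely. Kerberos authenticates to a service principal name (for a proxy, HTTP/proxy-fqdn), and the browser derives that name from the proxy hostname the PAC hands it; an IP literal gives it nothing to build the SPN from. The following PAC file is an added example written for this thread, not code from the original post or from Cisco; the proxy name ironport1.example.com, port 3128 and the example.com internal domain are assumptions, and the small helper that flags an IP-literal PROXY directive is there so the file can be checked before deployment.

```javascript
// Added example, not from the thread: a proxy auto-config (PAC) file that hands
// browsers the WSA by DNS hostname rather than by IP literal.
// Assumptions: the proxy answers as ironport1.example.com on port 3128 and
// internal hosts live under example.com or in RFC 1918 ranges.
// Kerberos needs a service principal name (HTTP/<proxy-fqdn>); an IP literal in
// the PAC leaves the browser with no name to build that SPN from.

var PROXY_BY_NAME = "PROXY ironport1.example.com:3128";
var PROXY_BY_IP = "PROXY 10.0.0.5:3128"; // constructed: the pattern to avoid

// True for a dotted-quad IPv4 literal such as 10.0.0.5.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Checks that a "PROXY host:port" directive names the proxy by hostname.
// Returns false for IP literals and for anything that is not a PROXY directive.
function proxyDirectiveUsesHostname(directive) {
  var parts = directive.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0] !== "PROXY") return false;
  var host = parts[1].split(":")[0];
  return host.length > 0 && !isIpLiteral(host);
}

// Standard PAC entry point. Single-label intranet names, RFC 1918 addresses and
// the internal domain go DIRECT, so the browser only authenticates to the proxy
// for external destinations; everything else is sent to the proxy by hostname.
function FindProxyForURL(url, host) {
  if (host.indexOf(".") === -1) return "DIRECT";
  if (/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(host)) return "DIRECT";
  if (/\.example\.com$/.test(host)) return "DIRECT";
  return PROXY_BY_NAME;
}
```

The PAC functions browsers normally provide (isInNet, dnsDomainIs) are deliberately not used, so the file also runs under plain Node for a pre-deployment check; the RFC 1918 test is a string match on the host the browser passes in, which is enough for a PAC. The short-name versus FQDN difference between Mac and Windows clients that the post describes is a reason to always put the full name in the PROXY directive.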
05-29-2018 09:41 PM
10-30-2018 01:06 PM
Over the past year working with TAC, it seems that because of our setup there are some items that get missed when troubleshooting with TAC. I am closer to getting this to work, but now continue to hit bugs on 10.5.x code levels and am waiting for an update in a little over a week to hopefully put this behind me.