02-02-2017 06:44 AM
I've managed to thoroughly confuse myself with something that I thought was going to be simple.
We have some AD-joined Macs, and since they don't do machine authentication, I'm having trouble getting them the right CPPM roles.
Rather than manually build a SHL or Endpoint list, I was hoping that I would be able to query the AD operatingSystem attribute and thus intelligently do the role mappings. (Authorization: AD: operatingSystem : contains: Mac)
Unfortunately, in the access tracker, I'm not seeing it under authorization attributes or computed attributes, thus, it's not mapping correctly.
Am I missing something obvious, or could it be because the RADIUS request is coming through as a user request?
02-02-2017 07:08 AM
Since you're doing a user authentication in this case, you won't be able to use computer properties.
You have a few options:
1) Use the device registration database built into ClearPass to register them with a certain tag.
2) Set up Mac machine authentication.
3) Issue certs to the Macs with a unique property.
02-02-2017 10:18 AM
1.) I was trying to avoid manual (but it'll work)
2.) I am NOT seeing a way to do this, unless you use TLS with certificates (I'm using PEAP)
3.) Arrrrrgh more certificates!!! :)