11-09-2016 09:48 AM
today I ran into a problem with authenticating Apple Mac OS X clientsvia 802.1X. The initial plan was to handle the Macs like Windows machines and authenticate them via computer authentication against the AD. After some googling I found out that there is no option to da a computer authentication on Macs. Even if they were in the domain.
So I decided to profile them and authenticate the user instead of the machine. What I want to do is the follwing:
Role Mapping 1:
if user auth (Authorization:Domain - memberof) and Apple Mac (Authorization:EndpointDB - OS Family) -> AppleMac
if AppleMac -> VLAN xzy
I can see in access tracker that the user auth is working against the AD but the second condition (Endpoint DB) is failing.
I also tried to seperate the two authorization sources in two different role mappings and combine them in the enforcement - this fails also.
Does anyone have any clue why? Is there any problem with my config?
Maybe some can give me a hint to reach my goal in a better way?!
thanks in advance
All the clients are profiled via DHCP fingerprint and the Endpoint
Solved! Go to Solution.
11-09-2016 10:50 AM
network either via PEAPv0/EAP-MSCHAPv2 or EAP-TLS.
Take a look at this:
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
11-09-2016 11:12 AM
thanks cappalli. I found this guide earlier but it's not working anymore for me. It's stated that you can create a profile with the apple configurator (2). In this tool you can only select "WiFi" settings.
I also had a look in the onboard settings in Clearpass. For wired authentication the only available option is User Authentication. No Computer Auth.
Found this statement (2 years old):
"OSX will not be able to perform machine authentication like Windows machines. Even though they can be added as a computer in AD, Apple doesn't have an option for machine auth, only username and password."
11-09-2016 08:13 PM