Contributor I
Posts: 21
Registered: ‎12-11-2012

Mac OS X wired authentication

Hi guys,

 

Today I ran into a problem with authenticating Apple Mac OS X clients via 802.1X. The initial plan was to handle the Macs like Windows machines and authenticate them via computer authentication against the AD. After some googling I found out that there is no option to do a computer authentication on Macs, even if they were in the domain.

 

So I decided to profile them and authenticate the user instead of the machine. What I want to do is the following:

 

Role Mapping 1:

if user auth (Authorization:Domain - memberof) and Apple Mac (Authorization:EndpointDB - OS Family) -> AppleMac

 

Enforcement:

if AppleMac -> VLAN xzy

 

I can see in access tracker that the user auth is working against the AD but the second condition (Endpoint DB) is failing.

I also tried to separate the two authorization sources into two different role mappings and combine them in the enforcement - this also fails.

 

Does anyone have any clue why? Is there any problem with my config?

 

Maybe someone can give me a hint to reach my goal in a better way?!

 

thanks in advance

All the clients are profiled via DHCP fingerprint and the Endpoint 

 

 

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: Mac OS X wired authentication

The computer account for an OS X device can be used to authenticate to the
network either via PEAPv0/EAP-MSCHAPv2 or EAP-TLS.



Take a look at this:
https://www.jamf.com/jamf-nation/discussions/15419/how-to-set-up-machine-based-authentication-for-802-1x-wi-fi

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 21
Registered: ‎12-11-2012

Re: Mac OS X wired authentication

Thanks cappalli. I found this guide earlier but it's not working anymore for me. It's stated that you can create a profile with the Apple Configurator (2). In this tool you can only select "WiFi" settings.

 

I also had a look at the Onboard settings in ClearPass. For wired authentication the only available option is User Authentication. No Computer Auth.

 

Found this statement (2 years old):

"OSX will not be able to perform machine authentication like Windows machines. Even though they can be added as a computer in AD, Apple doesn't have an option for machine auth, only username and password." 

Contributor II
Posts: 50
Registered: ‎11-24-2014

Re: Mac OS X wired authentication

For our Macs, we role map based on the OU where the Mac computers live in the AD and the ending profiling device name of Mac OS X. Enforcement is based on the role assigned.


#AirheadsMobile
Contributor I
Posts: 21
Registered: ‎12-11-2012

Re: Mac OS X wired authentication

Hi efisher,

Thanks for your answer. Is it a wireless or wired authentication? Can you screenshot your settings on the Mac side?
