New Contributor
Posts: 2
Registered: ‎08-19-2014

Enforce Machine Authentication with MAC OS X (EAP-TLS)

Hello,

 

I'm running the following:

Aruba OS = v6.4.2.3

ClearPass = v6.4.1.67428

 

EAP-TLS with 'enforce machine authentication' works perfectly with Windows 7. Enforce machine authentication is done on CPPM. However, I'm having trouble with MAC OSX and machine authentication. Do any of you guys know how MAC devices behave in regards to EAP-TLS machine authentication?

 

With Windows, my understanding is that when it boots up (before the user logs in), machine authentication happens. It uses either the machine cert or the AD computer account for machine authentication. In my case, since the client supplicant is configured with EAP-TLS, it will use the machine cert for machine authentication. Once the user logs in, the user cert is used for authentication. If the user successfully authenticates, CPPM will check its cache for the machine MAC which passed machine auth earlier and tie it to the user auth. Hence, the machine + user auth combination can be tied to a particular role on CPPM to give the user full wifi access. The goal is to prevent non-AD devices from connecting to wifi. This works as expected.

 

With MAC OSX, I can't figure out how it behaves. I'm able to join MAC OSX to Windows AD so it has a computer account on AD. But from MAC OSX supplicant perspective, how to force it to use machine certificate for machine authentication versus using its AD computer account with its SID as password?  

 

Thanks in advance for the help.

 

KT
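
The machine-plus-user correlation described in the post above, as an added example that is not part of the original post and is not ClearPass code or configuration. It is a small Python model; the role names, the 24-hour cache lifetime and the MAC addresses are constructed assumptions. It shows why a client that never performs a separate machine authentication does not get the combined role.

```python
from dataclasses import dataclass, field

CACHE_TTL = 24 * 3600  # assumed cache lifetime in seconds (constructed value)


@dataclass
class PolicyModel:
    """Toy model: tie a user auth to an earlier machine auth from the same MAC."""
    ttl: int = CACHE_TTL
    machine_cache: dict = field(default_factory=dict)  # MAC -> time of machine auth

    @staticmethod
    def norm(mac):
        # Normalise so AA-BB-.. and aa:bb:.. hit the same cache entry
        return "".join(c for c in mac.lower() if c in "0123456789abcdef")

    def authenticate(self, mac, identity_type, cert_valid, now):
        """Return the (hypothetical) role for one EAP-TLS authentication."""
        if not cert_valid:
            return "deny"
        mac = self.norm(mac)
        if identity_type == "machine":
            # Machine cert accepted: remember this MAC for later user auths
            self.machine_cache[mac] = now
            return "machine-only"
        seen = self.machine_cache.get(mac)
        if seen is not None and now - seen <= self.ttl:
            return "full-access"  # machine + user auth combination
        # Valid user cert, but no fresh machine auth from this MAC
        return "user-only"


def demo():
    p = PolicyModel()
    results = []
    # Windows-style flow: machine auth at boot, user auth at login
    results.append(p.authenticate("AA-BB-CC-00-00-01", "machine", True, now=0))
    results.append(p.authenticate("aa:bb:cc:00:00:01", "user", True, now=600))
    # Client that only ever presents a user identity
    results.append(p.authenticate("aa:bb:cc:00:00:02", "user", True, now=600))
    # Same first client after the cache entry has expired
    results.append(p.authenticate("aa:bb:cc:00:00:01", "user", True, now=CACHE_TTL + 1))
    return results


if __name__ == "__main__":
    print(demo())
```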

 

 

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Enforce Machine Authentication with MAC OS X (EAP-TLS)

There is no formal context of machine authentication with Macs.

 

Take a look at this:

 

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎08-19-2014

Re: Enforce Machine Authentication with MAC OS X (EAP-TLS)

Thanks Tim! Will definitely try this.
