01-08-2015 09:57 AM
I'm running the following:
Aruba OS = v18.104.22.168
ClearPass = v22.214.171.124428
EAP-TLS with 'enforce machine authentication' works perfectly with Windows 7. Enforce machine authentication is done on CPPM. However, I'm having trouble with MAC OSX and machine authentication. Do any of you guys know how MAC devices behave in regards to EAP-TLS machine authentication?
With Windows, my understanding is when it boots up (before user logs in), machine authentication happens. It either uses machine cert or AD computer account for machine authentication. In my case, since client supplicant is configured with EAP-TLS, it will use machine cert for machine authentication. Once user logs in, user cert is used for authentication. If user successfully authenticates, CPPM will check its cache for the machine MAC that passed machine auth earlier and tie it to user auth. Hence, machine + user auth combination can be tied to a particular role on CPPM to give user full wifi access. The goal is to prevent non-AD devices from connecting to wifi. This works as expected.
With MAC OSX, I can't figure out how it behaves. I'm able to join MAC OSX to Windows AD so it has a computer account on AD. But from MAC OSX supplicant perspective, how to force it to use machine certificate for machine authentication versus using its AD computer account with its SID as password?
Thanks in advance for the help.
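A toy model of the Windows machine + user authentication flow the post describes, as an added example that is not from the original post and is not ClearPass code; the cache TTL, the role names and the 'host/' convention for telling machine certs from user certs are assumptions.

```python
# Added example (not from the post or ClearPass): a toy model of "enforce
# machine authentication". A successful machine-cert EAP-TLS auth records the
# client MAC in a cache with a TTL; a later user-cert auth from the same MAC
# gets the full role only while that machine entry is still cached.
MACHINE_CACHE_TTL = 24 * 3600  # seconds; an assumption, not a CPPM default
ROLE_MACHINE_ONLY = "machine-only"     # hypothetical role names
ROLE_USER_ONLY = "user-no-machine"
ROLE_FULL = "machine-and-user"

class MachineAuthCache:
    """Maps client MAC -> time of last successful machine-cert authentication."""
    def __init__(self, ttl=MACHINE_CACHE_TTL):
        self.ttl = ttl
        self._seen = {}

    def record(self, mac, now):
        self._seen[mac.lower()] = now

    def is_cached(self, mac, now):
        ts = self._seen.get(mac.lower())
        return ts is not None and now - ts <= self.ttl

def cert_identity_kind(subject_cn):
    # Simplifying assumption: AD machine certs carry a 'host/<fqdn>' identity,
    # user certs carry the user's UPN.
    return "machine" if subject_cn.lower().startswith("host/") else "user"

def enforce_machine_auth(cache, mac, subject_cn, now):
    """Role assigned to a successful EAP-TLS auth under the toy policy."""
    if cert_identity_kind(subject_cn) == "machine":
        cache.record(mac, now)
        return ROLE_MACHINE_ONLY
    return ROLE_FULL if cache.is_cached(mac, now) else ROLE_USER_ONLY

def simulate(events, ttl=MACHINE_CACHE_TTL):
    """events: list of (timestamp, mac, cert_identity); returns the roles."""
    cache = MachineAuthCache(ttl)
    return [enforce_machine_auth(cache, mac, cn, t) for t, mac, cn in events]

# Constructed sample: a domain laptop boots (machine cert) and its user logs in
# 60 s later; a non-domain device presents only a user cert; the laptop's user
# re-authenticates after the cached machine entry has expired.
SAMPLE_EVENTS = [
    (0, "AA:BB:CC:00:00:01", "host/laptop1.corp.example"),
    (60, "AA:BB:CC:00:00:01", "alice@corp.example"),
    (120, "AA:BB:CC:00:00:02", "bob@corp.example"),
    (200000, "AA:BB:CC:00:00:01", "alice@corp.example"),
]

if __name__ == "__main__":
    for ev, role in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(ev, "->", role)
```

The third and fourth events show the two cases the policy is meant to catch: a user cert with no prior machine auth, and a user cert whose machine entry has aged out of the cache.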
01-08-2015 10:28 AM
There is no formal context of machine authentication with Macs.
Take a look at this: