
Apple (Mac) machine authentication with Clearpass

  • 1.  Apple (Mac) machine authentication with Clearpass

    Posted Aug 14, 2019 02:31 PM

    Hello,

    I am trying to determine the best way to perform machine authentication, both over wired and wireless, to use with our Clearpass policies.

    Right now, I have all of the policies based around the machine authenticated role, which works great for Windows devices. However, the few Macs we have in our environment don't natively do machine auth.

    I did find this article which looks promising:

    https://aporlebeke.wordpress.com/2018/05/11/machine-authentication-on-macos-os-x-in-active-directory-environments-w-o-a-microsoft-ca/

    However, after trying it, even though it looks like it's creating a profile with the correct username in "host/" format and grabbing the machine auth PW from the keychain, authentication is failing on the clearpass side.

    Plus, I found some additional references that made it look like we'd also have to change a setting so the machine PW didn't change to prevent issues. That sounds like a pain.

    How are most people here handling machine auth for Mac laptops with clearpass? Are there any concise guides for the setup? We don't have a huge Mac userbase, so if it's even a script/profile that has to be installed once via manual execution, that would work. We do own Jamf, but the main Jamf person just left the company and I think that whole product is kind of on hold.

    Of course, I could try other options such as checking the host name and if the device is OSX, or checking the username and if the device is OSX, but it seems like it would be easy/possible to spoof both of those scenarios.

    I mainly am just curious to see if there are any updated/current guides, and what the industry/other people on here are doing in this situation... I'm new to clearpass and NAC in general.

    Thanks for the help!



  • 2.  RE: Apple (Mac) machine authentication with Clearpass

    Posted Sep 24, 2020 11:01 AM

    Did you ever get this working? I need to set up the same thing and I'm not finding much documentation.



  • 3.  RE: Apple (Mac) machine authentication with Clearpass

    Posted Sep 24, 2020 11:43 AM

    Yes, I did get it working.

    I had to download the Mac server utility (it was like $20) to allow me to create a mobileconfig profile.

    Unfortunately it's hard for me to post the profile here because there's a lot of sensitive data I would have to scrub.

    I used a lot of Jamf articles to figure out how to set it up, such as these:

    https://www.jamf.com/jamf-nation/discussions/18322/understanding-802-1x-configuration-profiles
    https://www.jamf.com/jamf-nation/discussions/8282/802-1x-profiles-help#responseChild44231
    https://www.jamf.com/jamf-nation/discussions/29949/802-1x-machine-authentication-pre-login
    https://www.jamf.com/jamf-nation/discussions/15419/how-to-set-up-machine-based-authentication-for-802-1x-wi-fi


    I will see if I can get my hands on a Mac again. If I can, perhaps I can make a generic profile based off of the one I had and post it here. There were some key steps to getting the profile to work in terms of options and I am struggling to remember what they were off the top of my head, but I do have the XML mobileconfig, so if you have questions on specific options I may at least be able to help by referencing it if I can't get my hands on a Mac to look in the GUI.

    As for the CP config, the policy looks to see if the username is a member of a Mac OU that we have in AD. Once you have everything working correctly, what happens is that the Mac client sends its PC name as a USER AUTH in AD, NOT a machine auth, so you can't look for a status of machine authenticated. I had to look to make sure the "user" that was really the Mac was in the Mac OU, because the only way it comes up as being a member of the Mac OU is if it auths correctly to AD. The Mac PC username gets sent to the CP server in the format "domain\pcname$", so if your domain is example.com and the Mac client name is mac, the username sent to CP will be "example.com\mac$", sent as a user auth.

    I hope that helps a bit, I know it's not a lot to go off of. Let me see if I can get my hands on a Mac to get screenshots from the GUI profile and/or scrub the XML enough... either one of those would help clear things up. There really isn't a lot of info on it and it took me hours of trial and error to figure out.

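The policy logic described in the reply above, written out as an added Python example (not code from the thread or from ClearPass): the Mac arrives as a *user* authentication with a `domain\hostname$` identity, so the check is "did EAP succeed against AD, and is that computer account located in the Mac OU?" rather than "is the session flagged machine-authenticated". The directory contents, OU name and role names are constructed for the example; in a real deployment the DN would come from ClearPass's AD authorization source. It also covers the cases the first post worries about: an identity that merely looks like a Mac hostname does not pass unless it actually authenticated and exists under the Mac OU.

```python
import re
from dataclasses import dataclass

# Constructed example values (not from the thread): the OU that holds Mac computer
# objects, and a tiny stand-in for the AD authorization lookup ClearPass would do.
MAC_OU_DN = "OU=MacComputers,OU=Workstations,DC=example,DC=com"
DIRECTORY = {
    "mac$": "CN=mac,OU=MacComputers,OU=Workstations,DC=example,DC=com",
    "win-laptop$": "CN=win-laptop,OU=WinComputers,OU=Workstations,DC=example,DC=com",
    "jdoe": "CN=Jane Doe,OU=Users,DC=example,DC=com",
}

# Identity as the reply describes it: "domain\pcname$" (a computer account ends in '$').
USERNAME_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<account>[^\\]+)$")


@dataclass
class Decision:
    role: str
    reason: str


def parse_username(username):
    """Split 'example.com\\mac$' into ('example.com', 'mac$'); (None, None) if malformed."""
    m = USERNAME_RE.match(username)
    if not m:
        return None, None
    return m.group("domain").lower(), m.group("account").lower()


def is_computer_account(account):
    # AD computer objects have a sAMAccountName ending in '$'.
    return account.endswith("$")


def in_ou(dn, ou_dn):
    # Suffix match on an RDN boundary; DNs are case-insensitive.
    return dn.lower().endswith("," + ou_dn.lower())


def evaluate(username, authenticated, directory=DIRECTORY):
    """Return the role a policy like the one in the reply would assign.

    `authenticated` stands in for the EAP result against AD: without a successful
    auth, the OU lookup never happens, which is what stops a spoofed hostname.
    """
    if not authenticated:
        return Decision("deny", "authentication against AD failed")
    domain, account = parse_username(username)
    if account is None:
        return Decision("deny", "username is not in domain\\account form")
    dn = directory.get(account)
    if dn is None:
        return Decision("deny", f"{account} not found in directory")
    if is_computer_account(account) and in_ou(dn, MAC_OU_DN):
        return Decision("Mac Machine Authenticated", f"{account} is a computer object under {MAC_OU_DN}")
    if is_computer_account(account):
        return Decision("Machine Authenticated (non-Mac)", f"{account} is a computer object outside the Mac OU")
    return Decision("User Authenticated", f"{account} is a user object ({dn})")


if __name__ == "__main__":
    for ident, ok in [("example.com\\mac$", True), ("example.com\\mac$", False),
                      ("example.com\\win-laptop$", True), ("example.com\\jdoe", True),
                      ("example.com\\ghost$", True), ("mac$", True)]:
        d = evaluate(ident, ok)
        print(f"{ident!r:28} auth={ok!s:5} -> {d.role}: {d.reason}")
```

The important design point is that the OU check only runs after a successful authentication, so a client that simply presents a Mac-looking hostname (the spoofing concern in the first post) is stopped at the credential step, not at the naming step.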


  • 4.  RE: Apple (Mac) machine authentication with Clearpass



  • 5.  RE: Apple (Mac) machine authentication with Clearpass

    Posted Sep 24, 2020 12:03 PM
    Thank you for your help on this - I have been pulling my hair out trying to
    figure this out. It also doesn't help that I am Apple illiterate.

    *Larry Simanek*
    *Systems Network Analyst *
    *619-644-8263*
    Grossmont Union High School District



  • 6.  RE: Apple (Mac) machine authentication with Clearpass

    Posted Sep 24, 2020 12:09 PM

    Oh yeah, not a problem. I know how much of a pain it is to figure out, which is why I wanted to reply. Give me a day or two to see if I can get you better info on that profile. I also knew nothing about Apple and this was all trial by fire for me.



  • 7.  RE: Apple (Mac) machine authentication with Clearpass

    Posted Jun 22, 2022 12:27 AM
    Just wondering whether the above method can be applied to macOS computers which are not bound to AD and are managed by the MDM Jamf?
    Thanks a bunch again.


  • 8.  RE: Apple (Mac) machine authentication with Clearpass

    Posted Jun 23, 2022 08:22 AM
    Yes, you would just check the Mac in "MDM Enabled". That would indicate that the Mac is joined and managed by Jamf.