I am trying to determine the best way to perform machine authentication, both over wired and wireless, to use with our Clearpass policies.
Right now, I have all of the policies based arond the machine authenticated role, which works great for Windows devices. However, the few Macs we have in our environment don't natively do machine auth.
I did find this article which looks promising
However, after trying it, even though it looks like it's creating a profile with the correct username in "host/" format and grabbing the machine auth PW from the keychain, authentication is failing on the clearpass side.
Plus, I found some additional refernces that made it look like we'd also have to change a setting so the machine PW didn't change to prevent issues. That sounds like a pain.
How are most people here handling machine auth for Mac laptops with clearpass? Are there any concise guides for the setup? We don't have a huge Mac userbase, so if it's even a script/profile that has to be installed once via manual execution, that would work. We do own Jamf, but the main Jamf person just left the company and I think that whole product is kind of on hold.
Of course, I could try other options such as checking the host name and if the device is OSX, or checking the username and if the device is OSX, but it seems like it would be easy/possible to spoof both of those scenarios.
I maily am just curious to see if there are any updated/current guides, and what the industry/other people on here are doing in this situation...I'm new to clearpass and NAC in general.
Thanks for the help!
Did you ever get this working? I need to set up the same thing and not finding much documentation
Yes, I did get it working.
I had to download the mac server utility (it was like $20) to allow me to create a mobileconfig profile.
Unfortunantly it's hard for me to post the profile here because there's a lot of sensitive data I woud;d have to scrub.
I used a lot of jamf articles to figure out how to set it up such as these
I will see if I can get my hands on a mac again. If I can, perhaps I can make a generic profile based off of the one I had and post it here. There were some key steps to getting the profile to work in terms of options and I am struggling to remember what they were off the top of my head but I do have the xml mobile config so if you have questions on specific options I may at least be able to help by referencing it if I can't get my hands on a mac to look in the gui.
As for the CP config, the policy looks to see if the username is a member of a Mac OU that we have in AD. Once you have everything working correctly, what happens is that the mac client sends its PC name as a USER AUTH in AD, NOT a machine auth, so you can't look for a status of machine authenticated. I had to look to make sure the "user" that was really the mac was in the mac ou, because the only way it comes up as being a member of the mac ou is if it auths correctly to AD. The mac pc username gets sent to the CP server in the format "domain\pcname$" so if you domain is example.com and the mac client name is mac, the username sent to CP will be "example.com\mac$" sent as a user auth.
I hope that helps a bit, I know it's not a lot to go off of. Let me see if I can get my hands on a mac to get screenshots from the gui profile and/or scrub the xml enough...either one of those would help clear things up. There really isn't a lot of info on it and it took me hours of trial and error to figure out.
Found some additional links I used in the meantime
Also, note that I put the certs we use directly in the mobileconfig profile. I don't request any certs from a CA or anything of that nature.
Oh yeah, not a problem. I know how much of a pain it is to figure out which is why I wanted to reply. Give me a day or two to see if I can get you better info on that profile. I also knew nothing about apple and this was all trial by fire for me.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.