Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Enforce Machine Authentication with MAC OS X (EAP-TLS)

  • 1.  Enforce Machine Authentication with MAC OS X (EAP-TLS)

    Posted Jan 08, 2015 12:58 PM

    Hello,

    I'm running the following:

    Aruba OS = v6.4.2.3

    ClearPass = v6.4.1.67428

    EAP-TLS with 'enforce machine authentication' works perfectly with Windows 7. Enforce machine authentication is done on CPPM. However, I'm having trouble with Mac OS X and machine authentication. Do any of you guys know how Mac devices behave in regards to EAP-TLS machine authentication?

    With Windows, my understanding is that when it boots up (before the user logs in), machine authentication happens. It either uses the machine cert or the AD computer account for machine authentication. In my case, since the client supplicant is configured with EAP-TLS, it will use the machine cert for machine authentication. Once the user logs in, the user cert is used for authentication. If the user successfully authenticates, CPPM checks its cache for the machine MAC which passed machine auth earlier and ties it to the user auth. Hence, the machine + user auth combination can be tied to a particular role on CPPM to give the user full Wi-Fi access. The goal is to prevent non-AD devices from connecting to Wi-Fi. This works as expected.

    With Mac OS X, I can't figure out how it behaves. I'm able to join Mac OS X to Windows AD so it has a computer account in AD. But from the Mac OS X supplicant's perspective, how do I force it to use the machine certificate for machine authentication versus using its AD computer account with its SID as the password?

    Thanks in advance for the help.

    KT


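The Windows machine-auth-then-user-auth flow described in the post above, modelled as a small simulation of the server-side logic. This is an added example, not ClearPass or Aruba code, and not something the poster wrote: the role names, the 24-hour cache lifetime, the MAC-normalisation rule and the authentication events in `demo()` are all constructed for illustration. It shows why a Mac that only ever presents a user certificate lands in a restricted role under "enforce machine authentication": there is no cached machine-auth entry for its MAC to tie the user auth to.

```python
"""
Model of the 'enforce machine authentication' behaviour described in the post:
an endpoint that passes EAP-TLS with its machine certificate is remembered by
MAC address; a later user-certificate authentication from the same MAC is tied
to that entry, and only the combination earns the full-access role.

Added illustration, not ClearPass/Aruba code.  Role names, the cache lifetime
and the authentication events in demo() are assumptions made for the example.
"""
from dataclasses import dataclass

# Assumed role names; on CPPM these would be whatever the enforcement
# profile maps to (e.g. an Aruba user role on the controller).
ROLE_FULL = "wifi-full-access"            # machine auth + user auth
ROLE_USER_ONLY = "wifi-user-only"         # user cert, no machine auth seen
ROLE_MACHINE_ONLY = "wifi-machine-only"   # pre-logon access only
ROLE_DENY = "deny"

# Assumed cache lifetime; on CPPM the machine-auth cache timeout is configurable.
MACHINE_AUTH_CACHE_TTL = 24 * 3600


@dataclass
class AuthEvent:
    """One completed EAP-TLS exchange as seen by the RADIUS server."""
    mac: str          # Calling-Station-Id of the supplicant
    identity: str     # certificate subject (host/... for machine, UPN for user)
    cert_kind: str    # "machine" or "user", derived from the cert's EKU/template
    cert_valid: bool  # outcome of chain, revocation and expiry checks
    ts: float         # epoch seconds


class MachineAuthEnforcer:
    def __init__(self, ttl=MACHINE_AUTH_CACHE_TTL):
        self.ttl = ttl
        self._cache = {}  # normalised MAC -> (machine identity, timestamp)

    def _machine_auth_valid(self, mac, now):
        """True if this MAC passed machine auth within the TTL; drop stale entries."""
        entry = self._cache.get(mac)
        if entry is None:
            return False
        if now - entry[1] > self.ttl:
            del self._cache[mac]
            return False
        return True

    def handle(self, ev):
        """Return the role to enforce for one authentication event."""
        mac = ev.mac.lower().replace("-", ":")   # assumed normalisation rule
        if not ev.cert_valid:
            return ROLE_DENY
        if ev.cert_kind == "machine":
            # Boot-time (pre-logon) EAP-TLS with the computer certificate.
            self._cache[mac] = (ev.identity, ev.ts)
            return ROLE_MACHINE_ONLY
        if ev.cert_kind == "user":
            # Post-logon EAP-TLS with the user certificate: tie it to the
            # cached machine auth for the same MAC, if there is one.
            return ROLE_FULL if self._machine_auth_valid(mac, ev.ts) else ROLE_USER_ONLY
        return ROLE_DENY


def demo():
    """Constructed events: a Windows 7 domain laptop and a Mac with only a user cert."""
    enf = MachineAuthEnforcer()
    t0 = 1_420_000_000.0
    win = "00:11:22:33:44:55"
    osx = "AA-BB-CC-DD-EE-FF"
    # Windows: machine cert at boot, user cert after logon -> full access.
    r_boot = enf.handle(AuthEvent(win, "host/LAPTOP01.corp.example", "machine", True, t0))
    r_logon = enf.handle(AuthEvent(win, "alice@corp.example", "user", True, t0 + 60))
    # Mac OS X: the supplicant never did a machine auth for this MAC, so the
    # same kind of user cert only earns the restricted role.
    r_mac = enf.handle(AuthEvent(osx, "bob@corp.example", "user", True, t0 + 60))
    # After the cache entry ages out, user auth alone is restricted again.
    r_stale = enf.handle(AuthEvent(win, "alice@corp.example", "user", True,
                                   t0 + MACHINE_AUTH_CACHE_TTL + 61))
    # A certificate that fails validation is denied regardless of cache state.
    r_bad = enf.handle(AuthEvent(win, "host/LAPTOP01.corp.example", "machine", False, t0))
    return r_boot, r_logon, r_mac, r_stale, r_bad


if __name__ == "__main__":
    for name, role in zip(("boot", "logon", "mac", "stale", "bad"), demo()):
        print(f"{name:6s} -> {role}")
```

The interesting line is `r_mac`: the user certificate is perfectly valid, but with no prior machine-certificate exchange from that MAC the combination rule cannot fire, which is the restricted-access symptom the poster is seeing. The cache is keyed on MAC, so the supplicant has to perform a separate pre-logon EAP-TLS with a computer certificate for an entry to exist; the TTL case (`r_stale`) is worth remembering when a device has been off the network longer than the configured cache timeout.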

  • 2.  RE: Enforce Machine Authentication with MAC OS X (EAP-TLS)

    EMPLOYEE
    Posted Jan 08, 2015 01:29 PM

    There is no formal context of machine authentication with Macs.

    Take a look at this:

    https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/



  • 3.  RE: Enforce Machine Authentication with MAC OS X (EAP-TLS)

    Posted Jan 09, 2015 09:43 AM

    Thanks Tim! Will definitely try this.