Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

domain membership of a machine hitting MAC auth service

  • 1.  domain membership of a machine hitting MAC auth service

    Posted Jul 16, 2019 01:03 AM

    There are many Apple macOS machines which don't have the certificate, and dot1x settings are not enabled on them.

    Those machines are, however, part of the domain. They are hitting the MAC Auth service.

    Can I make a rule in the enforcement policy to check if the machine is part of the domain or not?

    How to do it?



  • 2.  RE: domain membership of a machine hitting MAC auth service

    Posted Jul 16, 2019 05:45 AM

    Any update?



  • 3.  RE: domain membership of a machine hitting MAC auth service

    Posted Jul 16, 2019 06:30 AM

    Hello,

    I am curious to know more when you say macOS machines are part of the domain. Are they joined to the domain the same way as Windows devices (can they also perform machine auth)?

    Machine auth is one clear way to distinguish a user auth vs. a machine performing auth, and we can perform AD authorization to confirm the AD attributes.

    Now coming to your question. We need to see what the service conditions are for your MAC-auth service. Can you share that?

    Also, could you confirm if the macOS machines are forwarding the user-name as MAC-Address (meaning it's performing a MAC-auth as well)?

    So as long as MAC machines send the machine name (just like Windows machines perform machine auth), we could do an enforcement check.

    Or we can also check for the MAC's machine attributes in AD to validate (but it all depends on what username is presented by the device).



  • 4.  RE: domain membership of a machine hitting MAC auth service

    Posted Jul 16, 2019 07:20 AM

    macOS machines are currently doing MAC Authentication and sending the MAC address as the username.

    Authentication is to allow ALL MAC and authorization is Endpoint repository.

    So within this MAC Auth Service, is it possible to create an enforcement rule to get the additional check of AD for these macOS machines?



  • 5.  RE: domain membership of a machine hitting MAC auth service

    Posted Jul 16, 2019 09:37 AM
    Waiting for an update?


  • 6.  RE: domain membership of a machine hitting MAC auth service

    Posted Jul 16, 2019 09:41 AM

    Community is not an immediate support channel. If you need immediate assistance, please open a TAC case or engage your Aruba partner.