Security

Hello,

 

I am trying to determine the best way to perform machine authentication, both over wired and wireless, to use with our Clearpass policies. 

 

Right now, I have all of the policies based arond the machine authenticated role, which works great for Windows devices. However, the few Macs we have in our environment don't natively do machine auth. 

 

I did find this article which looks promising

 

https://aporlebeke.wordpress.com/2018/05/11/machine-authentication-on-macos-os-x-in-active-directory-environments-w-o-a-microsoft-ca/

 

However, after trying it, even though it looks like it's creating a profile with the correct username in "host/" format and grabbing the machine auth PW from the keychain, authentication is failing on the clearpass side.

 

Plus, I found some additional refernces that made it look like we'd also have to change a setting so the machine PW didn't change to prevent issues. That sounds like a pain.

 

How are most people here handling machine auth for Mac laptops with clearpass? Are there any concise guides for the setup? We don't have a huge Mac userbase, so if it's even a script/profile that has to be installed once via manual execution, that would work. We do own Jamf, but the main Jamf person just left the company and I think that whole product is kind of on hold.

 

Of course, I could try other options such as checking the host name and if the device is OSX, or checking the username and if the device is OSX, but it seems like it would be easy/possible to spoof both of those scenarios. 

 

I maily am just curious to see if there are any updated/current guides, and what the industry/other people on here are doing in this situation...I'm new to clearpass and NAC in general.

 

Thanks for the help!

Did you ever get this working?  I need to set up the same thing and not finding much documentation

Yes, I did get it working.

I had to download the mac server utility (it was like $20) to allow me to create a mobileconfig profile.

Unfortunantly it's hard for me to post the profile here because there's a lot of sensitive data I woud;d have to scrub.

I used a lot of jamf articles to figure out how to set it up such as these

https://www.jamf.com/jamf-nation/discussions/18322/understanding-802-1x-configuration-profiles
https://www.jamf.com/jamf-nation/discussions/8282/802-1x-profiles-help#responseChild44231
https://www.jamf.com/jamf-nation/discussions/29949/802-1x-machine-authentication-pre-login
https://www.jamf.com/jamf-nation/discussions/15419/how-to-set-up-machine-based-authentication-for-802-1x-wi-fi

I will see if I can get my hands on a mac again. If I can, perhaps I can make a generic profile based off of the one I had and post it here. There were some key steps to getting the profile to work in terms of options and I am struggling to remember what they were off the top of my head but I do have the xml mobile config so if you have questions on specific options I may at least be able to help by referencing it if I can't get my hands on a mac to look in the gui.

 

As for the CP config, the policy looks to see if the username is a member of a Mac OU that we have in AD. Once you have everything working correctly, what happens is that the mac client sends its PC name as a USER AUTH in AD, NOT a machine auth, so you can't look for a status of machine authenticated. I had to look to make sure the "user" that was really the mac was in the mac ou, because the only way it comes up as being a member of the mac ou is if it auths correctly to AD. The mac pc username gets sent to the CP server in the format "domain\pcname$" so if you domain is example.com and the mac client name is mac, the username sent to CP will be "example.com\mac$" sent as a user auth.

 

I hope that helps a bit, I know it's not a lot to go off of. Let me see if I can get my hands on a mac to get screenshots from the gui profile and/or scrub the xml enough...either one of those would help clear things up. There really isn't a lot of info on it and it took me hours of trial and error to figure out.

 

 

Found some additional links I used in the meantime 

 

https://community.spiceworks.com/topic/1985872-creating-802-1x-profile-for-mac-os
https://community.spiceworks.com/topic/2125185-802-1x-machine-authentication-macs-based-on-windows-enviromment
https://community.arubanetworks.com/t5/Wireless-Access/Enforce-Machine-Authentication-with-MAC-OS-X-EAP-TLS/td-p/222875
https://discussions.apple.com/thread/4433348

 

Also, note that I put the certs we use directly in the mobileconfig profile. I don't request any certs from a CA or anything of that nature. 

Thank you for your help on this - I have been pulling my hair out trying to
figure out this.. It also doesnt help I am apple illiterate

*Larry Simanek*
*Systems Network Analyst *
*619-644-8263*
Grossmont Union High School District

SAVE TIME TRY OUT NEW HELP DOCUMENTATION

OPEN A TROUBLE TICKET - MOJO TICKETS

Oh yeah, not a problem. I know how much of a pain it is to figure out which is why I wanted to reply. Give me a day or two to see if I can get you better info on that profile. I also knew nothing about apple and this was all trial by fire for me. 

Just wondering whether the above method can be applied to mac os computers which are not bind to AD and managed by the MDM jamf? 
Thanks a bunch again.
Original Message:
Sent: Sep 24, 2020 12:08 PM
From: Jake K
Subject: Apple (Mac) machine authentication with Clearpass

Oh yeah, not a problem. I know how much of a pain it is to figure out which is why I wanted to reply. Give me a day or two to see if I can get you better info on that profile. I also knew nothing about apple and this was all trial by fire for me. 

Yes, you would just check the Mac in "MDM Enabled".  That would indicate that the Mac is joined and managed by jamf
Original Message:
Sent: Jun 21, 2022 11:19 PM
From: Chris Looi
Subject: Apple (Mac) machine authentication with Clearpass

Just wondering whether the above method can be applied to mac os computers which are not bind to AD and managed by the MDM jamf? 
Thanks a bunch again.
Original Message:
Sent: Sep 24, 2020 12:08 PM
From: Jake K
Subject: Apple (Mac) machine authentication with Clearpass

Oh yeah, not a problem. I know how much of a pain it is to figure out which is why I wanted to reply. Give me a day or two to see if I can get you better info on that profile. I also knew nothing about apple and this was all trial by fire for me.