Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP TLS with ADCS for machine auth

  • 1.  EAP TLS with ADCS for machine auth

    Posted Apr 26, 2018 10:37 AM

    I've searched and searched and can't quite find a thread on here with the same symptoms. What I'd like to achieve is doing machine authentication with our Macs using a certificate assigned from our AD CA. I've got what I think is a very basic service configured, but the client keeps failing with "user not found". According to Access Tracker, it's not looking at AD as the authentication source even though it's specified.

    - Mac laptop (10.13.4) joined to AD
    - It's getting the AD, ClearPass, and trusted CA certs via profile manager (I'm 99.9% sure this is all working as it should)
    - AD CA cert installed in ClearPass trust list
    - EAP TLS with authorization checkbox unchecked
    - AD authentication source with default settings, working fine for EAP PEAP on production SSID

    What am I missing?



  • 2.  RE: EAP TLS with ADCS for machine auth
    Best Answer

    EMPLOYEE
    Posted Apr 26, 2018 10:50 AM
    Remove the authentication source from your service.


  • 3.  RE: EAP TLS with ADCS for machine auth

    Posted Apr 26, 2018 11:01 AM

    Ok that works, but I had to change my role mapping rules. I had tried that, but my role mappings were based on AD attributes so it was still failing, just with a slightly different error message.



  • 4.  RE: EAP TLS with ADCS for machine auth

    EMPLOYEE
    Posted Apr 26, 2018 11:04 AM
    Just to be clear, this service is only handling machine authentications, correct?


  • 5.  RE: EAP TLS with ADCS for machine auth

    Posted Apr 26, 2018 11:06 AM

    Yes it is, but this is only a test service. The plan would be to eventually add it to our production service which is now only doing EAP PEAP for user auth. I'm pretty sure I saw a config in an old thread for how to do that.



  • 6.  RE: EAP TLS with ADCS for machine auth

    EMPLOYEE
    Posted Apr 26, 2018 11:09 AM
    It would be better to keep machine auth in its own service since authorization is not enabled.


  • 7.  RE: EAP TLS with ADCS for machine auth

    Posted Apr 26, 2018 11:15 AM

    Makes sense. Is there a way I can do that if it's using the same SSID?



  • 8.  RE: EAP TLS with ADCS for machine auth

    EMPLOYEE
    Posted Apr 26, 2018 11:23 AM
    Yes, services are not tied to SSIDs.

    Use service rules that check for:
    Authentication:Full-Username BEGINS_WITH host/
    Authentication:Full-Username ENDS_WITH .yourdomain.xyz
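To make the same-SSID split concrete, here is an added Python model of how the two services would be selected; it is not ClearPass code and not from anyone in this thread. The domain `.corp.example` (standing in for `.yourdomain.xyz`), the service names, first-match ordering, and case-insensitive matching are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DOMAIN = ".corp.example"  # assumed stand-in for ".yourdomain.xyz"


@dataclass
class Service:
    name: str
    auth_source: Optional[str]              # None = certificate-only (no AD lookup)
    rules: List[Tuple[str, str]] = field(default_factory=list)  # on Full-Username, ANDed


# Ordered list: the first service whose rules all match wins (assumed, as in a
# top-down policy evaluation). The machine-auth service has no authentication
# source, so EAP-TLS succeeds on the certificate alone and no "user not found"
# lookup against AD can happen for host/ identities.
SERVICES = [
    Service("Machine Auth EAP-TLS", None,
            [("BEGINS_WITH", "host/"), ("ENDS_WITH", DOMAIN)]),
    # Catch-all for the user-auth PEAP service; in practice it would carry its own
    # rules (constructed here as a rule-less fallback to keep the model short).
    Service("User Auth PEAP", "AD", []),
]


def _matches(full_username: str, rules: List[Tuple[str, str]]) -> bool:
    """All rules must hold; matching is case-insensitive (assumption)."""
    u = full_username.lower()
    for op, value in rules:
        v = value.lower()
        if op == "BEGINS_WITH" and not u.startswith(v):
            return False
        if op == "ENDS_WITH" and not u.endswith(v):
            return False
    return True


def select_service(full_username: str) -> Optional[Service]:
    """Return the first service whose rules match the RADIUS Full-Username."""
    for svc in SERVICES:
        if _matches(full_username, svc.rules):
            return svc
    return None
```

Note that a `host/` identity from a different domain suffix falls through to the user service, where it would then fail against AD rather than being accepted by the certificate-only service.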