Frequent Contributor I

Mac OS X wired authentication

Hi guys,


today I ran into a problem with authenticating Apple Mac OS X clients via 802.1X. The initial plan was to handle the Macs like Windows machines and authenticate them via computer authentication against the AD. After some googling I found out that there is no option to do a computer authentication on Macs. Even if they were in the domain.


So I decided to profile them and authenticate the user instead of the machine. What I want to do is the following:


Role Mapping 1:

if user auth (Authorization:Domain - memberof) and Apple Mac (Authorization:EndpointDB - OS Family) -> AppleMac



if AppleMac -> VLAN xzy


I can see in access tracker that the user auth is working against the AD but the second condition (Endpoint DB) is failing.

I also tried to separate the two authorization sources into two different role mappings and combine them in the enforcement - this also fails.


Does anyone have any clue why? Is there any problem with my config?


Maybe someone can give me a hint to reach my goal in a better way?!


thanks in advance

All the clients are profiled via DHCP fingerprint and the Endpoint 



Network Engineer
ACCX #931 | ACMP
Guru Elite

Re: Mac OS X wired authentication

The computer account for an OS X device can be used to authenticate to the
network either via PEAPv0/EAP-MSCHAPv2 or EAP-TLS.

Take a look at this:

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Mac OS X wired authentication

Thanks cappalli. I found this guide earlier but it's not working anymore for me. It's stated that you can create a profile with the Apple Configurator (2). In this tool you can only select "WiFi" settings.


I also had a look in the Onboard settings in ClearPass. For wired authentication the only available option is User Authentication. No Computer Auth.


Found this statement (2 years old):

"OSX will not be able to perform machine authentication like Windows machines. Even though they can be added as a computer in AD, Apple doesn't have an option for machine auth, only username and password." 

Network Engineer
ACCX #931 | ACMP
Frequent Contributor I

Re: Mac OS X wired authentication

For our Macs, we role map based on the OU where the Mac computers live in the AD and the ending profiling device name of Mac OS X. Enforcement is based on the role assigned.

Frequent Contributor I

Re: Mac OS X wired authentication

hi efisher,

Thanks for your answer. Is it a wireless or wired authentication? Can you screenshot your settings on the Mac side?

Network Engineer
ACCX #931 | ACMP