Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac OS X wired authentication

  • 1.  Mac OS X wired authentication

    Posted Nov 09, 2016 12:49 PM

    Hi guys,

     

    Today I ran into a problem with authenticating Apple Mac OS X clients via 802.1X. The initial plan was to handle the Macs like Windows machines and authenticate them via computer authentication against the AD. After some googling I found out that there is no option to do a computer authentication on Macs, even if they were in the domain.

     

    So I decided to profile them and authenticate the user instead of the machine. What I want to do is the following:

     

    Role Mapping 1:

    if user auth (Authorization:Domain - memberof) and Apple Mac (Authorization:EndpointDB - OS Family) -> AppleMac

     

    Enforcement:

    if AppleMac -> VLAN xzy

     

    I can see in access tracker that the user auth is working against the AD but the second condition (Endpoint DB) is failing.

    I also tried to separate the two authorization sources into two different role mappings and combine them in the enforcement - this also fails.

     

    Does anyone have any clue why? Is there any problem with my config?

     

    Maybe someone can give me a hint to reach my goal in a better way?!

     

    Thanks in advance

    All the clients are profiled via DHCP fingerprint and the Endpoint 

     

     



  • 2.  RE: Mac OS X wired authentication

    EMPLOYEE
    Posted Nov 09, 2016 01:50 PM
    The computer account for an OS X device can be used to authenticate to the network either via PEAPv0/EAP-MSCHAPv2 or EAP-TLS.



    Take a look at this:
    https://www.jamf.com/jamf-nation/discussions/15419/how-to-set-up-machine-based-authentication-for-802-1x-wi-fi


  • 3.  RE: Mac OS X wired authentication

    Posted Nov 09, 2016 02:13 PM

    Thanks, cappalli. I found this guide earlier but it's not working anymore for me. It's stated that you can create a profile with the Apple Configurator (2). In this tool you can only select "WiFi" settings.

     

    I also had a look at the Onboard settings in ClearPass. For wired authentication the only available option is User Authentication. No Computer Auth.

     

    Found this statement (2 years old):

    "OSX will not be able to perform machine authentication like Windows machines. Even though they can be added as a computer in AD, Apple doesn't have an option for machine auth, only username and password." 



  • 4.  RE: Mac OS X wired authentication
    Best Answer

    Posted Nov 09, 2016 11:14 PM
    For our Macs, we role map based on the OU where the Mac computers live in the AD and the ending profiling device name of Mac OS X. Enforcement is based on the role assigned.


    #AirheadsMobile


  • 5.  RE: Mac OS X wired authentication
    Best Answer

    Posted Nov 10, 2016 01:21 AM

    Hi efisher,

    Thanks for your answer. Is it a wireless or wired authentication? Can you screenshot your settings on the Mac side?