Mac OS authentication to NAC OOB VGW 4.7.2

Answered Question
Jun 18th, 2010

I realize that the Macs in our OOB VGW environment can't do SSO like the Windows machines. Since I don't want to get into the business of managing a lot of user IDs and passwords I've been trying to come up with alternatives.

The first one that comes to mind is a "group" ID and password in the local DB that the Mac users can use. Simple but from a security standpoint not a good idea.

The second thought is to create a second authentication server where Mac users could point to when the login screen pops up.

Are there any caveats to using the second auth server? Is there any chance it could cause problems with SSO?

Thanks!

Bob

Faisal Sehbai Fri, 06/18/2010 - 10:17

Bob,

Second auth server's the way to go. Make it LDAP, so they'll just have to re-use their AD credentials.

It wouldn't cause any issues with your existing AD SSO.

HTH,

Faisal

Robert Slusar Mon, 06/21/2010 - 12:43

Thanks Faisal!

Since our LDAP auth servers are the same as our AD servers, or at least a subset of them, we were going to use the same User Name that we use for AD-SSO. Is that OK, or do we need to use something entirely different?

I have a follow-up question: working on the premise that I have the LDAP authentication working, how do I actually direct the Mac users to the LDAP authentication? (They are using the Mac Agent.)

The way that seems to make the most sense to me is to use a User Login Page that is specific to the Mac OS. (I have configured the login page and enabled it, so I guess we'll see.)

Correct Answer
Faisal Sehbai Tue, 06/22/2010 - 06:56

Robert,

You can use either a MAC user page, or just set LDAP on your default page. This way, if any of your Windows machines fail authentication for any reason, they will have the option to use LDAP to log in. Either should work just fine.

Same username for LDAP setup would work fine too.

HTH,

Faisal

Robert Slusar Tue, 06/22/2010 - 09:11

Faisal,

I attempted to point to a User Login page for Macintosh and the login failed. They are using the Mac Agent for Ver 4.7.2, but when they connect they don't get the Mac login page; they get the default OS "All" page.

I have attached the screen scrapes of the MAC login page.

Is there a way to specifically point the Mac devices to the page? I was working on the impression that NAC should recognize the OS and point them to it. (I must be missing a step!)

Faisal Sehbai Tue, 06/22/2010 - 09:49

Rob,

What's the order of the user pages? Can you post a screenshot of that? If ALL is above MAC_ALL, then the MAC will hit that first and not look further.

HTH,

Faisal

Robert Slusar Wed, 06/23/2010 - 11:46

Faisal,

I did have the MAC_ALL at the top. I have since altered ALL to also behave differently, that is I added the LDAP server for authentication and made the LDAP server the default provider.

The only screen that pops up is the generic default screen (see attached) that is seen when a user's Windows PC is redirected to the CAS after opening an HTTP session.

I must be missing something really basic. What controls the login screen that is seen by a user when they are using an installed agent (corporate device) or a Web Agent (contractor's device)? The User Pages Login Page implies it is OS-based, as in the case of MAC_ALL.

Robert Slusar Thu, 06/24/2010 - 10:20

OK - Now I am embarrassed.

When everything looks like it should work - Reboot! (The CAS.)

I now get the drop-down on the Mac OS X 4.7.2.507 CCA agent as well as the Web Agent.
