Cisco Support Community

New Member

apple macosx machine authentication with ISE using EAP-TLS

Hello,


On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft-based). ISE version 1.2.1 patch 1.

With windows machines all is working well. We are using computer authentication only.

Now the problem is that we wish to do the same with MAC OSX machines.

We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.

In ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.

When MAC OSX machines authenticate as machines (they have a computer account in AD), they present themselves with RADIUS-Username = hostname$ instead of host/hostname.

The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.


Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?

Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.


Thanks


Gustavo Novais

1 ACCEPTED SOLUTION

Cisco Employee

You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom. 

I hope this helps!

Thank you for rating helpful posts!
4 REPLIES
New Member

Did anyone ever find the solution to this problem. Please email me asalazar@usac.org

New Member

Just for future reference, we've managed to solve this by adding, on the JAMF Casper interface, the host/$COMPUTERNAME variable.

I do not know if another provisioning solution would allow for this manipulation...

Hope this helps

Cisco Employee

Good job on resolving your own issue! Also, thank you for taking the time to come back and update the thread! (+5 from me). 

You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom.

Now, if your issue is resolved, you should mark the thread as "answered" ;)

Thank you for rating helpful posts!
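As an added illustration (not code from this thread, from Cisco, or from ISE itself), the following Python models the problem the thread describes: an identity with a `host/` prefix is looked up as a computer object, anything else as a user object, so a Mac presenting `hostname$` is searched in the wrong class, and a rewrite rule applied before classification fixes it. The classification rule and the regex rule syntax are simplifications assumed here; ISE's Identity Rewrite has its own pattern format, which this does not reproduce.

```python
import re

# Assumed simplified model of how a RADIUS backend picks the AD object class
# from the presented EAP identity; this is not ISE's real implementation.
HOST_PREFIX = "host/"


def classify_identity(username):
    """Return (object_class, account_to_search) for a presented User-Name.

    'host/NAME' or 'host/NAME.domain' -> computer object, searched as NAME$
    anything else                     -> user object, searched as given
    Without the host/ prefix, 'hostname$' goes to the User class and finds
    nothing even though a matching computer account exists.
    """
    if username.lower().startswith(HOST_PREFIX):
        fqdn = username[len(HOST_PREFIX):]
        short_name = fqdn.split(".", 1)[0]        # strip DNS suffix if present
        return ("computer", short_name.upper() + "$")
    return ("user", username)


# Rewrite rules applied before classification; first matching rule wins.
# Plain Python regex is an assumption here, used only to model the idea.
REWRITE_RULES = [
    # macOS / Casper style 'MACBOOK-42$' -> 'host/MACBOOK-42'
    (re.compile(r"^([^/@\\]+)\$$"), r"host/\1"),
]


def rewrite_identity(username, rules=REWRITE_RULES):
    for pattern, replacement in rules:
        if pattern.search(username):
            return pattern.sub(replacement, username)
    return username


def resolve(username, rules=REWRITE_RULES):
    """Classification after the rewrite rules, i.e. the fixed behaviour."""
    return classify_identity(rewrite_identity(username, rules))


def demo():
    # Constructed sample identities: Windows machine, Mac machine, user, FQDN form.
    samples = ["host/WIN-LAPTOP01", "MACBOOK-42$", "jdoe", "host/mac-7.corp.example.com"]
    return {name: (classify_identity(name), resolve(name)) for name in samples}
```

`demo()` returns, for each sample, the class chosen without and with the rewrite, so the `MACBOOK-42$` entry flips from `user` to `computer`.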