09-23-2014 12:24 PM - edited 03-10-2019 10:03 PM
Hello,
On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.
With Windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with Mac OS X machines.
We are using the Casper software suite and are able to push certificates into Mac OS X, and are doing machine authentication.
In ISE the certificate authentication profile is set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.
When Mac OS X machines authenticate as machines (they have a computer account in AD), they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that, lacking the host/, ISE considers this a user authentication instead of a computer one, and when it sets off to find the account, it searches in the User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force Mac OS X to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating Mac OS X with ISE and machine/computer authentication are welcome.
Thanks
Gustavo Novais
12-16-2016 07:09 PM
You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom.
I hope this helps!
Thank you for rating helpful posts!
12-16-2016 09:28 AM
Did anyone ever find the solution to this problem? Please email me asalazar@usac.org
12-16-2016 10:01 AM
Just for future reference, we've managed to solve this by adding the host/$COMPUTERNAME variable on the JAMF Casper interface.
I do not know if another provisioning solution would allow for this manipulation...
Hope this helps
12-16-2016 07:11 PM
Good job on resolving your own issue! Also, thank you for taking the time to come back and update the thread! (+5 from me).
You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom.
Now, if your issue is resolved, you should mark the thread as "answered" ;)
Thank you for rating helpful posts!
04-05-2022 02:03 PM
If you were using this payload as a custom payload in Intune (since AD certs are not yet supported, only SCEP):
I create the payload in Profile Manager and then upload it to Intune as custom.
The field would be host/{{devicename}}
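Added illustration (not code from the thread, from Cisco ISE, JAMF or Intune) of the failure mode described above and of the two fixes: a bare `hostname$` identity is treated as a user and searched in the wrong object class, while either supplying `host/<hostname>` from the MDM profile or rewriting the identity on the RADIUS server side sends the lookup to the Computer class. The directory contents and the rewrite rule (a regex that turns `name$` into `host/name`) are constructed for this example and do not reproduce ISE's real Identity Rewrite syntax.

```python
"""Model of machine-vs-user identity classification for EAP-TLS against AD.

Constructed sample data; the rewrite pattern is an assumption for this example,
not the actual ISE "Identity Rewrite" configuration language.
"""
import re

# Constructed sample AD: sAMAccountName -> object class.
# AD computer objects have a sAMAccountName of NAME$; users do not.
SAMPLE_AD = {
    "WIN-LAPTOP01$": "computer",
    "MAC-STUDIO07$": "computer",
    "gnovais": "user",
}

# Rewrite rule modelled on the thread's fix: a bare "name$" identity becomes
# "host/name". Identities that already contain '/', '\' or '@' are left alone.
REWRITE_RULES = [
    (re.compile(r"^([^/\\@]+)\$$"), r"host/\1"),
]


def rewrite_identity(user_name, rules=REWRITE_RULES):
    """Apply the first matching rewrite rule to the RADIUS User-Name."""
    for pattern, repl in rules:
        if pattern.match(user_name):
            return pattern.sub(repl, user_name)
    return user_name


def classify_identity(user_name):
    """Return ('computer', hostname) for host/ identities, else ('user', name)."""
    if user_name.startswith("host/"):
        return "computer", user_name[len("host/"):]
    return "user", user_name


def lookup(user_name, directory=SAMPLE_AD):
    """Search only the object class implied by the identity shape.

    Returns the matching sAMAccountName or None when nothing is found.
    """
    kind, name = classify_identity(user_name)
    if kind == "computer":
        # Strip any DNS suffix and build the NAME$ form AD uses for computers.
        candidate = name.split(".")[0].upper() + "$"
        return candidate if directory.get(candidate) == "computer" else None
    # User lookups are case-insensitive and never consider computer objects,
    # so "MAC-STUDIO07$" searched as a user finds nothing.
    for sam, cls in directory.items():
        if cls == "user" and sam.lower() == name.lower():
            return sam
    return None


def authenticate(user_name, rewrite=False):
    """Simulate the lookup path, optionally with the server-side rewrite."""
    identity = rewrite_identity(user_name) if rewrite else user_name
    kind, _ = classify_identity(identity)
    return {"identity": identity, "searched_class": kind, "match": lookup(identity)}


if __name__ == "__main__":
    # A Windows supplicant already sends host/NAME; the Mac sends NAME$.
    for name in ("host/WIN-LAPTOP01", "MAC-STUDIO07$", "gnovais"):
        print(name, "->", authenticate(name))
        print(name, "-> with rewrite:", authenticate(name, rewrite=True))
```

Running the block shows `MAC-STUDIO07$` searched in the User class with no match, and the same client matching `MAC-STUDIO07$` in the Computer class once the identity arrives as (or is rewritten to) `host/MAC-STUDIO07`; the user identity `gnovais` is untouched by the rule.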