8689 Views | 35 Helpful | 5 Replies

Apple Mac OS X machine authentication with ISE using EAP-TLS

Gustavo Novais (Level 1)

Hello,


On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.

With windows machines all is working well. We are using computer authentication only.

Now the problem is that we wish to do the same with Mac OS X machines.

We are using the Casper software suite and are able to push certificates to Mac OS X, and we are doing machine authentication.

In ISE, the certificate authentication profile is set to look at the subject alternative name (DNS name) of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.

When Mac OS X machines authenticate as machines (they have a computer account in AD), they present themselves with RADIUS-Username = hostname$ instead of host/hostname.

The consequence is that, lacking the host/ prefix, ISE considers this a user authentication instead of a computer one, and when it goes to find the account it searches the User class instead of Computer, which obviously returns no results.


Is anybody aware of any way to force Mac OS X to present a host/hostname RADIUS-Username when authenticating?

Any similar experiences of authenticating Mac OS X with ISE using machine/computer authentication are welcome.


Thanks


Gustavo Novais


5 Replies

usac (Level 1)

Did anyone ever find the solution to this problem? Please email me asalazar@usac.org

nspasov (Cisco Employee) [Accepted Solution]

You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom. 

I hope this helps!

Thank you for rating helpful posts!
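The original question and the Identity Rewrite answer above both come down to one rule: only an identity carrying the host/ prefix is treated as a computer authentication and looked up as NAME$ in the Computer class, so a Mac that sends a bare NAME$ is looked up as a user and never found. The following Python script is an added example written for this thread, not code from Cisco or from any poster. It models that classification against a small constructed directory and applies a simplified regex-based rewrite rule before the lookup; the rule syntax, the function names and the sample identities are this example's own assumptions and do not reproduce ISE's actual Identity Rewrite format.

```python
"""Simplified model of user-vs-computer identity handling on a RADIUS server
and of an identity-rewrite step that fixes the macOS 'NAME$' case.
Added example for this thread; rule syntax and names are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ADLookup:
    object_class: str        # "computer" or "user": which AD class gets searched
    sam_account_name: str    # the sAMAccountName the server would look for
    domain: Optional[str]    # realm / DNS suffix if one was carried in the identity


def classify_identity(user_name: str) -> ADLookup:
    """Mimic the behaviour the original post describes: a 'host/' prefix marks a
    computer authentication; anything else is treated as a user identity."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        host, _, dns_suffix = fqdn.partition(".")
        # Computer accounts are stored as HOSTNAME$ in the Computer class.
        return ADLookup("computer", host.upper() + "$", dns_suffix or None)
    name, domain = user_name, None
    if "\\" in name:                       # DOMAIN\user
        domain, _, name = name.partition("\\")
    elif "@" in name:                      # user@realm
        name, _, domain = name.partition("@")
    return ADLookup("user", name, domain or None)


# Constructed directory: (objectClass, sAMAccountName) pairs that "exist" in AD.
CONSTRUCTED_AD = {
    ("computer", "WINPC01$"),
    ("computer", "MACBOOK01$"),
    ("user", "jdoe"),
}


def ad_find(lookup: ADLookup) -> bool:
    """Search the constructed directory in the class chosen by classification."""
    return (lookup.object_class, lookup.sam_account_name) in CONSTRUCTED_AD


def rewrite_identity(user_name: str, rules: Iterable[Tuple[str, str]]) -> str:
    """Apply the first fully matching (regex, replacement) rule, standing in for
    an identity-rewrite step that runs before the directory lookup."""
    for pattern, replacement in rules:
        if re.fullmatch(pattern, user_name):
            return re.sub(pattern, replacement, user_name)
    return user_name


# Assumed rule: a bare "NAME$" (what the Macs send) is rewritten to "host/NAME".
# Identities containing '/', '@' or '\' are left alone so users are unaffected.
MAC_REWRITE_RULES = [(r"([^/@\\]+)\$", r"host/\1")]


def authenticate(user_name: str, rules: Iterable[Tuple[str, str]] = ()) -> bool:
    """Full path: optional rewrite, then classification, then AD lookup."""
    return ad_find(classify_identity(rewrite_identity(user_name, rules)))


if __name__ == "__main__":
    samples = [
        "host/winpc01.corp.example.com",   # Windows native machine identity
        "MACBOOK01$",                      # macOS identity from the thread
        "jdoe@corp.example.com",           # ordinary user, must keep working
    ]
    for ident in samples:
        before = authenticate(ident)
        after = authenticate(ident, MAC_REWRITE_RULES)
        print(f"{ident:35} without rewrite: {before!s:5} with rewrite: {after}")
```

Running the script shows the Windows and user identities succeeding either way, while MACBOOK01$ fails until the rewrite turns it into host/MACBOOK01 and the lookup moves to the Computer class. The same outcome is what the JAMF/Intune answers later in the thread achieve from the client side by sending host/ plus the computer name in the first place.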

Gustavo Novais (Level 1)

Just for future reference, we've managed to solve this by adding, on the JAMF Casper interface, the host/$COMPUTERNAME variable.

I do not know if another provisioning solution would allow for this manipulation...

Hope this helps

Good job on resolving your own issue! Also, thank you for taking the time to come back and update the thread! (+5 from me). 

You can also do this directly on ISE now (as long as you are running the latest version). There is a feature called "Identity Rewrite" that is located under: Administration > External Identity Sources > AD > Advanced Settings > Scroll all of the way to the bottom.

Now, if your issue is resolved, you should mark the thread as "answered" ;)

Thank you for rating helpful posts!

If you were using this payload as a custom payload in Intune (since AD certs are not yet supported, only SCEP):

I create the payload in Profile Manager and then upload it to Intune as custom.

There, the field would be host/{{devicename}}

CCIE-Collaboration #24527