
Macintosh clients, 802.1x and NAC.

andrew.brazier
Level 4

I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built-in software!) but what I can't do is set up a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac, which it isn't (and it's not an option either).

EDIT: Anyone tried installing the CTA on a Mac? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to, so you can't modify it and BOY do you need to modify it!

Any ideas?

4 Replies

drolemc
Level 6

CTA installations on Mac OS X contain a vulnerability that can allow an unauthorized user to access the "System Preferences" window which can be used to change passwords of all non-root user accounts, including admin accounts.

http://www.cisco.com/en/US/products/products_security_response09186a008085d645.html

Thanks for the tip! At the moment that's the least of my worries though, getting the thing to work is the first priority : ) I've got a TAC case open at present...

andrew.brazier
Level 4

Just in case anyone is following this thread, things have moved on a little. Apparently you can install the Cisco CTA and use the Mac's built-in 802.1x supplicant, which is good news for me.

What is still a problem is the mess the CTA install makes of permissions: it creates a user and a group and gives them (only) permissions to the files. You can hack your Mac to make your regular Admin a user of the group but WHY SHOULD YOU HAVE TO DO THIS!!! This allows you to edit the ini file to actually make the CTA work; what it doesn't let you do is run the ctastat diag tool and boy would I like to run this tool! I am unable to get the CTA on the Mac to talk to the ACS server and have no idea why, and without the ctastat output I'm driving blind.

My TAC case is progressing slowly but they haven't come up with anything significant, almost everything I've discovered so far I've found out for myself.

Watch this space for developments.

Anyone from Cisco care to jump in here?

I'm on the home straight with this one. Essentially, to get the CTA to work using the built-in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the NAC Framework Configuration Guide).

The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation, and the 802.1x part of the process gets the machine onto the network so the CTA can do its stuff.

With this setup in place and the CTA properly configured (as mentioned previously, the permissions setup on the Mac created by the CTA install makes this far more difficult than it should be) the process works pretty well: popup messages work, browser launch and URL redirection work. Looks good.

The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client which does support wireless and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed, simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.

Hope this helps someone somewhere avoid a little pain! : )
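
The switch-side arrangement described in the post above (802.1x admits the port, then EAP over UDP carries the CTA posture check), as an added example that is not from the original thread or from Cisco's guide. It assumes IOS-style Catalyst access-switch syntax; the RADIUS address and key, the rule and ACL names, and the interface are placeholders.

```cisco
! Added example: 802.1x and NAC L2 IP (EAPoUDP) on the same access port.
! All names, addresses and the key below are placeholders (assumptions).
aaa new-model
! 802.1x identity authentication and EAPoUDP posture validation both go to ACS
aaa authentication dot1x default group radius
aaa authentication eou default group radius
! Needed so ACS can push per-host policy (downloadable ACLs, URL redirect)
aaa authorization network default group radius
!
radius-server host 192.0.2.10 key <SHARED-SECRET>
radius-server vsa send authentication
!
! Enable 802.1x globally
dot1x system-auth-control
! The switch must learn the host's IP address before it can start EAPoUDP
ip device tracking
! Admission rule that triggers EAPoUDP posture validation
ip admission name NAC-L2-IP eapoudp
!
! Default port ACL: what a host may reach before posture is validated
ip access-list extended PRE-POSTURE
 ! EAPoUDP between the CTA and the switch
 permit udp any any eq 21862
 ! DHCP and DNS so the client can get an address and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface FastEthernet0/1
 switchport mode access
 ! Step 1: 802.1x opens the port for an authenticated user or machine
 dot1x port-control auto
 ! Step 2: traffic stays restricted until the posture check completes
 ip access-group PRE-POSTURE in
 ip admission NAC-L2-IP
```

If posture validation never starts, check that the default port ACL permits UDP 21862 and that the switch has learned the client's IP address, since EAPoUDP cannot begin without either.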
