Mac OS authentication to NAC OOB VGW 4.7.2

I realize that the Macs in our OOB VGW environment can't do SSO like the Windows machines. Since I don't want to get into the business of managing a lot of user IDs and passwords, I've been trying to come up with alternatives.

The first one that comes to mind is a "group" ID and password in the local DB that the Mac users can use. Simple but from a security standpoint not a good idea.

The second thought is to create a second authentication server where Mac users could point to when the login screen pops up.

Are there any caveats to using the second auth server? Is there any chance it could cause problems with SSO?

Thanks!

Bob

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Bob,

Second auth server's the way to go. Make it LDAP, so they'll just have to re-use their AD credentials.

It wouldn't cause any issues with your existing AD SSO.

HTH,

Faisal

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Thanks Faisal!

Since our LDAP auth servers are the same as our AD, or at least a subset of the AD servers, we were going to use the same User Name that we use for AD-SSO. Is that OK or do we need to use something entirely different?

I have a follow-up question - working on the premise that I have the LDAP authentication working, how do I actually direct the Mac users to the LDAP authentication? (They are using the Mac Agent.)

The way that seems to make the most sense to me is to use a User Login Page that is specific to the Mac OS. (I have configured the login page and enabled it, so I guess we'll see.)

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Robert,

You can use either a MAC user page, or just set LDAP on your default page. This way, if any of your Windows machines fail authentication too for any reason, they will have the option to use LDAP to log in. Either should work just fine.

Same username for LDAP setup would work fine too.

HTH,

Faisal

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Once again, Thank You.

I have created a MAC_ALL login page and am testing.

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Faisal,

I attempted to point to a User Login page for Macintosh and the login failed. They are using the Mac Agent for Ver 4.7.2, but when they connect they don't get the Mac login page; they get the default OS "All" page.

I have attached the screen scrapes of the MAC login page.

Is there a way to specifically point the Mac devices to the page? I was working on the impression that NAC should recognize the OS and point them to it. (I must be missing a step!)

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Rob,

What's the order of the user pages? Can you post a screenshot of that? If ALL is above MAC_ALL, then the MAC will hit that first and not look further.

HTH,

Faisal

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Faisal,

I did have the MAC_ALL at the top. I have since altered ALL to also behave differently; that is, I added the LDAP server for authentication and made the LDAP server the default provider.

The only screen that pops up is the generic default screen (see attached) that is seen when a user's Windows PC is redirected to the CAS after opening an HTTP session.

I must be missing something really basic. What controls the login screen that is seen by a user when they are using an installed agent (corporate device) or a Web Agent (Contractor's device)? The user's page Login Page implies it is OS as in the case of MAC_ALL.

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Rob,

Please post the content tab from your mac_all page.

Faisal

Re: Mac OS authentication to NAC OOB VGW 4.7.2

Oops! Sorry - I thought I did already.

Here it is.
