201 Views, 5 Helpful, 6 Replies

Cisco ISE and MacBook

BruceR214
Level 1

Hi

I am looking for pointers from the community as I have very little experience with MacBooks. We have previously only dealt with Windows clients and they happily authenticate as a device using EAP-TLS to AD over wired and wireless. In our experience, MacBooks do not play well with AD so I am looking for an alternative solution.

I would like to get the MacBook to authenticate to Cisco ISE itself, but I also have the problem that we use Ruckus WiFi which cannot do URL redirect. So the usual solutions become hard to implement as they all seem to need a workflow involving URL-redirect.

Is there a simple way to get the MacBook registered with Cisco ISE so that it can authenticate as a device? I do not mind a manual process as we only have a few MacBooks.

Thanks for reading

1 Accepted Solution

Accepted Solutions

It can if you have an AD object created for that. If not, then you can choose to rely on the certificate trust itself to validate device ownership. This depends on how secure your PKI environment is, where it's exposed, who can enroll a certificate, keys non-exportable, etc. This is where Intune comes back into play as well. If you don't have an AD object to check against, you can have ISE check against Intune for the existence of that MacBook as your "second factor" other than the existence of the certificate itself.

It is not. Wireless has no concept of an "open mode". Most of my customers use dedicated, physically protected "build ports" that do not have any authentication commands on them for the sole purpose of provisioning/imaging computers. Some other customers of mine use the guest network for provisioning through things like AutoPilot.

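The decision the accepted solution describes (EAP-TLS proves possession of a key for a certificate chained to a trusted CA; the "second factor" is an existence check against an AD computer object or, failing that, the Intune device record) modelled as an added example. This is illustrative code written for this page, not Cisco's ISE logic or any ISE API; the certificate fields, the AD and Intune directories and the authorization profile names are constructed, and real ISE uses a Certificate Authentication Profile plus an identity source sequence for the same steps.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible run
TRUSTED_ISSUERS = {"CN=Corp Issuing CA"}          # stands in for ISE's trusted-certificate store

# Constructed directories standing in for the AD computer-object and Intune lookups.
AD_COMPUTERS = {"MAC-001": {"enabled": True}, "MAC-OLD": {"enabled": False}}
INTUNE_DEVICES = {"MAC-002": {"compliant": True}, "MAC-003": {"compliant": False}}


@dataclass
class ClientCert:
    """The fields of the presented client certificate that the policy looks at."""
    subject_cn: str
    issuer: str = "CN=Corp Issuing CA"
    not_before: datetime = NOW - timedelta(days=30)
    not_after: datetime = NOW + timedelta(days=335)
    san_dns: list = field(default_factory=list)
    eku: tuple = ("clientAuth",)


def make_cert(cn: str, **overrides) -> ClientCert:
    """Constructed test certificate; the TLS proof of key possession is assumed to have passed."""
    return ClientCert(subject_cn=cn, **overrides)


def certificate_problems(cert: ClientCert, now: datetime = NOW) -> list:
    """Checks that must pass before the certificate is trusted at all."""
    problems = []
    if cert.issuer not in TRUSTED_ISSUERS:
        problems.append("issuer not in trusted store")
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if "clientAuth" not in cert.eku:
        problems.append("no clientAuth EKU")
    return problems


def certificate_identity(cert: ClientCert, source: str = "CN") -> str:
    """Which certificate field becomes the identity that is looked up (CN or first SAN dNSName)."""
    if source == "CN":
        return cert.subject_cn.upper()
    if source == "SAN-DNS" and cert.san_dns:
        return cert.san_dns[0].split(".")[0].upper()
    return ""


def authorize(cert: ClientCert, now: datetime = NOW, source: str = "CN") -> tuple:
    """Return (authorization profile, reason) for an EAP-TLS session."""
    problems = certificate_problems(cert, now)
    if problems:
        return "DenyAccess", "EAP-TLS rejected: " + ", ".join(problems)
    ident = certificate_identity(cert, source)
    if not ident:
        return "DenyAccess", "no usable identity in certificate"
    # First factor passed (trusted cert + proof of key). Second factor: is the device known?
    ad = AD_COMPUTERS.get(ident)
    if ad is not None:
        if not ad["enabled"]:
            return "DenyAccess", f"AD computer object {ident} is disabled"
        return "Corp_Access", f"trusted cert and AD computer object {ident} exists"
    mdm = INTUNE_DEVICES.get(ident)
    if mdm is not None:
        if not mdm["compliant"]:
            return "Remediation", f"Intune knows {ident} but it is non-compliant"
        return "Corp_Access", f"trusted cert and compliant Intune device {ident}"
    # A valid certificate alone is not enough: without an AD or Intune record the
    # "second factor" is missing, which is the case the accepted solution warns about.
    return "DenyAccess", f"trusted cert but no AD or Intune record for {ident}"


if __name__ == "__main__":
    for cn in ("MAC-001", "MAC-002", "MAC-003", "MAC-999"):
        print(cn, "->", authorize(make_cert(cn)))
```

The last branch is the point of the discussion: a certificate that a well-run PKI issued is necessary but not sufficient, and the weaker the controls around enrolment and key export are, the more the existence check in AD or Intune matters.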

6 Replies

How are the MacBooks managed?  You should have an MDM solution for them.  Use said MDM to push certificates to the MacBooks and do EAP-TLS authentication with those certificates to ISE.  If you also want Posture/compliance checks, integrate that MDM with ISE.

We have them on Intune currently, and we can push SCEP certificates to them. 

Perfect. Use Intune to push a SCEP enrollment profile to them to obtain a certificate from the PKI. Use Intune to configure the wired/wireless on the MacBook to authenticate with EAP-TLS to ISE.

If you want compliance checks as well then integrate Intune with ISE. https://cs.co/ise-berg#Intune
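What the MDM actually delivers for the two steps above is a macOS configuration profile: a trusted-CA payload, a SCEP payload (the key pair is generated on the Mac and only the CSR leaves it) and a Wi-Fi payload whose EAP settings offer only EAP-TLS and pin the ISE server certificate to that CA and to the ISE node names. The following is an added example, not Intune's output or Cisco's code: it builds such a profile with Python's standard `plistlib` and lints it for the settings that weaken EAP-TLS. The payload keys follow Apple's configuration-profile format as the author understands it; the URL, SSID, server names and the CA bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholder values (not from the thread); replace with your own.
ISE_SERVER_NAMES = ["ise-psn-1.example.internal", "ise-psn-2.example.internal"]
SCEP_URL = "https://ndes.example.internal/certsrv/mscep/mscep.dll"
FAKE_CA_DER = b"\x30\x82placeholder-not-a-real-DER-certificate"


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def root_ca_payload(ca_der: bytes) -> dict:
    """CA that issues the ISE EAP server certificate; the Mac trusts only servers under it."""
    pid = _uuid()
    return {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.ca.{pid}", "PayloadUUID": pid,
            "PayloadDisplayName": "Corp Root CA",
            "PayloadContent": ca_der}  # DER bytes, serialised as <data> in the plist


def scep_payload(device_name: str) -> dict:
    """SCEP enrolment: key pair generated on the device, CSR sent to the SCEP/NDES URL."""
    pid = _uuid()
    return {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.scep.{pid}", "PayloadUUID": pid,
            "PayloadDisplayName": "Device identity (SCEP)",
            "PayloadContent": {
                "URL": SCEP_URL, "Name": "CorpIssuingCA",
                "Subject": [[["CN", device_name]], [["O", "Example Corp"]]],
                "SubjectAltName": {"dNSName": f"{device_name}.example.internal"},
                "Keysize": 2048, "KeyType": "RSA",
                "KeyUsage": 1}}  # digital signature, what TLS client auth needs


def wifi_eap_tls_payload(ssid: str, identity_uuid: str, anchor_uuids: list, server_names: list) -> dict:
    """Wi-Fi payload that offers only EAP-TLS and pins the RADIUS server to CA + name."""
    pid = _uuid()
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.wifi.{pid}", "PayloadUUID": pid,
            "PayloadDisplayName": f"Wi-Fi {ssid}", "SSID_STR": ssid, "AutoJoin": True,
            "EncryptionType": "WPA2",
            "PayloadCertificateUUID": identity_uuid,  # identity presented for TLS client auth
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [13],  # 13 = EAP-TLS; no password-based method is offered
                "PayloadCertificateAnchorUUID": list(anchor_uuids),
                "TLSTrustedServerNames": list(server_names)}}


def build_profile(device_name: str, ssid: str) -> dict:
    ca = root_ca_payload(FAKE_CA_DER)
    scep = scep_payload(device_name)
    wifi = wifi_eap_tls_payload(ssid, scep["PayloadUUID"], [ca["PayloadUUID"]], ISE_SERVER_NAMES)
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.eaptls-wifi", "PayloadUUID": _uuid(),
            "PayloadDisplayName": f"EAP-TLS Wi-Fi ({ssid})", "PayloadContent": [ca, scep, wifi]}


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile)


def from_mobileconfig(data: bytes) -> dict:
    return plistlib.loads(data)


def lint_profile(profile: dict) -> list:
    """Findings that would let a rogue AP or a weaker EAP method in; [] means clean."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    findings = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [13]:
            findings.append("AcceptEAPTypes is not exactly [13]: a password method could be negotiated")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("TLSTrustedServerNames empty: any server cert from the anchor CA is accepted")
        anchors = eap.get("PayloadCertificateAnchorUUID") or []
        if not anchors:
            findings.append("no PayloadCertificateAnchorUUID: the RADIUS server cert is not pinned to a CA")
        for a in anchors:
            if by_uuid.get(a, {}).get("PayloadType") != "com.apple.security.root":
                findings.append(f"anchor {a} is not a com.apple.security.root payload in this profile")
        ident = by_uuid.get(p.get("PayloadCertificateUUID"), {})
        if ident.get("PayloadType") not in ("com.apple.security.scep", "com.apple.security.pkcs12"):
            findings.append("PayloadCertificateUUID does not reference a SCEP or PKCS#12 identity payload")
        if eap.get("TLSAllowTrustExceptions"):
            findings.append("TLSAllowTrustExceptions set: the user can accept an untrusted server cert")
        if p.get("EncryptionType") in (None, "None", "WEP"):
            findings.append("EncryptionType is open or WEP")
    return findings


if __name__ == "__main__":
    profile = build_profile("MAC-001", "CorpWiFi")
    print(lint_profile(profile) or "profile clean")
    print(to_mobileconfig(profile).decode()[:200])
```

Whatever produces the profile (Intune in this thread), the two settings worth checking on the resulting Mac are the ones the linter flags first: the anchor CA and the trusted server names. Without them the Mac will complete EAP-TLS against any RADIUS server holding a certificate it can chain, which is the configuration an attacker's access point would rely on.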

OK, sounds good.

I have never used SCEP before, but I can see that the certificate does get to the MacBook.

When the MacBook tries to authenticate, what should ISE check the certificate against? For a Windows PC it checks with the AD Computer object.

Also, is it possible for the MacBook to connect to WiFi before the user login happens?

Thanks for all this information, I will be trying it out next week.