On-prem MDM with unknown MAC Address

chbuey
Cisco Employee

Hey All,

I wanted to get some feedback on what's beginning to be a more common scenario, especially with the new release of MacBooks requiring the use of dongles exclusively for wired networks.

Consider this scenario:

  1. A new MacBook with only Wi-Fi registers against an MDM server. The MDM server records the MAC address, the serial number, version, etc.
  2. The user takes the endpoint to work and performs a wireless authentication; since the Wi-Fi MAC is stored in the MDM server, ISE can look up the endpoint and the user gets full network access.
  3. The user transitions to Ethernet, but this requires a dongle. ISE attempts to do the lookup, but since the endpoint was registered without the dongle present, MDM cannot locate this specific endpoint and the endpoint's registration/compliance statuses cannot be pulled.


At this point, everything appears to be functioning as expected, but there has to be a better solution than forcing endpoints to re-enroll with MDM while their specific dongle is plugged in. Is there a solution, or are there talks in progress, to address this specific use case with Apple (or any) endpoints that require dongles for network access?

I remember facing a similar issue with VPN authentications when Apple/Google started hiding/randomizing the MAC address, and as a result we now do the queries with the UDID. But since these are on-prem authentications failing, it's impossible to pull these extra values from a dot1x/MAB authentication.

Thanks!

Chad

Accepted Solution

Wow, that's a lot of MAC addresses for a single JAMF MDM profile to manage. And then you have multiple machines showing the same MAC address depending on where the user moves from one desk to another.

I agree we have no visibility of wireless mac when connecting via wired, there would need to be an agent that translated the MAC address.

A couple other options:

  • Deploy ISE posture (AnyConnect System Scan) to manage wired compliance.
  • Don't run wired.
  • Require users to have their own dongle so that it's unique and stays with them.

I asked our SME imbashir to also see if he had any ideas.

There would need to be an enhancement to address this without the need for a MAC address; please reach out to the JAMF and ISE Product Managers.

14 Replies

Nidhi
Cisco Employee

Hello Chad,

I will be researching this. Will reply back on this post soon.

Thanks,

Nidhi

Any update on this?

I am running into the exact same issue with my deployment. MacBooks + Thunderbolt dongle results in a failed MDM lookup every time. We just gave up on wired MDM enforcement. Pretty sad this was overlooked on the design side.

What kind of mac management software are you using in your environment?

I'm using Casper Suite (JAMF).  I suspect the original poster is as well as it's the most common Mac management software.

We are using Casper as well, Chad from Cisco opened the case based on the TAC case we've opened.

JAMF is suggesting we install the AnyConnect ISE compliance module to resolve the wired deployment issue. Looking further into it.

We have the ise-compliance module installed as that is required for posture, which is also required in our environment. The issue we have is not with posture, it's with MDM registration enforcement. We enforce MDM registration with JAMF for MacBooks on our network. The way MDM registration enforcement works between ISE and JAMF is that ISE will query JAMF via its API integration for the MAC address of the connecting endpoint. Modern MacBooks don't have wired ports, thus every MacBook uses a dongle of some sort to connect. The MacBook dongles do not exist in MDM, resulting in the MDM returning not-registered for the device.

Our users are highly mobile and do not have static desks or static dongles.  We've had to disable MDM registration enforcement for wired.
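The lookup flow described in the post above, as an added simulation that is not part of the original thread and not ISE's or JAMF's code or API: a constructed MDM inventory keyed only by MAC address, a normalizer for the different MAC spellings a RADIUS Calling-Station-Id and an inventory tend to use, and a lookup returning the three answers the thread mentions (compliant, non-compliant, unknown). The device names, UDIDs and MAC addresses are made up. The demo shows the wireless MAC resolving, the never-enrolled dock MAC returning unknown, the "pre-register the adapter" workaround fixing that for one device, and the caveat the accepted answer raises: once two machines register the same shared dock, the MAC-only lookup can only return the status of whichever device registered it last.

```python
"""Simulated ISE -> MDM registration lookup keyed on MAC address.

Constructed illustration: not ISE or JAMF code and not their real API.
The inventory, UDIDs and MAC addresses below are made up.
"""
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'
    to lowercase 'aa:bb:cc:dd:ee:ff'. A RADIUS Calling-Station-Id and an MDM
    record rarely agree on separators or case, so compare in one form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Device:
    udid: str
    wifi_mac: str
    compliant: bool
    # Adapter MACs (dongle, dock) an admin pre-registered to this device;
    # empty for a device that enrolled over Wi-Fi only.
    adapter_macs: set = field(default_factory=set)


class MdmInventory:
    """Enrollment records indexed the way the thread describes the query:
    by MAC address only. UDID is kept so we can attach adapters later."""

    def __init__(self, devices):
        self._by_udid = {d.udid: d for d in devices}
        self._by_mac = {}
        for dev in devices:
            for mac in {dev.wifi_mac, *dev.adapter_macs}:
                self._by_mac[normalize_mac(mac)] = dev

    def register_adapter(self, udid: str, mac: str) -> None:
        """Attach an adapter MAC to an enrolled device (the 'pre-register the
        dongle' option). A MAC already mapped to another device is silently
        re-pointed, which is exactly the shared-dock ambiguity."""
        dev = self._by_udid[udid]
        mac = normalize_mac(mac)
        dev.adapter_macs.add(mac)
        self._by_mac[mac] = dev

    def lookup(self, calling_station_id: str) -> str:
        """Return 'compliant', 'non-compliant' or 'unknown' for the MAC ISE
        saw on the wire, with no other endpoint identity available."""
        dev = self._by_mac.get(normalize_mac(calling_station_id))
        if dev is None:
            return "unknown"  # dongle/dock MAC never enrolled -> not registered
        return "compliant" if dev.compliant else "non-compliant"


def demo() -> dict:
    """Walk through the failure mode and the workaround with constructed data."""
    laptop_a = Device(udid="UDID-A", wifi_mac="AA:BB:CC:00:00:01", compliant=True)
    laptop_b = Device(udid="UDID-B", wifi_mac="AA:BB:CC:00:00:02", compliant=False)
    mdm = MdmInventory([laptop_a, laptop_b])
    shared_dock = "DE-AD-BE-EF-00-99"  # one dock at a hot desk, used by both

    results = {}
    results["a_wireless"] = mdm.lookup("AA-BB-CC-00-00-01")   # ISE-style dashes
    results["a_wired_unregistered"] = mdm.lookup(shared_dock)  # dock never enrolled

    mdm.register_adapter("UDID-A", shared_dock)               # workaround for A
    results["a_wired_registered"] = mdm.lookup(shared_dock)

    mdm.register_adapter("UDID-B", shared_dock)               # B docks at the same desk
    results["dock_after_b_registers"] = mdm.lookup(shared_dock)  # A's status is gone
    return results


if __name__ == "__main__":
    for step, answer in demo().items():
        print(f"{step:28s} -> {answer}")
```

The last step is the practical caveat: a MAC-only lookup has no way to tell which laptop is behind a shared dock, so pre-registering adapters only works where a dongle really stays with one user and one machine.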

They don't even use the same dongle every time?

Is there a way to pre-register the dongles to the user in JAMF?

Our desks are not permanent desks assigned to users, so users float between desks all the time. The desks themselves have either dongles or docks. So, multiple users could use the same dongle or dock throughout the week. It would be nice if the JAMF query was always done with the Wi-Fi MAC, as that is the only consistent MAC address on most MacBooks now since they lack wired ports.

I could see that if you are running some kind of agent, but if not, you can only get the MAC on the network.

Personally, I want them to start using domain certs so I can not care about JAMF.


Our workforce is extremely mobile.  Most users travel internationally between offices on a weekly or monthly basis. 

Deploy ISE posture Anyconnect System Scan to manage wired compliance.

This doesn't address the issue of checking for MDM registration.

Don't run wired.

This is a requirement from the business.

Require users to have their own dongle so that its unique and stays with them

This unfortunately is not how the business is architected, and Apple has moved wired ports into the Apple monitors. Most large enterprise Apple MacBook environments are using Apple monitors that double as docks with Ethernet ports. As users move around they're going to be using different Apple monitors and thus different Ethernet ports. When desks don't have Apple monitors, they would then use whatever dongle is available.

My recommendation would be to have the compliance module when installed, share the UDID with the MDM Registration checking process since ISE, JAMF, and the compliance module know the UDID.

I've spoken with imbashir psd and mschmitz before on addressing some high priority bugs in the past and they have been pretty quick in addressing issues in the past.

This will be an enhancement to both ISE and the MDM provider; it's not a bug like the other gentleman said.

I have forwarded it along

We ran into a similar issue today, but I don't think it's an ISE issue, as ISE just asks JAMF if this MAC is compliant and gets a compliant, non-compliant, or unknown device response. It seems to be JAMF and having multiple MACs for a device. The one I saw was a Mac, a dongle, and a dock, so 3 MACs.