https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096109#M183887 <HTML><HEAD></HEAD><BODY><P>Hello Djordje-</P><P></P><P>MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away. </P><P></P><P><EM>Thanks you for rating!</EM></P></BODY></HTML> Mon, 24 Dec 2012 23:22:59 GMT nspasov 2012-12-24T23:22:59Z https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096108#M183879 <P>Hello everyone,</P><P></P><P>I am testing MAR(Machine Access Restriction) feature upon client request. I got it working, when user that joins ACS to Active Directory is member of Domain Admin group.</P><P>Now, when In follow ACS config guide and set user rights to&nbsp; "Add workstations to domain user right in corresponding domain"</P><P>MAR is not working.</P><P> In Radius log I see error:</P><P><STRONG>24423&nbsp; ACS has not been able to confirm previous successful machine authentication for user in Active Directory</STRONG></P><P></P><P></P><P>Has anyone tried this, and what level of user rights is needed for MAR to work in your implementation ?</P><P></P><P>Thank you,</P><P>Djordje Zecevic </P> Mon, 11 Mar 2019 02:54:53 GMT https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096108#M183879 Djordje Zecevic 2019-03-11T02:54:53Z https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096109#M183887 <HTML><HEAD></HEAD><BODY><P>Hello Djordje-</P><P></P><P>MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away. </P><P></P><P><EM>Thanks you for rating!</EM></P></BODY></HTML> Mon, 24 Dec 2012 23:22:59 GMT https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096109#M183887 nspasov 2012-12-24T23:22:59Z https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096110#M183897 <HTML><HEAD></HEAD><BODY><P>Hello Neno,</P><P></P><P>You pointed me in right direction. Results that I describe earlier are MAR cache induced. I have working config:</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/3/2/1/125123-acs.PNG" class="jive-image" /></P><P>Where first rule is match when computer is booting up(alternatively I could match AD computer group). When computer is boot rules puts him on restricted vlan 131 from where user can be authenticated.</P><P></P><P>After user log on to computer, he is re-authenticated and assigned vlan 132 which is unrestricted.</P><P></P><P>Alternatively I could add default rule to put users in guest vlan.</P><P></P><P>Regards,</P><P>Djordje</P></BODY></HTML> Tue, 15 Jan 2013 15:19:30 GMT https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096110#M183897 Djordje Zecevic 2013-01-15T15:19:30Z https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096111#M183915 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN style="font-size: 10pt;">Djordje</SPAN></P><P>-</P><P></P><P>I am glad I was able to point you in the right direction! </P><P></P><P>I don't know what your requirements are but if the rules that you described worked then great <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> Also, you can combine both rules where MAR and domain user credentials are checked. If you end up doing this I would recommend that you set the MAR timer to at least 168 hours (one week) that way users don't have to reboot their computers through a working week. </P><P></P><P><EM>If your quesion is resolved please mark the thread as "answered"</EM></P></BODY></HTML> Tue, 15 Jan 2013 16:40:13 GMT https://community.cisco.com/t5/network-access-control/acs-5-x-mar-feature-problem/m-p/2096111#M183915 nspasov 2013-01-15T16:40:13Z