topic ACS 5.3 MAR Timeout with Windows XP in Network Access Control

ACS 5.3 MAR Timeout with Windows XP

chris.mccormick — Mon, 11 Mar 2019 02:31:36 GMT

All, here is my current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements that I make below are what I have gathered from reading on forums, some of them might be incorrect.

In the ACS Under “External Identity Stores” and “Active Directory”, there is a check box called “Enable Machine Access Restrictions” if it is checked and the Aging time is set to 8 hours and a Windows XP machine authenticates using it’s Domain credentials it will gain access to the network but if that computer is not rebooted after the 8 hours is up, Windows XP will not send it machine credentials again, it will only send the user/pass of the user and will loose access to the network. The problem we have is that most of the users do not shutdown their computers when they go home, they hibernate the computers thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send it’s domain credentials again but from every forum I have read on, Windows XP will not send it again until it get rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the mean time I have changed the aging time to 8760 hours but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward what are my options to make this work properly?

-Is there a way to fix Windows XP?

-Is there a recommendation on how to bypass this issue but still give us decent security?

-Is setting the aging time so high, a non security issue?

-I guess worst case scenario, the customer can try to educate all the students and staff to reboot their machines every morning?

Thoughts ideas?

Thanks,

ACS 5.3 MAR Timeout with Windows XP

Tarik Admani — Mon, 10 Sep 2012 22:45:29 GMT

Chris,

Hi your issue seems to be one that is common when enforcing MAR on XP clients. The best solution for you is to use anyconnect NAM as your supplicant. It is free and unlicensed if you have Cisco product tied to you ccoid. Which in this case will be ACS. You can use the NAM profile editor to set the authenticating network for (peap or tls) and choose it to perform computer and machine authentication. From my experience working with NAM is that it will send the computer authenticate and user authentication information over when associating to the SSID.

Also there is a new feature in Anyconnect NAM called Eap-chaining, you can set the order on if you prefer computer authentication followed by user authentication, this is however supported by ISE 1.1.1 (MR), however ACS is due for a version update soon and I have a feeling that this may also be a feature added to the ACS line, but I can't confirm for sure.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 MAR Timeout with Windows XP

chris.mccormick — Wed, 12 Sep 2012 20:44:45 GMT

Thank you Tarik, I am working with my customer next week to test the anyconnect NAM, once I get the results I will reply back..

Thanks,

ACS 5.3 MAR Timeout with Windows XP

vincentbelliard — Thu, 25 Oct 2012 08:44:10 GMT

Chris,

I have the exact same problem on my network. I use AnyConnect on my XP computer but still the problem remains.

Did you find a solution to this problem?

Thanks,

Simon

ACS 5.3 MAR Timeout with Windows XP

chris.mccormick — Thu, 25 Oct 2012 14:17:46 GMT

Simon, I was able to get the XP computer working by setting up a profile to authenticte "Machine Auth" only, when I tried to authenticate both machine and user it fails. At this point I am sticking with machine only.

Thanks,