topic Hi Tarik, in Network Access Control

Cisco ISE Machine Access Restrictions MAR

Nicholas Poole — Tue, 26 Mar 2019 00:29:12 GMT

I want to test out MAR. I notice there is a tick box on the ISE for MAR under: Identity Management --> External Identity Sources --> Active Directory --> Advanced Settings --> [tick] Enable Machine Access Restrictions

but also there is this condition that is to be used in the AuthZ Policy

Network Access:WasMachineAuthenticated

So...

What does the tick box option do?

Are they related or refer to different things?

Are both needed to get a MAR AuthZ to work?

Any of clarifying or beneficial info?

thanks

Cisco ISE Machine Access Restrictions MAR

Tarik Admani — Tue, 21 Aug 2012 15:30:14 GMT

Hi,

Your are correct you will have to create an authorization condition that checks if the machine authenticated successfully.

So...

What does the tick box option do?

When you enable MAR globally it lets the ISE know to build a cache for endpoints that successfully perform machine authentication.

Are they related or refer to different things?

They work hand in hand.

Are both needed to get a MAR AuthZ to work?

Yes, you will have to create another authorization policy to allow domain computers to connect.

Any of clarifying or beneficial info?

When MAR is enabled, you will have to enable machine and user authentication to your laptop, after MAR succeeds ISE builds an entry in its database mapping the endpoint (mac address) to a successful machine authentication, after when a user authenticates not only do they have to provide the correct credentials but the mac address they are authenticating through will have an entry in the "MAR cache", keep in mind that some supplicants only perform machine authentication when logging on and off, and on boot up. If you want to use MAR i suggest using the Anyconnect NAM client, there is a new feature in ISE 1.1.1 and the latest client that allows you to perform eap chaining.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tariq,MAR is anebled in my

Sherief Ahmed — Wed, 21 Oct 2015 14:17:23 GMT

Hi Tariq,

MAR is anebled in my configuration, Please informed that i just authenticate machine against domain membership and authenticate users with domain username and password.

Is domain membership for machines consider authentication and work with MAR?

Sherif

Hi Tarik,

Pranav Gade — Tue, 10 Nov 2015 17:47:33 GMT

Hi Tarik,

We are running with ISE 1.4.1 with PEAP (Machine + User ) Authentication with multi domain. This works as expected first domain auth then user auth but if we connects non domain laptop with 802.1x service enable still it’s getting access to network.

can you guide me how we can restrict this scenario?

Thanks in advance