topic Just to let you know, we in Network Access Control

Cisco ISE MAR Cache

JAMES WEST — Mon, 11 Mar 2019 07:55:30 GMT

Hello All.

I am looking at deploying 802.1x being authenticated against ISE, and l have the following 2 questions:

Can ISE authenticate both Wired & Wireless windows machine, without using AnyConnect? Or is it a case that ISE autenticates the Wired Machine Auth, and if the user then moves onto their Wireless adaptor, this will not be in the MAR cache, so the machine is not authenticated and wireless does not work.
How do you determine what Machines/Devices are in the MAR cache?

Thanks,

James

Hi James,

Rob Ingram — Thu, 10 Aug 2017 18:00:09 GMT

Hi James,

Yes, ISE can authenticate windows machine, when connected to a wired or wireless network. Specify this in the Windows AD GPO when using native windows supplicant.

I've not used MAR, but you are correct. A wired and wireless machine authentication are classed as 2 seperate authentications (different adapter mac addresses), thus causing an issue when you want to chain machine + user authentications. Only EAP Chaining which requires AnyConnec, this can properly combine machine + user authentications and not break when the laptop moves from being connected to a wifi network then connected to a wired network.

HTH

Hi Rob,

JAMES WEST — Fri, 11 Aug 2017 08:04:17 GMT

Hi Rob,

Thanks for your response and clarifying what l thought may be the case.

Thanks,

James

Following on from Rob's help

JAMES WEST — Fri, 11 Aug 2017 08:29:44 GMT

Following on from Rob's help above, if we wanted to implement the following would this allow wired & wireless authentication:

I believe the "username" for machines when using PEAP is something like this "host/FQDN..." Thus, you could probably use a rule that states if the RADIUS username "contains" either your domain or a pattern used by machines on your domain.

However, the easiest way to distinguish between domain joined and non-domain joined is the have ISE check with AD. Thus, your rule can have something like this:

1. If "external group" = "domain computers"

2. If "identity access restricted" = "false"

3. Then "full access"

This will ensure that the computer that is trying to authenticate and authorize on the network is actually joined to the domain. One thing you will need to make sure that your AD is locked down because I think by default any domain users can join up to 10 workstations to the domain.

The AD Probe will also be

Rob Ingram — Fri, 11 Aug 2017 14:09:33 GMT

The AD Probe will also be able to determine whether a machine is joined to AD.

In addition to Rob's comments

JAMES WEST — Tue, 15 Aug 2017 16:28:06 GMT

In addition to Rob's comments.

Does anyone one know how to find what machines have been added to the MAR Cache? If so, can you let me know.

Thanks,

James

Just to let you know, we

JAMES WEST — Wed, 16 Aug 2017 20:08:25 GMT

Just to let you know, we raised a TAC case to investigate this, as we were troubleshooting Win10 logins. The TAC engineer confirmed there is no way to see what devices are in the MAR Cache, which is a bit of a shame.