topic There is no such config for in Network Access Control

Cisco ISE 2.1 MAR Feature

Jay233 — Mon, 11 Mar 2019 07:16:16 GMT

All,

Machine Access Restriction (MAR) Cache Persistency

Cisco ISE stores the MAR cache content, calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the Cisco ISE application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of its application services.

Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live when the Cisco ISE application services get restarted. When the application services of a Cisco ISE instance come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, then Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.

Does anyone have any config for this feature and brief explanations of operation, TTL's etc.

Cheers,

There is no such config for

Gagandeep Singh — Tue, 06 Dec 2016 15:00:33 GMT

There is no such config for this feature.

The Policy Service nodes in a distributed deployment do not share their Machine Access Restriction (MAR) cache with each other. If you have enabled the MAR feature in Cisco ISE and the client machine is authenticated by a Policy Service node that fails, then another Policy Service node in the deployment handles the user authentication. However, the user authentication fails because the second Policy Service node does not have the host authentication information in its MAR cache.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#concept_6D26AEAD132A45DB91C51ED0B8890746

Regards

Gagan

rate if it helps!!!

Gagan is correct. The MAR

nspasov — Tue, 06 Dec 2016 18:19:53 GMT

Gagan is correct. The MAR cache share/sync between nodes is currently only available for Cisco ACS. On ISE this feature is still not available. The latest MAR enhancement with version 2.1 is the Persistent MAR Cache where the MAR data is stored on the local disk of each ISE server:

Persistent Machine Access Restriction (MAR) Cache
Cisco ISE stores the MAR cache content, calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the Cisco ISE application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of its application services.
Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live when the Cisco ISE application services get restarted. When the run-time services of an Cisco ISE instance come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, then Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.

Also MAR comes with tons of limitations and as a result I always advice against it. A while back we had a good discussion here. Here is the link for it:

https://supportforums.cisco.com/discussion/12735486/machine-access-restrictions-mar

I hope this helps!

Thank you for rating helpful posts!

Re: Gagan is correct. The MAR

Freemen — Fri, 18 Jan 2019 17:28:41 GMT

can we put all ISE in the same node group? so the MAR can be sync? but the ISE PSN is over WAN

Re: Gagan is correct. The MAR

hslai — Sun, 17 Feb 2019 16:47:36 GMT

Potentially yes but not recommended as it may contribute to delays in ISE auth processes.

PS: Please start your own thread and reference an existing one instead of posting to a thread that dormant for months and already answered.