topic Re: Documentation - Cisco ISE MAR implementation in Network Access Control

Documentation - Cisco ISE MAR implementation

Giovanni Di Venuta — Tue, 14 Jan 2020 21:28:44 GMT

Dear All,

can someone please point me a documentation (slides/video/workd) to describe guidelines to implement MAR (

Machine + User Auth) on windows platform ?

Thanks

Giovanni

Re: Documentation - Cisco ISE MAR implementation

Greg Gibbs — Wed, 15 Jan 2020 22:45:18 GMT

Hi Giovanni,

MAR is not a configuration in the supplicant, but rather an attempt by the RADIUS server to cache the machine credential and tie that to the user credential for the same MAC address. The only configuration in the Windows supplicant would be to ensure the 802.1x authentication mode is configured for 'User or computer authentication'

That said, MAR has various known issues is not recommended.

I know of many customers that quickly moved away from using MAR as these known issues were causing multiple user experience complaints.

The best option currently available would be to use Cisco AnyConnect NAM and EAP-Chaining.

ISE 2.7 does support EAP-TEAP, but Microsoft has not yet released support for TEAP in the Windows supplicant.

Cheers,

Greg

Re: Documentation - Cisco ISE MAR implementation

Giovanni Di Venuta — Thu, 16 Jan 2020 16:04:58 GMT

what is the benefit to use AC NAM vs native supplicant ?

Thanks
Giovanni

Re: Documentation - Cisco ISE MAR implementation

Greg Gibbs — Thu, 16 Jan 2020 20:43:19 GMT

In short, the Windows native supplicant currently only supports EAP types that can send one credential at a time, whereas AC NAM supports EAP-FASTv2 with EAP-Chaining that enables sending both the machine and user credentials in the same message.

Take a look at this article written by one of the Cisco Technical Marketing Engineers.

Machine Authentication and User Authentication

Cheers,

Greg