ISE 1.4 - Clearing MAR Cache

abhijith891 — Wed, 19 Jun 2019 15:27:54 GMT

Hello All,

We are running ISE 1.4 in our environment. We have a particular user where its showing that the user account is locked when authenticating on ISE against an AD. Have attached a screenshot for reference. I want to clear the cached credentials content of ISE of that particular user. Is there any way we can do it? Any other solution will also be highly appreciated.

Regards.

Re: ISE 1.4 - Clearing MAR Cache

nspasov — Wed, 19 Jun 2019 18:30:39 GMT

Unless this is a defect or a functionality of ISE 1.4, ISE does not cache the AD credentials of the authenticating user. Instead, it simply acts as a "proxy" where it asks the user for credentials then passes those to the external identity source which in turn informs ISE if the authentication failed, succeeded, account is locked, user groups, etc. Thus, the users getting locked out has nothing to do with ISE and it is probably due to users fat-fingering their password which will trigger a lockout based on default dot1x and AD/GPO settings. You can take a look at a similar thread that talks more about this and provides some pointers around tweaking your GPO and ISE settings:

https://community.cisco.com/t5/policy-and-access/ise-ad-account-locked-trying-to-authenticate-on-ssid/td-p/3219076

The MAR cache aging is controlled at Administration > Identity Management > External Identity Sources > AD > Advanced Settings. However, MAR (Machine Access Restriction) is something completely different and is not tied to your AD user. Please see the following link:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

I hope this helps!

Thank you for rating helpful posts!

topic ISE 1.4 - Clearing MAR Cache in Network Access Control

ISE 1.4 - Clearing MAR Cache

Re: ISE 1.4 - Clearing MAR Cache