topic Re: ISE - Machine Authentication vs Machine Access Restrictions in Network Access Control

ISE - Machine Authentication vs Machine Access Restrictions

DarylBrooks — Fri, 21 Feb 2020 18:32:41 GMT

Hello all.

My organisation has recently implemented Cisco ISE and we have come up against an issue.

The issue relates to the Machine Access Restrictions option within Advanced Authentication Settings, whereby users must reboot their machines in order to gain access to the network when they switch from Wired to Wireless. From this Cisco article I can see that with MAR enabled there is no way around this issue.

My question is, what is the difference between Machine Authentication and MAR, is Machine Authentication (via certificate on client machine) still required even if MAR is turned off, or is MAR a requirement for client certificate authentication.

Apologies if this has been answered before, if it has please point me in the direction of any documentation.

Thanks,

Daryl

Re: ISE - Machine Authentication vs Machine Access Restrictions

Rob Ingram — Tue, 22 Aug 2017 16:00:10 GMT

Hi Daryl,

MAR = machine authenticated and user authenticated. As in both must succeed in order to be permitted access. There are a number of cons to this, which the article you referenced describes. MAR is basically restricting an authenticated user to connect only if the machine was authenticated.

Machine Authentication on it's own, is independent from a user authentication. 1 does not necessarily have to succeed for the other to succeed. You can configure windows to only use computer authentication or only user authentication. Though you may want to do both in order to process machine and user AD group policies. If you do want to do both, then these will be seperate authentications.

No, MAR is not a requirement for client certificate authentication.

If you use AnyConnect NAM as the supplicant instead of the windows native supplicant you can do EAP Chaining which combines both machine and user authenticaton, but also resolves some of the issues around MAR.

HTH

Re: ISE - Machine Authentication vs Machine Access Restrictions

DarylBrooks — Wed, 23 Aug 2017 09:07:16 GMT

Thank you for your response, forgive me if I am asking a silly question, but is it possible to force BOTH user and machine authentication without using MAR?

In theory, it might be overkill as client machines with the certificate installed will only be accessible by domain users, but if this is possible it would be nice to have the extra layer of
network security on top of domain security.

Thanks,
Daryl

Re: ISE - Machine Authentication vs Machine Access Restrictions

Rob Ingram — Wed, 23 Aug 2017 12:59:26 GMT

Hi Daryl,

Yes, I assume you will use windows group policies to push down the configuration to the computers? If so, then under Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies - specify Authentication Mode as "User or computer authentication". This will therefore authenticate the user and computer.

HTH

Re: ISE - Machine Authentication vs Machine Access Restrictions

ajc — Wed, 23 Aug 2017 19:40:26 GMT

the following video applies to 1.4 or 2.x ISE version if you want machine and user authentication NO MAR.

https://www.youtube.com/watch?v=bjH99xKepLY

Re: ISE - Machine Authentication vs Machine Access Restrictions

fatalXerror — Thu, 04 Apr 2019 16:58:33 GMT

Hi @Rob Ingram,

Based on my understanding with your statement, if I configured my Windows supplicant into a computer-only authentication, I can transfer connection (wired to wireless) without rebooting the machine, am I correct?

Thanks

Re: ISE - Machine Authentication vs Machine Access Restrictions

Rob Ingram — Thu, 04 Apr 2019 19:23:21 GMT

Hi,
Correct. Rebooting of the computer would only be required if using MAR (computer and user authentication), as the computer authentication would be tied to the mac address of either the wired or wireless nic. So moving from wired to wireless or vice versa would cause an issue with MAR.

HTH

Re: ISE - Machine Authentication vs Machine Access Restrictions

fatalXerror — Fri, 05 Apr 2019 10:19:27 GMT

Hi @Rob Ingram ,

Thanks for the clarification.

If I only use machine authentication, can I still see who is the user who logs into that authenticated machine if I dig down the RADIUS Live Logs?

Thanks

Re: ISE - Machine Authentication vs Machine Access Restrictions

Rob Ingram — Fri, 05 Apr 2019 10:28:53 GMT

No, if you are only performing machine authentication, only the machine account will be in the logs.

Re: ISE - Machine Authentication vs Machine Access Restrictions

fatalXerror — Sat, 06 Apr 2019 14:39:53 GMT

Hi @Rob Ingram, just to clarify about the reboot matter.

Reboot or logging-off the machine will be no need if I am just using machine authentication setting my windows supplicant to "computer only" as its authentication method, am I correct?

Thanks

Re: ISE - Machine Authentication vs Machine Access Restrictions

fatalXerror — Sat, 06 Apr 2019 14:42:21 GMT

@Rob Ingram

just to clarify about the reboot matter.

Reboot or logging-off the machine will be no need if I am just using machine authentication setting my windows supplicant to "computer only" as its authentication method, am I correct?

Thanks

Re: ISE - Machine Authentication vs Machine Access Restrictions

Rob Ingram — Sat, 06 Apr 2019 16:20:29 GMT

Correct