<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: MAR cache entry is purged on ISE in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742620#M578914</link>
    <description>&lt;P&gt;Why do you need MAR at all?&amp;nbsp; Personally I think an upgrade from 2.4 to 3.1 would be a perfect time to migrate off of MAR.&lt;/P&gt;</description>
    <pubDate>Tue, 20 Dec 2022 13:13:33 GMT</pubDate>
    <dc:creator>ahollifield</dc:creator>
    <dc:date>2022-12-20T13:13:33Z</dc:date>
    <item>
      <title>MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4497087#M570814</link>
      <description>&lt;P&gt;ISE 3.0&lt;/P&gt;&lt;P&gt;What happens to a connected client if the MAR cache entry is purged on ISE and they get a RADIUS session timeout / reauth request while connected?&lt;/P&gt;&lt;P&gt;Our MAR cache setting is 18 hours; if someone is logged in for 19 hours, will they get disconnected and will the machine re-authenticate?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Nov 2021 11:29:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4497087#M570814</guid>
      <dc:creator>Anthony O'Reilly</dc:creator>
      <dc:date>2021-11-03T11:29:17Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4497507#M570837</link>
      <description>&lt;P&gt;If a reauth happens and the user is logged in, the native supplicant will not reauth the machine session if you're using EAP methods like EAP-TLS or PEAP. This is one of the many issues inherent in MAR and why using MAR should be avoided unless absolutely necessary. I've had many customers that used MAR only to quickly get rid of it due to increased calls to the helpdesk.&lt;/P&gt;
&lt;P&gt;See &lt;A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html" target="_blank" rel="noopener"&gt;Machine Access Restriction Pros and Cons&lt;/A&gt; for other issues that MAR can cause.&lt;/P&gt;
&lt;P&gt;The only efficient way of tying a computer and user session together using the Windows native supplicant is by using &lt;A href="https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/" target="_blank" rel="noopener"&gt;TEAP&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Wed, 03 Nov 2021 21:56:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4497507#M570837</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2021-11-03T21:56:00Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742510#M578910</link>
      <description>&lt;P&gt;Hi Greg,&lt;/P&gt;&lt;P&gt;We are going to migrate our 2.4 deployment to a new 3.1 one. Unfortunately we have to rely on MAR and MAR cache distribution. I remember that in 2.4 there was an issue where MAR cache distribution was not actually enabled in spite of the configuration saved in the GUI. It seems that the issue is present in ISE 3.1 as well. We have 4 PSNs and two PSN groups, let's say group A and group B, both with MAR cache distribution enabled. We performed some tests and everything seems to work in group A but not in group B. I tried to delete and recreate group B and assign the node back, with no luck. The most frustrating thing with MAR is the lack of documentation for troubleshooting and the lack of cache inspection. During the 2.4 deployment setup I was able to find the right debug log to enable but I can't remember which it was. Could you please give me some hints for troubleshooting MAR cache distribution issues using the ISE logs?&lt;BR /&gt;Regards&lt;BR /&gt;M&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2022 10:31:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742510#M578910</guid>
      <dc:creator>marco.merlo</dc:creator>
      <dc:date>2022-12-20T10:31:38Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742620#M578914</link>
      <description>&lt;P&gt;Why do you need MAR at all?&amp;nbsp; Personally I think an upgrade from 2.4 to 3.1 would be a perfect time to migrate off of MAR.&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2022 13:13:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742620#M578914</guid>
      <dc:creator>ahollifield</dc:creator>
      <dc:date>2022-12-20T13:13:33Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742622#M578915</link>
      <description>&lt;P&gt;Unfortunately we can't.&lt;/P&gt;&lt;P&gt;We do not use AnyConnect as the supplicant, and the Windows native supplicant seems not to support TEAP on Active Directory joined machines...&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;M&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2022 13:18:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742622#M578915</guid>
      <dc:creator>marco.merlo</dc:creator>
      <dc:date>2022-12-20T13:18:38Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742626#M578916</link>
      <description>&lt;P&gt;TEAP certainly works on domain joined machines.&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2022 13:30:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742626#M578916</guid>
      <dc:creator>ahollifield</dc:creator>
      <dc:date>2022-12-20T13:30:41Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742636#M578917</link>
      <description>&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;I'll ask the guys in charge of GPO administration again, since they showed me that TEAP is not listed among the EAP methods one can configure by GPO, nor when looking directly at the 802.1X configuration tab in the NIC properties of a joined PC. I read something about exporting an XML profile from a non-joined PC on which TEAP has been configured and then importing it into the tool they use to build GPOs, but I am afraid there would be some issue with Microsoft support.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;M&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2022 13:54:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742636#M578917</guid>
      <dc:creator>marco.merlo</dc:creator>
      <dc:date>2022-12-20T13:54:14Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742898#M578927</link>
      <description>&lt;P&gt;It is not a matter of support by Microsoft; it's more a matter that MS has not updated the GPO model in quite some time, so TEAP is not an option directly in the GPO. TEAP is supported by the Windows native supplicant from Windows build 2004 and options for configuring the supplicant (including using XML or the RSAT tool) are discussed here:&lt;BR /&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289" target="_blank"&gt;https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2022 21:18:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4742898#M578927</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2022-12-20T21:18:08Z</dc:date>
    </item>
    <item>
      <title>Re: MAR cache entry is purged on ISE</title>
      <link>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4743098#M578933</link>
      <description>&lt;P&gt;Thanks Greg, this is the post I read.&lt;/P&gt;&lt;P&gt;I'd like to introduce TEAP but using MSCHAPv2 as the "inner" method; do you think it is possible?&lt;/P&gt;&lt;P&gt;Since this new method will impact more than 10k clients and I have to convince the staff in charge of GPO management to add the new policy, I estimate not less than 6 months during which we have to keep on leveraging MAR.&lt;/P&gt;&lt;P&gt;Do you have some tips to debug MAR cache issues?&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;M&lt;/P&gt;</description>
      <pubDate>Wed, 21 Dec 2022 08:22:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mar-cache-entry-is-purged-on-ise/m-p/4743098#M578933</guid>
      <dc:creator>marco.merlo</dc:creator>
      <dc:date>2022-12-21T08:22:49Z</dc:date>
    </item>
  </channel>
</rss>

