topic Thanks for your reply, Sandy; in Network Access Control

ISE MAR cache

tgrundbacher — Mon, 11 Mar 2019 04:43:11 GMT

Does anybody know what's going to happen if one changes the MAR cache timeout/aging setting found under Identity Management > External Identity Sources > Active Directory > Advanced Settings? Are the current cache entries going to get cleared or are they going to stay? Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?

Depending on the answer to these questions, I have to make the aging timeout change during a maintenance window on the customer's infrastructure. Using ISE 1.2, patch 6.

Oh, and another question: Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?

Thanks

Toni

Hi Toni,Machine Access

SANTHOSHKUMAR SARAVANAN — Wed, 14 May 2014 12:32:16 GMT

Hi Toni,

Machine Access Restriction for Active Directory User Authorization

Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.

Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.

When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:

If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html

HTH

Sandy

Thanks for your reply, Sandy;

tgrundbacher — Wed, 14 May 2014 12:42:37 GMT

Thanks for your reply, Sandy; unfortunately, it doesn't answer any of my questions.

Hi , If i understand your

SANTHOSHKUMAR SARAVANAN — Wed, 14 May 2014 12:51:18 GMT

Hi ,

If i understand your request , your questionnaire is about MAR cache time out during your maintenance window right ?? or You look for some other things

MAR cache timeout/aging setting found under

HTH

Sandy

Are the current cache entries

tgrundbacher — Wed, 14 May 2014 12:59:13 GMT

Are the current cache entries going to get cleared or are they going to stay?
Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?
Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?

Hi Are the current cache

SANTHOSHKUMAR SARAVANAN — Wed, 14 May 2014 14:45:16 GMT

Are the current cache entries going to get cleared or are they going to stay? : Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires
Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them? yes you can see in logs
CacheTracker
ise-tracking.log

See under Downloading Debug Logs

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mnt.html

Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more? For Pro & Cons go through below document
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

HTH

Sandy

Thanks for your input, Sandy

tgrundbacher — Wed, 14 May 2014 15:06:42 GMT

Thanks for your input, Sandy.

The Cisco documentation still doesn't state what happens to the entries in the cache when you MODIFY the MAR aging timeout during operation. I'm well aware what happens if you LEAVE the timer as it is. Up to this point we can only speculate that the entries will stay, but I have to be sure before I go ahead.
It's good to know that there is a log for the cache tracker, thanks.
Reading the last link won't let me think that increasing the MAR cache aging timer will degrade performance, security or functionality in any way, so...I guess I can only find out if that's true if I try it out.