Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1878
Views
0
Helpful
3
Replies

Documentation - Cisco ISE MAR implementation

Go to solution
Giovanni Di Venuta
Cisco Employee
Cisco Employee

‎01-14-2020 01:28 PM

Dear All,

 

can someone please point me  a documentation (slides/video/workd) to describe guidelines to implement MAR (

Machine + User Auth) on windows platform ?

 

Thanks

Giovanni

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎01-15-2020 02:45 PM

Hi Giovanni,

MAR is not a configuration in the supplicant, but rather an attempt by the RADIUS server to cache the machine credential and tie that to the user credential for the same MAC address. The only configuration in the Windows supplicant would be to ensure the 802.1x authentication mode is configured for 'User or computer authentication'

 

That said, MAR has various known issues is not recommended.

I know of many customers that quickly moved away from using MAR as these known issues were causing multiple user experience complaints.

The best option currently available would be to use Cisco AnyConnect NAM and EAP-Chaining.

ISE 2.7 does support EAP-TEAP, but Microsoft has not yet released support for TEAP in the Windows supplicant.

 

Cheers,

Greg

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎01-15-2020 02:45 PM

Hi Giovanni,

MAR is not a configuration in the supplicant, but rather an attempt by the RADIUS server to cache the machine credential and tie that to the user credential for the same MAC address. The only configuration in the Windows supplicant would be to ensure the 802.1x authentication mode is configured for 'User or computer authentication'

 

That said, MAR has various known issues is not recommended.

I know of many customers that quickly moved away from using MAR as these known issues were causing multiple user experience complaints.

The best option currently available would be to use Cisco AnyConnect NAM and EAP-Chaining.

ISE 2.7 does support EAP-TEAP, but Microsoft has not yet released support for TEAP in the Windows supplicant.

 

Cheers,

Greg

0 Helpful

Go to solution
Giovanni Di Venuta
Cisco Employee
Cisco Employee
In response to Greg Gibbs

‎01-16-2020 08:04 AM

what is the benefit to use AC NAM vs native supplicant ?

Thanks
Giovanni
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Giovanni Di Venuta

‎01-16-2020 12:43 PM

In short, the Windows native supplicant currently only supports EAP types that can send one credential at a time, whereas AC NAM supports EAP-FASTv2 with EAP-Chaining that enables sending both the machine and user credentials in the same message.

Take a look at this article written by one of the Cisco Technical Marketing Engineers.

Machine Authentication and User Authentication 

 

Cheers,

Greg

 

 

0 Helpful
Customers Also Viewed These Support Documents