cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

127
Views
0
Helpful
3
Replies
Cisco Employee

Documentation - Cisco ISE MAR implementation

Dear All,

 

can someone please point me  a documentation (slides/video/workd) to describe guidelines to implement MAR (

Machine + User Auth) on windows platform ?

 

Thanks

Giovanni

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Documentation - Cisco ISE MAR implementation

Hi Giovanni,

MAR is not a configuration in the supplicant, but rather an attempt by the RADIUS server to cache the machine credential and tie that to the user credential for the same MAC address. The only configuration in the Windows supplicant would be to ensure the 802.1x authentication mode is configured for 'User or computer authentication'

 

That said, MAR has various known issues is not recommended.

I know of many customers that quickly moved away from using MAR as these known issues were causing multiple user experience complaints.

The best option currently available would be to use Cisco AnyConnect NAM and EAP-Chaining.

ISE 2.7 does support EAP-TEAP, but Microsoft has not yet released support for TEAP in the Windows supplicant.

 

Cheers,

Greg

View solution in original post

3 REPLIES 3
Cisco Employee

Re: Documentation - Cisco ISE MAR implementation

Hi Giovanni,

MAR is not a configuration in the supplicant, but rather an attempt by the RADIUS server to cache the machine credential and tie that to the user credential for the same MAC address. The only configuration in the Windows supplicant would be to ensure the 802.1x authentication mode is configured for 'User or computer authentication'

 

That said, MAR has various known issues is not recommended.

I know of many customers that quickly moved away from using MAR as these known issues were causing multiple user experience complaints.

The best option currently available would be to use Cisco AnyConnect NAM and EAP-Chaining.

ISE 2.7 does support EAP-TEAP, but Microsoft has not yet released support for TEAP in the Windows supplicant.

 

Cheers,

Greg

View solution in original post

Cisco Employee

Re: Documentation - Cisco ISE MAR implementation

what is the benefit to use AC NAM vs native supplicant ?

Thanks
Giovanni
Cisco Employee

Re: Documentation - Cisco ISE MAR implementation

In short, the Windows native supplicant currently only supports EAP types that can send one credential at a time, whereas AC NAM supports EAP-FASTv2 with EAP-Chaining that enables sending both the machine and user credentials in the same message.

Take a look at this article written by one of the Cisco Technical Marketing Engineers.

Machine Authentication and User Authentication 

 

Cheers,

Greg