ISE 1.4 - Clearing MAR Cache

abhijith891
Level 1

Hello All,


We are running ISE 1.4 in our environment. We have a particular user where it's showing that the user account is locked when authenticating on ISE against an AD. Have attached a screenshot for reference. I want to clear the cached credentials content of ISE of that particular user. Is there any way we can do it? Any other solution will also be highly appreciated.


Regards.

Accepted Solution

nspasov
Cisco Employee

Unless this is a defect or a functionality of ISE 1.4, ISE does not cache the AD credentials of the authenticating user. Instead, it simply acts as a "proxy" where it asks the user for credentials then passes those to the external identity source which in turn informs ISE if the authentication failed, succeeded, account is locked, user groups, etc. Thus, the users getting locked out has nothing to do with ISE and it is probably due to users fat-fingering their password which will trigger a lockout based on default dot1x and AD/GPO settings. You can take a look at a similar thread that talks more about this and provides some pointers around tweaking your GPO and ISE settings:

https://community.cisco.com/t5/policy-and-access/ise-ad-account-locked-trying-to-authenticate-on-ssid/td-p/3219076


The MAR cache aging is controlled at Administration > Identity Management > External Identity Sources > AD > Advanced Settings. However, MAR (Machine Access Restriction) is something completely different and is not tied to your AD user. Please see the following link:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

I hope this helps!

Thank you for rating helpful posts!


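Since the answer places the lockout on the AD/GPO side rather than in anything ISE caches, the practical check is to look at the lockout policy and the per-DC bad-password counters for the affected user. The following PowerShell is an added example, not code from the thread or from Cisco; it assumes the ActiveDirectory RSAT module on a domain-joined admin host, and $SamAccountName is a placeholder for the user in question.

```powershell
# Added example: locate the source of an AD account lockout that surfaces as
# "account locked" in ISE authentication reports. Assumes RSAT ActiveDirectory
# module; $SamAccountName is a placeholder for the affected user.
Import-Module ActiveDirectory
$SamAccountName = 'jdoe'   # placeholder: replace with the affected user

# 1. Domain lockout policy (GPO-driven): this, not ISE, decides when the
#    account locks after repeated bad passwords from a supplicant.
$policy = Get-ADDefaultDomainPasswordPolicy
"LockoutThreshold={0} Duration={1} ObservationWindow={2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

# 2. Current lock state as seen by the DC this session is bound to.
Get-ADUser -Identity $SamAccountName -Properties LockedOut, AccountLockoutTime |
    Select-Object SamAccountName, LockedOut, AccountLockoutTime

# 3. badPwdCount / LastBadPasswordAttempt are not replicated between DCs, so
#    query each DC to find the one that actually saw the failed attempts.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $u  = Get-ADUser -Identity $SamAccountName -Server $dc `
              -Properties badPwdCount, LastBadPasswordAttempt
    [pscustomobject]@{
        DC                     = $dc
        BadPwdCount            = $u.badPwdCount
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
    }
} | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# 4. Event 4740 on the PDC emulator records which client caused the lockout
#    (Properties[1] is the caller computer name), e.g. a device that still
#    holds an old password for the Wi-Fi/dot1x profile.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 50 |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    Select-Object TimeCreated, @{n='CallerComputer'; e={ $_.Properties[1].Value }}

# 5. Only after the offending client is fixed, clear the lock on the AD side.
# Unlock-ADAccount -Identity $SamAccountName
```

Reading the Security log on the PDC emulator needs Event Log Readers (or equivalent) rights on that DC.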
