08-23-2016 08:28 AM - edited 03-11-2019 12:01 AM
We are looking at adding Windows machine authentication to our wireless policy, and to do so with ACS it appears you need to use MAR. From what I have found, the Windows machine authentication is only done once, when a user logs into the machine. My question is, what if a user logs into the machine and then tries to connect to the wireless network? We can make it ask for the user's credentials or the Windows credentials to authenticate the user, but will the machine authentication work, being that they were already logged onto the machine? Is MAR only good for when a machine connects to the wireless and processes authentication when the user logs on for the first time?
08-28-2016 12:03 PM
Hi Mitchell,
MAR was invented because user and machine authentications are totally separate. Therefore, the RADIUS server cannot enforce a verification where users must log in from company-owned devices. With MAR, the RADIUS server (ACS or ISE, on the Cisco side) enforces, for a given user authentication, that there must be a valid machine authentication in the X hours (typically 8 hours, but this is configurable) that precede the user authentication for the same endpoint.
Therefore, a machine authentication succeeds if the machine credentials are known by the RADIUS server, typically if the machine is joined to the domain, and the RADIUS server verifies this with a connection to the domain.
For reference:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
Regards
Gagan
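As an added illustration of the check described in the answer above (this is example code written for this page, not code from the thread, ACS or ISE): a small Python model of a RADIUS server's MAR cache, keyed by endpoint MAC with an aging window. The MAC addresses, usernames and timestamps are constructed values, and the 8-hour window is the default mentioned above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class MarPolicy:
    """Toy model of a RADIUS server's Machine Access Restriction (MAR) check."""
    aging_time: timedelta = timedelta(hours=8)          # the "X hours" window
    _machine_auths: dict = field(default_factory=dict)  # endpoint MAC -> last machine auth time

    def machine_auth(self, mac: str, at: datetime) -> None:
        """Record a successful machine (computer account) authentication for an endpoint."""
        self._machine_auths[mac] = at

    def user_auth(self, mac: str, user: str, at: datetime):
        """Return (accepted, reason). The user auth passes MAR only if a machine auth
        for the same endpoint precedes it within the aging window."""
        last = self._machine_auths.get(mac)
        if last is None:
            return False, f"{user}: no machine authentication on record for {mac}"
        if at < last or at - last > self.aging_time:
            return False, f"{user}: machine auth for {mac} is outside the {self.aging_time} window"
        return True, f"{user}: MAR satisfied (machine auth {at - last} ago)"


def demo_scenarios() -> dict:
    """Constructed scenarios showing when MAR passes and fails."""
    mar = MarPolicy()
    laptop_a = "00:11:22:33:44:55"   # constructed endpoint address
    laptop_b = "66:77:88:99:aa:bb"   # constructed endpoint address
    t0 = datetime(2016, 8, 23, 8, 0)
    results = {}
    # Case 1: laptop boots on the wireless network, its computer account authenticates,
    # and the user logs on 5 minutes later: MAR is satisfied.
    mar.machine_auth(laptop_a, t0)
    results["login_after_machine_auth"] = mar.user_auth(laptop_a, "alice", t0 + timedelta(minutes=5))[0]
    # Case 2: the user logged on to laptop_b before it ever joined the wireless network, so the
    # RADIUS server never saw a machine auth for that endpoint: the user auth fails MAR.
    results["login_before_wireless"] = mar.user_auth(laptop_b, "bob", t0 + timedelta(hours=1))[0]
    # Case 3: laptop_a's user reauthenticates 9 hours after the machine auth: aged out, fails MAR.
    results["aged_out"] = mar.user_auth(laptop_a, "alice", t0 + timedelta(hours=9))[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo_scenarios().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

Case 2 is the situation the question asks about: a user already logged on to the machine who then joins the wireless network supplies only user credentials, and with no machine authentication in the cache for that endpoint the MAR check fails.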
09-02-2016 03:31 AM
Hi Mitchell,
Let me know if you still have any further concerns.
Regards
Gagan
PS: Please rate as correct if it helps!!!!