ACS 5.x MAR Feature problem

Djordje Zecevic
Level 1

Hello everyone,

I am testing the MAR (Machine Access Restriction) feature upon client request. I got it working when the user that joins ACS to Active Directory is a member of the Domain Admin group.

Now, when I follow the ACS config guide and set the user rights to "Add workstations to domain user right in corresponding domain", MAR is not working.

In the RADIUS log I see this error:

24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Has anyone tried this, and what level of user rights is needed for MAR to work in your implementation?

Thank you,

Djordje Zecevic

Accepted Solution

nspasov
Cisco Employee

Hello Djordje-

MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away.

Thank you for rating!


Hello Neno,

You pointed me in the right direction. The results I described earlier are MAR cache induced. I have a working config:

The first rule matches when the computer is booting up (alternatively I could match an AD computer group). When the computer boots, the rule puts it on restricted VLAN 131, from where the user can be authenticated.

After the user logs on to the computer, he is re-authenticated and assigned VLAN 132, which is unrestricted.

Alternatively, I could add a default rule to put users in a guest VLAN.

Regards,

Djordje

Hello Djordje-

I am glad I was able to point you in the right direction!

I don't know what your requirements are, but if the rules that you described worked, then great. Also, you can combine both rules so that MAR and domain user credentials are both checked. If you end up doing this, I would recommend that you set the MAR timer to at least 168 hours (one week); that way users don't have to reboot their computers during a working week.

If your question is resolved, please mark the thread as "answered".
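To make the behaviour discussed in this thread concrete, the following is an added example, not code from the original posts or from Cisco ACS. It models the MAR cache and the three-rule authorization policy described above (machine auth at boot -> restricted VLAN 131, user auth with a confirmed machine entry -> unrestricted VLAN 132, otherwise a default guest VLAN) and shows why a user login fails with the 24423 message when no machine authentication is in the cache or the cache entry has aged out past the MAR timer. The `host/` identity prefix for machine authentication, the use of the endpoint MAC as the cache key, and the guest VLAN number 999 are assumptions made for the example; ACS's internal data structures are not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# VLAN numbers 131 and 132 come from the thread; 999 is a constructed guest VLAN.
MACHINE_VLAN = 131
USER_VLAN = 132
GUEST_VLAN = 999

# Message text as quoted in the original post.
MAR_ERROR_24423 = ("24423 ACS has not been able to confirm previous successful "
                   "machine authentication for user in Active Directory")


@dataclass
class MarCache:
    """Remembers which endpoints passed machine authentication and when.

    aging_hours models the MAR timer: an entry older than this no longer
    confirms the machine, so the user falls through to the default rule.
    """
    aging_hours: float
    entries: dict = field(default_factory=dict)  # assumed key: endpoint MAC

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        self.entries[mac] = when

    def is_confirmed(self, mac: str, when: datetime) -> bool:
        seen = self.entries.get(mac)
        if seen is None:
            return False
        return when - seen <= timedelta(hours=self.aging_hours)


@dataclass
class Decision:
    vlan: int
    rule: str
    log: str = ""


def authorize(cache: MarCache, mac: str, identity: str, when: datetime) -> Decision:
    """Evaluate the three rules from the thread, top to bottom."""
    # Rule 1: machine authentication at boot (assumed host/ prefix from the
    # Windows supplicant). Record it in the MAR cache and assign the
    # restricted VLAN from which the user can authenticate.
    if identity.startswith("host/"):
        cache.record_machine_auth(mac, when)
        return Decision(MACHINE_VLAN, "machine-auth")

    # Rule 2: user authentication is only unrestricted when the MAR cache still
    # holds a fresh machine-auth entry for the same endpoint.
    if cache.is_confirmed(mac, when):
        return Decision(USER_VLAN, "user-with-mar")

    # Default rule: no (or stale) machine authentication. ACS logs 24423 and
    # the endpoint lands in the guest VLAN instead of failing hard.
    return Decision(GUEST_VLAN, "default-guest", MAR_ERROR_24423)


def working_week(aging_hours: float) -> list:
    """Constructed scenario: one boot on Monday, then daily user logins.

    Returns the VLAN assigned to each login so the effect of the MAR timer
    can be compared (e.g. 8 hours versus the recommended 168 hours).
    """
    cache = MarCache(aging_hours)
    mac = "00-11-22-33-44-55"                      # constructed endpoint MAC
    boot = datetime(2024, 1, 1, 8, 0)               # Monday 08:00
    authorize(cache, mac, "host/PC01.example.test", boot)
    vlans = []
    for day in range(7):                            # Mon .. Sun, 09:00 each day
        login = boot + timedelta(days=day, hours=1)
        vlans.append(authorize(cache, mac, "EXAMPLE\\user", login).vlan)
    return vlans


if __name__ == "__main__":
    print("8h timer :", working_week(8))
    print("168h timer:", working_week(168))
```

With an 8-hour timer only the Monday login reaches VLAN 132; every later login without a reboot produces the 24423 message and the guest VLAN, which is exactly the symptom reported at the top of the thread when testing a user login without a fresh boot. With a 168-hour timer the whole week stays on VLAN 132, matching the recommendation in the last reply.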