12-24-2012 07:33 AM - edited 03-10-2019 07:54 PM
Hello everyone,
I am testing the MAR (Machine Access Restriction) feature upon a client request. I got it working when the user that joins ACS to Active Directory is a member of the Domain Admin group.
Now, when I follow the ACS config guide and give the user only the "Add workstations to domain" user right in the corresponding domain, MAR is not working.
In the RADIUS log I see this error:
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Has anyone tried this, and what level of user rights is needed for MAR to work in your implementation?
Thank you,
Djordje Zecevic
12-24-2012 03:22 PM
Hello Djordje-
MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away.
Thank you for rating!
01-15-2013 07:19 AM
Hello Neno,
You pointed me in the right direction. The results I described earlier were induced by the MAR cache. I have a working config:
The first rule matches when the computer is booting up (alternatively I could match on the AD computer group). When the computer boots, the rule puts it on restricted VLAN 131, from where the user can be authenticated.
After the user logs on to the computer, it is re-authenticated and assigned VLAN 132, which is unrestricted.
Alternatively I could add a default rule to put users in a guest VLAN.
Regards,
Djordje
01-15-2013 08:40 AM
Hello Djordje-
I am glad I was able to point you in the right direction!
I don't know what your requirements are, but if the rules that you described worked then great. Also, you can combine both rules where MAR and domain user credentials are checked. If you end up doing this I would recommend that you set the MAR timer to at least 168 hours (one week), that way users don't have to reboot their computers through a working week.
If your question is resolved please mark the thread as "answered".
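The behaviour discussed in this thread (machine authentication at boot populating the MAR cache, a later user logon being checked against that cache, and the 24423 message when no valid entry exists) can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Cisco ACS code and does not claim to reproduce ACS internals. VLAN 131, VLAN 132, the 168-hour timer and the 24423 message text come from the thread; the guest VLAN number, the machine name and the timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Values taken from the thread
RESTRICTED_VLAN = 131      # machine-authenticated only (boot time)
UNRESTRICTED_VLAN = 132    # user authenticated on a machine with a valid MAR entry
MAR_TIMER_HOURS = 168      # one week, as recommended in the reply

# Assumed value: the thread mentions a guest VLAN but gives no number
GUEST_VLAN = 199

# Mirrors the ACS log message quoted in the question (message number from the thread)
MAR_FAILURE = ("24423 ACS has not been able to confirm previous successful "
               "machine authentication for user in Active Directory")


@dataclass
class MarCache:
    """Toy model of the MAR cache: machine name -> time of last successful machine auth."""
    ttl: timedelta = timedelta(hours=MAR_TIMER_HOURS)
    entries: Dict[str, datetime] = field(default_factory=dict)

    def record(self, machine: str, when: datetime) -> None:
        self.entries[machine] = when

    def is_valid(self, machine: str, now: datetime) -> bool:
        # An entry is only usable while it is younger than the MAR timer.
        seen = self.entries.get(machine)
        return seen is not None and now - seen <= self.ttl


@dataclass
class AuthRequest:
    machine: str               # constructed sample, e.g. "host/pc01.example.local"
    is_machine_auth: bool      # True at boot (computer credentials), False after user logon
    user: Optional[str] = None


def authorize(req: AuthRequest, cache: MarCache, now: datetime) -> Tuple[int, str]:
    """Evaluate the two rules from the thread plus a default guest rule.
    Returns (assigned VLAN, log message)."""
    # Rule 1: machine authentication at boot -> restricted VLAN and a fresh MAR entry.
    if req.is_machine_auth:
        cache.record(req.machine, now)
        return RESTRICTED_VLAN, "machine authentication succeeded"
    # Rule 2: user logon on a machine with a still-valid MAR entry -> unrestricted VLAN.
    if req.user and cache.is_valid(req.machine, now):
        return UNRESTRICTED_VLAN, "user authentication succeeded, MAR confirmed"
    # Default: no usable MAR entry (never booted against ACS, or timer expired) -> guest VLAN.
    return GUEST_VLAN, MAR_FAILURE


def walkthrough():
    """Replay the sequence discussed in the thread with constructed timestamps."""
    cache = MarCache()
    t0 = datetime(2013, 1, 15, 7, 0)
    pc = "host/pc01.example.local"   # constructed machine name
    results = []
    # User logs on although the machine never booted against ACS -> the 24423 symptom.
    results.append(authorize(AuthRequest(pc, False, "alice"), cache, t0))
    # Machine reboots: machine auth succeeds, restricted VLAN, cache populated.
    results.append(authorize(AuthRequest(pc, True), cache, t0))
    # User logs on ten minutes later: MAR entry is fresh, unrestricted VLAN.
    results.append(authorize(AuthRequest(pc, False, "alice"), cache, t0 + timedelta(minutes=10)))
    # Same user eight days later with no reboot: 168-hour timer expired -> guest VLAN again.
    results.append(authorize(AuthRequest(pc, False, "alice"), cache, t0 + timedelta(days=8)))
    return [vlan for vlan, _ in results]


if __name__ == "__main__":
    for step, vlan in enumerate(walkthrough(), 1):
        print(f"step {step}: VLAN {vlan}")
```

The fourth step is the practical point behind the timer recommendation: once the cache entry is older than the MAR timer, a user logon without a reboot falls through to the default rule exactly as if the machine had never authenticated.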