451 Views | 4 Helpful | 4 Replies

Can ISE Profiler make me able to get rid of MAR?

marco.merlo
Level 1

Hi to all,

My company has deployed 802.1x using ACS as the AAA server. Since our ACS deployment is based on ACS 5.3, we have to upgrade it because of the lack of AD 2012 support. Of course I am evaluating introducing ISE to handle 802.1x/RADIUS AAA and keeping ACS for TACACS+ AAA.

Unfortunately our security policies force us to use MAR. Now ACS 5.4 and ACS 5.6 respectively introduced a couple of features that are very useful in order to mitigate some of the well-known MAR drawbacks; I am talking about the distributed MAR cache and the capability to save the MAR cache to disk in case of an ordinary runtime process restart.

As far as I know ISE 1.3 does not have these two features, so it treats the MAR cache as ACS 5.3 does.

I am wondering whether, by leveraging the ISE profiler, I can get rid of MAR altogether.

Is it possible to build a device profile dynamically as a consequence of a successful machine authentication?

Suppose a domain-joined PC performs a successful machine authentication via PEAP MSCHAPv2; is it possible to instruct ISE to get its MAC address and put it in a custom device profile called, e.g., "CorporatePCs", so that one can use the profile to build an auth policy for a user authentication from the very same MAC address?
Regards
MM

4 Replies

nspasov
Cisco Employee

Hi Marco-

I do agree with you that you should remove and avoid using MAR due to its many limitations :)

Now let me ask you this: What exactly are you trying to accomplish and what does MAR provide to your environment today? Based on your answer we should be able to give you some suggestions.

Thank you for rating helpful posts!

Hi Neno, thanks for the reply,

Actually I was asked to allow user authentication only from corporate assets, corporate assets being PCs joined to our directory. We do have a corporate PKI, but I was told that certificates would not be deployed to all users and that many of our PCs are shared among different users. Of course I was told not to permit network access to users defined locally on a PC and, worst of all, I would have to rely on the Windows native supplicant.

With all these constraints I was forced to choose PEAP MSCHAPv2 with MAR enforcement. We all know the MAR limitations, both from a security (MAC addresses are easily spoofable) and a management perspective. Now ACS 5.4 and 5.6 have, at least, solved many of the management-side limitations, giving the people in charge of ACS management the freedom to reload it without applying weird procedures aimed at mitigating the effects of MAR cache deletion. Since I need to upgrade our ACS 5.3 deployment I'd like to introduce ISE, but if I cannot get rid of MAR I'll have to choose ACS 5.6.

Regards

MM

Hi Marco,

Profiling in ISE could be used to identify corporate assets if you push a custom DHCP ClassID attribute via GPO.

See this technet article for MS config details:

https://technet.microsoft.com/en-us/library/dd183656%28v=ws.10%29.aspx

Your authorization policy can then reference both native supplicant user auth combined with a custom profiler result that references the DHCP ClassID that you have configured on your hosts.

A more robust method would be to use EAP-FAST with EAP Chaining. This is available with the AnyConnect client, however, not with the native MS supplicant. It would allow both machine and user auth with EAP-MSCHAPv2 as the inner method (so no machine certs are required).

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Regards

Simon
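
The DHCP class-ID approach above, as an added worked example that is not part of Simon's post and not ISE's own code. The Windows side is a user class set on the adapter (`ipconfig /setclassid`, which is what the TechNet article pushes via GPO); the client then carries it as DHCP option 77 in its DISCOVER/REQUEST, and the profiler's DHCP probe only has to pull that option out and map it to an endpoint profile. The script below builds two constructed DHCP DISCOVER frames (one tagged with a hypothetical class string `CorporatePC`, one untagged), parses the option TLVs, and returns the MAC plus the profile a policy would assign. The class string, the profile name `CorporatePCs`, and the packet contents are assumptions for the example.

```python
"""Added example: profiling an endpoint from the DHCP user class (option 77).
Constructed packets only; no network access. Not ISE code."""
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_USER_CLASS = 53, 60, 77
CHADDR_OFFSET = 28                  # op,htype,hlen,hops,xid,secs,flags,4 addrs

# Hypothetical values chosen for this example (not from the thread).
EXPECTED_USER_CLASS = b"CorporatePC"
CORPORATE_PROFILE = "CorporatePCs"


def build_dhcp_discover(mac: bytes, user_class: Optional[bytes] = None) -> bytes:
    """Constructed DHCPDISCOVER: 236-byte BOOTP header + cookie + options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # BOOTREQUEST, Ethernet, hlen 6, hops 0
        0x3903F326, 0, 0x8000,      # xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    opts = bytes([OPT_MSG_TYPE, 1, 1])                       # DHCPDISCOVER
    vendor = b"MSFT 5.0"                                     # Windows default
    opts += bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
    if user_class is not None:                               # ipconfig /setclassid
        opts += bytes([OPT_USER_CLASS, len(user_class)]) + user_class
    opts += bytes([OPT_END])
    return fixed + DHCP_MAGIC + opts


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs; reject truncated frames instead of guessing."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeats concatenate
        i += 2 + length
    return opts


def mac_from_packet(packet: bytes) -> str:
    hlen = packet[2]
    return packet[CHADDR_OFFSET:CHADDR_OFFSET + hlen].hex(":")


def profile_endpoint(packet: bytes,
                     expected_class: bytes = EXPECTED_USER_CLASS) -> Dict[str, object]:
    """What a DHCP-probe profiler rule would return for this frame.
    Note: option 77 is client-supplied, so this identifies a configured host,
    not a cryptographically authenticated one."""
    opts = parse_dhcp_options(packet)
    user_class = opts.get(OPT_USER_CLASS)
    profile = CORPORATE_PROFILE if user_class == expected_class else "Unknown"
    return {
        "mac": mac_from_packet(packet),
        "vendor_class": opts.get(OPT_VENDOR_CLASS),
        "user_class": user_class,
        "profile": profile,
    }


if __name__ == "__main__":
    tagged = build_dhcp_discover(bytes.fromhex("001122334455"), EXPECTED_USER_CLASS)
    untagged = build_dhcp_discover(bytes.fromhex("665544332211"))
    for frame in (tagged, untagged):
        print(profile_endpoint(frame))
```

The authorization rule Simon describes then combines two conditions: the RADIUS session's PEAP user authentication against AD, and `EndPoints:EndPointPolicy` equal to the profile the probe assigned. Since the user class is just a string the client chooses to send, the check above raises the bar over a bare MAC match only modestly; it is an inventory signal, not proof of domain membership, which is why EAP chaining is the stronger option when a supplicant that supports it is available.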

Hi Simon,

thanks for the reply.

Unfortunately we cannot afford a massive deployment of a third-party supplicant, so I have to wait for Microsoft to support EAP-TEAP.

Your hint on the DHCP class ID is good; anyway, I hope Cisco will improve the MAR implementation in ISE or make the profiler able to work not only via network/DHCP probing. Actually I can't see why the MAR cache, or something equivalent, cannot be inserted into the profiler database. Indeed the time gap between machine authentication and user login is always in the range of seconds (tenths of a second sometimes).

Regards

Marco