Cisco ISE and MAR

Ditter
Level 4

Hi to all,

just wanted to clarify the following:

In ISE AD configuration advanced settings there are two radio buttons that can be either checked or unchecked.

These have to do with machine authentication as well as MAR.

My question is the following:

Why are these two options in the advanced settings of the AD menu? If I recall correctly it is up to the ISE admin if he/she allows machine authentication and MAR through authorization rules.

Please see attached png.

Thanks

Ditter.

3 Replies

lrojaslo
Cisco Employee

Hi,

ISE is unable to validate computer objects on its own; they have to be validated against AD, which is why the option exists in the AD settings.

The idea of MAR is for ISE to cache the machine auth for X period of time before it needs to be authenticated again against AD.
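As an added illustration of the caching behaviour described above (this is not ISE code; the aging time, the MAC-keyed cache and the rule/profile names are assumptions), a small Python model of a MAR cache and the two authorization rules that consume it:

```python
from dataclasses import dataclass, field

# Assumed aging time (seconds). ISE exposes the real value as a configurable setting.
MAR_AGING_SECONDS = 8 * 3600


@dataclass
class MarCache:
    """Models a MAR cache: a successful machine auth is remembered per endpoint MAC."""
    aging_seconds: int = MAR_AGING_SECONDS
    _entries: dict = field(default_factory=dict)  # mac -> (computer_account, auth_time)

    def record_machine_auth(self, mac: str, computer_account: str, now: int) -> None:
        """Called after AD has validated the computer object for this endpoint."""
        self._entries[mac.lower()] = (computer_account, now)

    def was_machine_authenticated(self, mac: str, now: int) -> bool:
        """True while a non-expired machine auth exists for this MAC."""
        entry = self._entries.get(mac.lower())
        if entry is None:
            return False
        _, auth_time = entry
        if now - auth_time > self.aging_seconds:
            # Aged out: the machine must authenticate against AD again.
            del self._entries[mac.lower()]
            return False
        return True


def authorize_user(cache: MarCache, mac: str, user_groups: set, now: int) -> str:
    """Evaluate two assumed authorization rules, first match wins."""
    is_domain_user = "Domain Users" in user_groups
    # Rule 1: domain user AND the endpoint passed machine auth (MAR hit) -> full access.
    if is_domain_user and cache.was_machine_authenticated(mac, now):
        return "Full_Access"
    # Rule 2: domain user but no (or expired) machine auth for this endpoint -> restricted.
    if is_domain_user:
        return "Restricted_Access"
    return "Deny"


if __name__ == "__main__":
    cache = MarCache()
    cache.record_machine_auth("00:11:22:33:44:55", "PC01$", now=0)      # constructed sample
    print(authorize_user(cache, "00:11:22:33:44:55", {"Domain Users"}, now=3600))
    print(authorize_user(cache, "00:11:22:33:44:55", {"Domain Users"}, now=9 * 3600))
```

The second call shows the practical caveat of MAR: once the cache entry ages out, a user logging on without a fresh machine authentication lands in the restricted rule until the endpoint authenticates against AD again.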

Thanks, I understand.

If I recall correctly this was not an option in older ISE versions.

That was the reason that if a domain user should have access to the network through a domain computer, then the ISE admin himself/herself should create an AND rule that defined both the domain user as well as the domain computer. In this way the user was authorized to the network as long as he/she was part of Domain Users AND the PC was part of Domain Computers.

In later ISE implementations this advanced setting in the AD properties is there in order for the admin not to have to enter this extra authorization rule?

That is what I am asking.

Thanks, Ditter.

I cannot recall when it was introduced, but I can say this is still the same on the later ISE versions; I don't think this is going to change in upcoming versions.