08-21-2012 08:12 AM - last edited on 03-25-2019 05:29 PM by ciscomoderator
I want to test out MAR. I notice there is a tick box on the ISE for MAR under: Identity Management --> External Identity Sources --> Active Directory --> Advanced Settings --> [tick] Enable Machine Access Restrictions
but also there is this condition that is to be used in the AuthZ Policy
Network Access:WasMachineAuthenticated
So...
What does the tick box option do?
Are they related or refer to different things?
Are both needed to get a MAR AuthZ to work?
Any other clarifying or beneficial info?
thanks
08-21-2012 08:30 AM
Hi,
You are correct, you will have to create an authorization condition that checks if the machine authenticated successfully.
So...
What does the tick box option do?
When you enable MAR globally it lets the ISE know to build a cache for endpoints that successfully perform machine authentication.
Are they related or refer to different things?
They work hand in hand.
Are both needed to get a MAR AuthZ to work?
Yes, you will have to create another authorization policy to allow domain computers to connect.
Any other clarifying or beneficial info?
When MAR is enabled, you will have to enable machine and user authentication on your laptop. After MAR succeeds, ISE builds an entry in its database mapping the endpoint (MAC address) to a successful machine authentication. Afterwards, when a user authenticates, not only do they have to provide the correct credentials, but the MAC address they are authenticating through must also have an entry in the "MAR cache". Keep in mind that some supplicants only perform machine authentication when logging on and off, and on boot up. If you want to use MAR I suggest using the AnyConnect NAM client; there is a new feature in ISE 1.1.1 and the latest client that allows you to perform EAP chaining.
Thanks,
Tarik Admani
*Please rate helpful posts*
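The answer above describes MAR as a cache keyed by endpoint MAC address that is filled by a successful machine authentication and then consulted, via the Network Access:WasMachineAuthenticated condition, when the user authenticates. The following Python model is an added illustration of that flow written for this thread; it is not Cisco ISE code. The cache aging time (2 hours here), the MAC addresses, the credential check and the PERMIT_FULL / PERMIT_RESTRICTED outcomes are all constructed assumptions; ISE's actual defaults and profile names are whatever is configured on the deployment.

```python
"""Toy model of the Machine Access Restriction (MAR) cache discussed above.

Added illustration, not Cisco ISE code. Assumptions (not taken from the
thread): the cache is keyed by lower-cased MAC address, entries age out
after a configurable timer (2 hours chosen here), and the authorization
rule modelled is "Network Access:WasMachineAuthenticated EQUALS True".
"""
from dataclasses import dataclass, field
from typing import Dict

DEFAULT_AGING_SECONDS = 2 * 3600  # assumed aging time, configurable in practice


@dataclass
class MarCache:
    """Endpoint MAC -> timestamp of the last successful machine authentication."""
    aging_seconds: int = DEFAULT_AGING_SECONDS
    _entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        """Called only when the machine (computer account) authenticated successfully."""
        self._entries[mac.lower()] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        """Equivalent of the WasMachineAuthenticated condition, honouring the aging timer."""
        key = mac.lower()
        ts = self._entries.get(key)
        if ts is None:
            return False
        if now - ts > self.aging_seconds:
            # Stale entry: the supplicant has not re-done machine auth recently.
            del self._entries[key]
            return False
        return True


def authorize_user(cache: MarCache, mac: str, user_creds_valid: bool, now: float) -> str:
    """Two authorization rules, as the answer suggests: full access only when the
    user credentials are good AND the endpoint is in the MAR cache; otherwise a
    restricted profile (assumed name) for valid users on unknown machines."""
    if not user_creds_valid:
        return "REJECT"
    if cache.was_machine_authenticated(mac, now):
        return "PERMIT_FULL"
    return "PERMIT_RESTRICTED"


def run_scenario() -> Dict[str, str]:
    """Constructed walk-through of three endpoints against one MAR cache."""
    cache = MarCache()
    domain_pc = "aa:bb:cc:dd:ee:01"      # constructed: domain-joined laptop
    personal_pc = "aa:bb:cc:dd:ee:02"    # constructed: non-domain laptop, valid user creds

    # t=0: domain laptop boots and performs machine authentication successfully.
    cache.record_machine_auth(domain_pc, now=0.0)

    results = {
        # t=60s: user logs on to the domain laptop -> cache hit -> full access.
        "domain_pc_user_logon": authorize_user(cache, domain_pc, True, now=60.0),
        # Same time: valid domain user on a non-domain laptop -> no cache entry.
        "personal_pc_user_logon": authorize_user(cache, personal_pc, True, now=60.0),
        # Wrong password anywhere is rejected before the cache is even consulted.
        "bad_password": authorize_user(cache, domain_pc, False, now=60.0),
        # t=3h: no new machine auth since boot, so the entry has aged out.
        "domain_pc_after_aging": authorize_user(cache, domain_pc, True, now=3 * 3600.0),
    }
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:26s} -> {decision}")
```

The last scenario is the caveat in the answer: a supplicant that only performs machine authentication at boot or logoff will eventually fall out of the cache, and the user then lands on the restricted rule until the next machine authentication. Because the cache is keyed purely by MAC address and timer, the EAP chaining route mentioned above ties the machine and user identities together in a single session instead of relying on that lookup.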
10-21-2015 07:17 AM
Hi Tariq,
MAR is enabled in my configuration. Please be informed that I just authenticate machines against domain membership and authenticate users with domain username and password.
Is domain membership for machines considered authentication, and does it work with MAR?
BR
Sherif
11-10-2015 09:47 AM
Hi Tarik,
We are running ISE 1.4.1 with PEAP (Machine + User) Authentication with multiple domains. This works as expected, first machine auth then user auth, but if we connect a non-domain laptop with the 802.1x service enabled, it still gets access to the network.
Can you guide me on how we can restrict this scenario?
Thanks in advance