Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Nicholas Poole

Cisco ISE Machine Access Restrictions MAR

I want to test out MAR.  I notice there is a tick box on the ISE for MAR under: Identity Management --> External Identity Sources --> Active Directory --> Advanced Settings --> [tick] Enable Machine Access Restrictions

but also there is this condition that is to be used in the AuthZ Policy

Network Access:WasMachineAuthenticated           


What does the tick box option do?

Are they related or refer to different things?

Are both needed to get a MAR AuthZ to work?

Any of clarifying or beneficial info?


Tarik Admani


Your are correct you will have to create an authorization condition that checks if the machine authenticated successfully.


What does the tick box option do?

When you enable MAR globally it lets the ISE know to build a cache  for endpoints that successfully perform machine authentication.

Are they related or refer to different things?

They work hand in hand.

Are both needed to get a MAR AuthZ to work?

Yes, you will have to create another authorization policy to allow domain computers to connect.

Any of clarifying or beneficial info?

When MAR is enabled, you will have to enable machine and user authentication to your laptop, after MAR succeeds ISE builds an entry in its database mapping the endpoint (mac address) to a successful machine authentication, after when a user authenticates not only do they have to provide the correct credentials but the mac address they are authenticating through will have an entry in the "MAR cache", keep in mind that some supplicants only perform machine authentication when logging on and off, and on boot up. If you want to use MAR i suggest using the Anyconnect NAM client, there is a new feature in ISE 1.1.1 and the latest client that allows you to perform eap chaining.


Tarik Admani
*Please rate helpful posts*

Hi Tariq,

MAR is anebled in my configuration, Please informed that i just authenticate machine against domain membership and authenticate users with domain username and password.

Is domain membership for machines consider authentication and work with MAR? 





Hi Tarik,


We are running with ISE 1.4.1 with PEAP (Machine + User ) Authentication with multi domain. This works as expected first domain auth then user auth but if we connects non domain laptop with 802.1x service enable still it’s getting access to network.


can you guide me how we can restrict this scenario?


Thanks in advance 

Content for Community-Ad