Cisco ISE Machine failed machine authentication

Hi, since we migrated to ISE 1.2 patch 7 we are having problems with our corporate SSID.

We have a rule that basically says:

User is Domain User.

Machine is in domain.

 

But for some reason some workstations are getting denied by this:

24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory

 

I was wondering if I could force a sync?

 

Accepted Solution

Hmm, when you restart the machine you should see an authentication entry that starts with "host/". Let's try this:

1. Uncheck both the "Suppress Anomalous Clients" and "Suppress Repeated Successful Authentications" 

2. Wait 10 minutes 

3. Restart the machine and try again and let us know what happens


kaaftab
Level 4

Have you tried to rejoin the computer to the domain? Sometimes the machine password expires and requires renewal. Then do the ISE-based authentication; if you still get this error, try to roll back to the previous ISE patch if it was working successfully.
 

****Do rate helpful posts*****

nspasov
Cisco Employee

Are you using EAP-Chaining (EAP-TEAP) or are you utilizing MAR (machine access restriction)? Can you provide some screenshots of the rules that you have in place?

We use MAR.

Rule Screenshot :

AD Settings :

Allow Protocol :

 

I've been working with ISE for a month now and still trying to understand a lot of it, so thank you all for your help!

OK, thank you for the screenshots. So the machine authentication related to MAR only happens when:

1. The machine first boots up

2. The user logs off and logs back in to the computer

ISE then stores the machine's MAC address information until the "Aging Time" expires. In your situation that is 8760 hours. Once that timer expires the user will have to either reboot the machine or log off/log back in. In addition, MAR comes with a couple of caveats:

1. The MAR information/state is not replicated between ISE nodes. Thus, if you are load balancing the sessions and/or you have a failover all of the previously MAR authenticated machines would have to either be rebooted or logged off/logged back on. 

2. Since the method uses the MAC address of the machine, the authentication process would have to be repeated if the authenticating MAC address changes. For instance, a user comes to the office, boots the computer and authenticates on the wireless and everything works as expected. However, the user then goes to his/her desk and connects to a wired port. At that point the machine will need to perform wired authentication, thus it will be using the MAC address from its wired LAN adapter. That MAC address won't be in ISE's database and the machine will be marked as "not previously authenticated." At this point another restart/log off/on will be required. The same will apply if the user for some reason uses a docking station. The docking station will have its own MAC address that will be different from the one from the machine, which won't be in the database of ISE.

Overall, MAR is not the most elegant solution. There are some good alternatives out there. You can take a look at the following document:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

Hope this helps.

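As an added example (not from the thread and not Cisco code), a small Python triage script that applies the MAR rules described above to a constructed ISE-style authentication log and labels each 24423 failure with the likely cause: no machine auth for that MAC (other NIC or dock), machine auth only on another node (MAR cache not replicated), or an entry older than the aging time. The log format, node names, MAC addresses and identities are all made up for the example.

```python
"""Triage ISE 24423 failures against the MAR behaviour described in the thread.
Hypothetical log format: hour,node,mac,identity,result (constructed for this example)."""
from collections import defaultdict

# Constructed sample: boot on the wireless NIC, then a dock NIC, a failover node,
# and a user auth after the 8760-hour aging time has passed.
SAMPLE_LOG = """\
0,psn1,00:11:22:33:44:55,host/LAPTOP01.corp.local,PASS
1,psn1,00:11:22:33:44:55,jsmith,PASS
2,psn1,AA:BB:CC:DD:EE:FF,jsmith,FAIL:24423
3,psn2,00:11:22:33:44:55,jsmith,FAIL:24423
8762,psn1,00:11:22:33:44:55,jsmith,FAIL:24423
"""


def parse_log(text):
    """Turn the constructed CSV lines into (hour, node, mac, identity, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        hour, node, mac, identity, result = line.split(",")
        events.append((int(hour), node, mac.lower(), identity, result))
    return events


def explain_24423(events, aging_hours=8760):
    """Return (hour, node, mac, identity, cause) for every 24423 failure in the log."""
    machine_auths = defaultdict(list)  # mac -> [(hour, node)] of successful host/ auths
    findings = []
    for hour, node, mac, identity, result in sorted(events):
        if identity.startswith("host/") and result == "PASS":
            machine_auths[mac].append((hour, node))  # this is what populates the MAR cache
            continue
        if result != "FAIL:24423":
            continue
        prior = [(h, n) for h, n in machine_auths[mac] if h <= hour]
        if not prior:
            cause = "no machine auth seen for this MAC (other NIC/dock, or no boot)"
        elif not any(n == node for _, n in prior):
            cause = "machine auth only on another node (MAR cache not replicated)"
        elif all(hour - h > aging_hours for h, n in prior if n == node):
            cause = "MAR entry aged out (older than aging time)"
        else:
            cause = "unexplained: check NAD config and RADIUS suppression"
        findings.append((hour, node, mac, identity, cause))
    return findings


if __name__ == "__main__":
    for finding in explain_24423(parse_log(SAMPLE_LOG)):
        print(finding)
```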

Hi,

While using MAR to make sure that corporate users are actually using a domain computer to connect to the network was a discussion topic in several implementations, it was quickly scrapped due to the numerous issues:

- Sleeping computers may not perform machine authentication first

- Users with laptops going from wired to wireless wouldn't perform machine authentication first -> failed user auth

I suggest you try EAP-Chaining with the AnyConnect supplicant.

Simon, were we able to solve your issue? If not let us know if you need more clarifications. Otherwise, please mark the thread as closed/answered :)

I am still working on this. I can't figure out how some PCs just won't authenticate (no trace in ISE). I'm waiting on an internal signing request for ISE to see if that would help.

Hmm, that is interesting. You should be seeing hits in ISE whether they were for successful or unsuccessful authentications. Did you make sure that all of your NADs (switches, WLCs) are added to ISE? Also, under Administration > Settings > Protocols > Radius, check and see if you have Suppression enabled. This will prevent ISE from showing logs for "misbehaving" clients. You can temporarily disable it and troubleshoot the issue.

Is this normal?

show radius summary

Authentication Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  -------  ------------------------------------------------
1    NM    10.1.1.34         1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none
2    NM    10.4.2.36         1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none
3    NM    10.8.2.84         1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none
Accounting Servers
--More or (q)uit current module or <ctrl-z> to abort
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  -------  ------------------------------------------------
1      N     10.1.1.34         1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
2      N     10.4.2.36         1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
3      N     10.8.2.84         1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

 

Where are you pulling this information from? I mean what type of device?

Also, is this for wired or wireless?

This is for wireless and it is from our WLC

From the WLC issue:

debug client client_mac_address

Then try to authenticate with the affected machine and post the output back here.

Sorry... I've been so busy with other stuff, and since we just deactivated the machine auth it wasn't a priority.

 

You can find the debug on pastebin: http://pastebin.com/UCL6p5CU

Your debug logs are showing that the client is getting an "access-reject" which is sent by the radius server. As a result, the WLC removes/deletes the client. Thus, there must be logs in ISE about this client. Can you please double check? If there are no logs paste screen shots of the following:

Administration > System > Settings > Protocols > Radius
