Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1533
Views
5
Helpful
6
Replies

Cisco ISE MAR Cache

JAMES WEST
Level 1
Level 1

‎08-10-2017 04:55 AM - edited ‎03-11-2019 12:55 AM

Hello All.

I am looking at deploying 802.1x being authenticated against ISE, and l have the following 2 questions:

  1. Can ISE authenticate both Wired & Wireless windows machine, without using AnyConnect? Or is it a case that ISE autenticates the Wired Machine Auth, and if the user then moves onto their Wireless adaptor, this will not be in the MAR cache, so the machine is not authenticated and wireless does not work.
  2. How do you determine what Machines/Devices are in the MAR cache?

Thanks,

James

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎08-10-2017 11:00 AM

Hi James,

Yes, ISE can authenticate windows machine, when connected to a wired or wireless network. Specify this in the Windows AD GPO when using native windows supplicant.

I've not used MAR, but you are correct. A wired and wireless machine authentication are classed as 2 seperate authentications (different adapter mac addresses), thus causing an issue when you want to chain machine + user authentications. Only EAP Chaining which requires AnyConnec, this can properly combine machine + user authentications and not break when the laptop moves from being connected to a wifi network then connected to a wired network.

HTH

0 Helpful

JAMES WEST
Level 1
Level 1
In response to Rob Ingram

‎08-11-2017 01:04 AM

Hi Rob,

Thanks for your response and clarifying what l thought may be the case. 

Thanks,

James

0 Helpful

JAMES WEST
Level 1
Level 1
In response to JAMES WEST

‎08-11-2017 01:29 AM

Following on from Rob's help above, if we wanted to implement the following would this allow wired & wireless authentication:

I believe the "username" for machines when using PEAP is something like this "host/FQDN..." Thus, you could probably use a rule that states if the RADIUS username "contains" either your domain or a pattern used by machines on your domain.

However, the easiest way to distinguish between domain joined and non-domain joined is the have ISE check with AD. Thus, your rule can have something like this:

1. If "external group" = "domain computers"

2. If "identity access restricted" = "false"

3. Then "full access"

This will ensure that the computer that is trying to authenticate and authorize on the network is actually joined to the domain. One thing you will need to make sure that your AD is locked down because I think by default any domain users can join up to 10 workstations to the domain.

0 Helpful

Rob Ingram
VIP
VIP
In response to JAMES WEST

‎08-11-2017 07:09 AM

The AD Probe will also be able to determine whether a machine is joined to AD.

JAMES WEST
Level 1
Level 1
In response to Rob Ingram

‎08-15-2017 09:28 AM

In addition to Rob's comments. 

Does anyone one know how to find what machines have been added to the MAR Cache? If so, can you let me know.

Thanks,

James

0 Helpful

JAMES WEST
Level 1
Level 1
In response to JAMES WEST

‎08-16-2017 01:08 PM

Just to let you know, we raised a TAC case to investigate this, as we were troubleshooting Win10 logins. The TAC engineer confirmed there is no way to see what devices are in the MAR Cache, which is a bit of a shame.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents