03-31-2020 02:33 PM
When ISE receives the Machine-PAC, does it check with AD that this workstation is still authorized on the network?
I got this question today:
When EAP-FAST with EAP-Chaining is used, ISE sends a Machine-PAC following a successful machine AuthC.
Let's say the user walks away from his computer without having logged in. The computer is still at the GINA screen.
Meanwhile, AD admin revokes this workstation - removes it from AD/COMPUTERS.
When the user gets back to GINA and performs his User AuthC, the workstation will also provide ISE with the Machine-PAC (this is the purpose of EAP-Chaining). Will ISE check with AD one more time to see if this is part of the domain?
(I know that you can set in ISE the maximum number of hours that the cookie will be good for. But the question is: if the cookie is still valid, but the machine was removed in AD, will ISE check with AD to see if a machine that was issued a cookie a few hours ago is still okay to join our network? I think the answer is no. I think that because of how a MAR cache works if you are using, let's say, PEAP with Machine+User Authentication. Once the Machine is authenticated, that fact is stored in the MAR cache until it expires: upon doing User AuthC, ISE does not also perform another Machine-AuthC... it would defeat the purpose of the MAR cache.)
Any thoughts would be appreciated. If I have time, I will saddle a pod and test this.
Thanks.
03-31-2020 04:09 PM
EAP Chaining does not use the MAR cache. These are mutually exclusive functions, so the terminology should not be used interchangeably.
For your EAP Chaining scenario where the Computer Auth has completed successfully, but the Computer account is disabled/deleted prior to the User logging in, I have confirmed that ISE does perform another Authentication check (of both the Computer and User credentials) against AD when the User logs in. For this example, I was using eapFast(eapMschapv2) for the EAP method.
After disabling the Computer account in AD and logging in as a valid User, the EAP Chaining result is "User succeeded and machine failed" and I see the following log in the Step Data:
Machine authentication against Active Directory has failed because the machine's account is disabled
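To make the difference between the two behaviours discussed in this thread concrete, here is a small constructed model (added here; not ISE code and not an ISE API) of how a RADIUS server can treat the machine result when the user later logs in. The MAR-cache variant remembers the machine result per endpoint until a TTL expires and never re-asks the directory during user authentication; the EAP-chaining variant re-checks both the computer and user credentials against the directory at user login, which is what the answer above confirmed. The directory, the host/user names, the MAC-style endpoint id and the TTL are all constructed for the example; only the result string "User succeeded and machine failed" is taken from the thread, the other three result strings are assumed to follow the same pattern.

```python
"""Constructed model contrasting MAR-cache style and EAP-chaining style
handling of a computer account that is disabled between machine
authentication and the user's logon. Not ISE code."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Directory:
    """Toy stand-in for AD: account name -> enabled flag (constructed)."""
    computers: Dict[str, bool] = field(default_factory=dict)
    users: Dict[str, bool] = field(default_factory=dict)

    def machine_auth(self, host: str) -> bool:
        return self.computers.get(host, False)

    def user_auth(self, user: str) -> bool:
        return self.users.get(user, False)

    def disable_computer(self, host: str) -> None:
        self.computers[host] = False


def chaining_result(machine_ok: bool, user_ok: bool) -> str:
    """Result strings modelled on the one ISE reported in the thread; the
    other three wordings are an assumption, not quoted from ISE."""
    if machine_ok and user_ok:
        return "User and machine both succeeded"
    if user_ok:
        return "User succeeded and machine failed"
    if machine_ok:
        return "User failed and machine succeeded"
    return "User and machine both failed"


class MarCacheServer:
    """Machine auth writes a TTL-bound cache entry keyed by endpoint id;
    user auth consults only that cache for the machine half."""

    def __init__(self, directory: Directory, ttl_seconds: float,
                 clock: Callable[[], float]) -> None:
        self._dir, self._ttl, self._clock = directory, ttl_seconds, clock
        self._cache: Dict[str, float] = {}  # endpoint id -> expiry time

    def machine_auth(self, endpoint_id: str, host: str) -> bool:
        ok = self._dir.machine_auth(host)
        if ok:
            self._cache[endpoint_id] = self._clock() + self._ttl
        return ok

    def user_auth(self, endpoint_id: str, user: str) -> str:
        expiry: Optional[float] = self._cache.get(endpoint_id)
        machine_ok = expiry is not None and self._clock() < expiry
        return chaining_result(machine_ok, self._dir.user_auth(user))


class EapChainingServer:
    """Both credentials are verified against the directory again at user logon."""

    def __init__(self, directory: Directory) -> None:
        self._dir = directory

    def machine_auth(self, host: str) -> bool:
        return self._dir.machine_auth(host)

    def user_auth(self, host: str, user: str) -> str:
        return chaining_result(self._dir.machine_auth(host),
                               self._dir.user_auth(user))


def revoked_between_machine_and_user_logon(elapsed_seconds: float = 600.0,
                                           ttl_seconds: float = 3600.0):
    """Scenario from the thread: machine auth succeeds, the computer account
    is disabled while the PC sits at the logon screen, then the user logs
    in after `elapsed_seconds`. Returns (mar_result, chaining_result)."""
    now = [1000.0]                      # constructed fake clock
    ad = Directory(computers={"WS01$": True}, users={"alice": True})
    mar = MarCacheServer(ad, ttl_seconds, lambda: now[0])
    chain = EapChainingServer(ad)
    endpoint = "00-11-22-33-44-55"      # constructed calling-station id

    if not (mar.machine_auth(endpoint, "WS01$") and chain.machine_auth("WS01$")):
        raise RuntimeError("machine auth should succeed before revocation")

    now[0] += elapsed_seconds
    ad.disable_computer("WS01$")        # admin revokes the workstation

    return mar.user_auth(endpoint, "alice"), chain.user_auth("WS01$", "alice")


if __name__ == "__main__":
    for label, res in zip(("MAR cache", "EAP chaining"),
                          revoked_between_machine_and_user_logon()):
        print(f"{label:12s}: {res}")
```

With the defaults (ten minutes elapsed, one-hour TTL) the MAR-cache model still reports both succeeded, because it only sees the cached machine result, while the EAP-chaining model reports "User succeeded and machine failed". Raise `elapsed_seconds` past the TTL and the MAR-cache model fails the machine half too, which is the only way a stale cache ever notices the revocation.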
04-01-2020 06:44 AM
Greg, thank you for your quick answer. This is exactly the confirmation I was looking for. (And I know that MAR and EAP-Chaining are mutually exclusive... EAP-Chaining is an alternative to MAR.)
Thanks again.