EAP-Chaining - Machine PAC to client - is it rechecked against AD?

When ISE receives the Machine-PAC, does it check with AD that this workstation is still authorized on the network?

 

I got this question today:

When EAP-FAST with EAP-Chaining is used, ISE sends a Machine-PAC following a successful machine AuthC.

Let's say the user walks away from his computer without having logged in. The computer is still at the GINA screen.

Meanwhile, AD admin revokes this workstation - removes it from AD/COMPUTERS.

When the user gets back to GINA and performs his User AuthC, the workstation will also provide ISE with the Machine-PAC (this is the purpose of EAP-Chaining). Will ISE check with AD one more time to see if this is part of the domain?

 

(I know that you can set in ISE the maximum number of hours that the cookie will be good for. But the question is: if the cookie is still valid, but the machine was removed in AD, will ISE check with AD to see if a machine that was issued a cookie a few hours ago is still okay to join our network? I think the answer is no. I think that because of how a MAR cache works if you are using, let's say, PEAP with Machine+User Authentication. Once the Machine is authenticated, that fact is stored in the MAR cache until it expires: upon doing User AuthC, ISE does not also perform another Machine-AuthC... it would defeat the purpose of the MAR cache.)

 

Any thought would be appreciated.... If I have time, I will saddle a pod and test this.

Thanks.

Accepted solution (posted by a Cisco Employee):

EAP Chaining does not use the MAR cache. These are mutually exclusive functions, so the terminology should not be used interchangeably.

For your EAP Chaining scenario where the Computer Auth has completed successfully, but the Computer account is disabled/deleted prior to the User logging in, I have confirmed that ISE does perform another Authentication check (of both the Computer and User credentials) against AD when the User logs in. For this example, I was using eapFast(eapMschapv2) for the EAP method.

After disabling the Computer account in AD and logging in as a valid User, the EAP Chaining result is "User succeeded and machine failed" and I see the following log in the Step Data:

Machine authentication against Active Directory has failed because the machine's account is disabled

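The accepted answer shows that the machine-revoked case surfaces as an EAP Chaining result of "User succeeded and machine failed" rather than as an outright rejection, so it is worth catching in the logs. The following is an added example, not from the original thread and not Cisco code, that classifies EAP Chaining outcomes from ISE authentication log lines and pulls out the sessions where the user passed but the chained machine check failed. The log lines are constructed for the example in a simplified key=value layout: the attribute name EapChainingResult and its values are the ones ISE exposes, but the surrounding line framing and the StepData field (used here only to carry the step message quoted in the answer) are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real ISE output). The layout is a simplified
# "key=value, key=value" form; EapChainingResult values match ISE's naming.
# The third line is the scenario from the thread: the user authenticated, but
# the computer account had been disabled in AD after the Machine-PAC was issued.
SAMPLE_LOGS = [
    "2024-01-01T08:00:01 AuthStatus=Passed, UserName=host/WS01.corp.example, "
    "Calling-Station-ID=00-11-22-33-44-55, EapAuthentication=EAP-MSCHAPv2, "
    "EapChainingResult=User and machine both succeeded",
    "2024-01-01T08:05:12 AuthStatus=Passed, UserName=alice, "
    "Calling-Station-ID=00-11-22-33-44-66, EapAuthentication=EAP-MSCHAPv2, "
    "EapChainingResult=User and machine both succeeded",
    "2024-01-01T08:07:45 AuthStatus=Passed, UserName=bob, "
    "Calling-Station-ID=00-11-22-33-44-77, EapAuthentication=EAP-MSCHAPv2, "
    "EapChainingResult=User succeeded and machine failed, "
    "StepData=Machine authentication against Active Directory has failed "
    "because the machine's account is disabled",
    "2024-01-01T08:09:03 AuthStatus=Failed, UserName=carol, "
    "Calling-Station-ID=00-11-22-33-44-88, EapAuthentication=EAP-MSCHAPv2, "
    "EapChainingResult=User failed and machine succeeded",
    "2024-01-01T08:10:30 AuthStatus=Passed, UserName=dave, "
    "Calling-Station-ID=00-11-22-33-44-99, EapAuthentication=PEAP, "
    "EapChainingResult=No chaining",
]

# The chaining outcome that indicates a machine revoked (or otherwise failing
# AD) while the user credentials are still good.
MACHINE_FAILED = "User succeeded and machine failed"

# One attribute: a key made of word characters or dashes, then "=", then
# everything up to the next comma (values may contain spaces but not commas).
ATTR_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")


def parse_attrs(line):
    """Return the key=value attributes of one log line as a dict."""
    return {key: value.strip() for key, value in ATTR_RE.findall(line)}


def chaining_result(line):
    """EapChainingResult of a line; treated as 'No chaining' when absent."""
    return parse_attrs(line).get("EapChainingResult", "No chaining")


def summarize(lines):
    """Count how many sessions fell into each EAP Chaining outcome."""
    return Counter(chaining_result(line) for line in lines)


def machine_failed_logins(lines):
    """Sessions where the user passed but the chained machine check did not.

    These are the events to alert on: ISE re-checked the computer account at
    user logon and AD rejected it, so the endpoint should not be treated as a
    domain-joined machine even though a user authenticated from it.
    """
    hits = []
    for line in lines:
        attrs = parse_attrs(line)
        if attrs.get("EapChainingResult") != MACHINE_FAILED:
            continue
        hits.append({
            "user": attrs.get("UserName"),
            "mac": attrs.get("Calling-Station-ID"),
            "reason": attrs.get("StepData", ""),
        })
    return hits


if __name__ == "__main__":
    for result, count in summarize(SAMPLE_LOGS).items():
        print(f"{count:3d}  {result}")
    for hit in machine_failed_logins(SAMPLE_LOGS):
        print(f"ALERT user={hit['user']} mac={hit['mac']}: {hit['reason']}")
```

In ISE itself the same distinction is what an authorization rule should key on: a rule that grants full access only when EapChainingResult equals "User and machine both succeeded" keeps a revoked workstation out even though its user still has a valid account.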

Reply from the original poster:

Greg, thank you for your quick answer. This is exactly the confirmation I was looking for. (And I know that MAR and EAP-Chaining are mutually exclusive... EAP-Chaining is an alternative to MAR.)

Thanks again.