
ISE 2.4.0.357 Patch 13 Machine Authentication

0rsnaric
Level 1

We currently use ISE for 802.1x supplicant authentication and MAB authentication. We are looking at adding Active Directory Machine Authentication.

 

Under Administration > External Identity Sources > Active Directory > Advanced Settings there is a check box "Enable Machine Authentication".

 

Is there any immediate impact on the environment when checking this box and clicking save? Specifically, will it impact 802.1x supplicant's use of the specified external source?

 

Thanks!

1 Reply

@0rsnaric That option enables MAR (Machine Access Restriction), which combines the User and Machine authentications.

It has its problems:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

The alternative option is to use EAP-FAST which requires AnyConnect or EAP-TEAP.

 

However, if you just wish to enable basic Machine authentication, you don't need to enable MAR. Create the appropriate AuthC and AuthZ rules, match on ExternalGroup equals <Domain Computers>.