10-22-2013 10:21 AM - edited 03-10-2019 09:01 PM
Hi all,
We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
Everything is working fine except that every hour the user must log off and log in again because the machine authentication has, I think, expired!
As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
My question is: if the machine restarts 7 hours after the first successful authentication, will the timer reset, or after an hour will it be kicked off and have to log off and in again?
How have you bypassed the timeout of the MAR cache?
My ISE version is 1.2 with 2 patches installed
Thank you
Sent from Cisco Technical Support iPad App
10-23-2013 01:53 AM
Hi
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in the cache until the number of hours configured in the "Time to Live" parameter on the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes the value from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache of Calling-Station-ID values from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions to the user requesting authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value does not match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
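The cache behaviour described in the reply above, as an added example that is not part of the thread or of Cisco's software: a small Python model of the MAR cache that stores a Calling-Station-ID on successful machine authentication, expires it after the configured TTL, and returns one of the two authorization outcomes on a user authentication. The `MARCache` class, the MAC normalisation helper, the constructed timestamps and MAC address, and the `refresh_on_user_auth` flag are all my assumptions; the documentation quoted above only says entries are written on machine authentication, so the flag defaults to False and exists purely so the two possible timer behaviours discussed in this thread can be compared side by side. `scenario_from_thread` replays the original poster's situation: machine auth at boot, TTL of 8 hours, an optional reboot at hour 7, and a user authentication at hour 9.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# The two outcomes from the bullets above.
MACHINE_AND_USER = "machine-and-user authorization profile"
USER_ONLY = "user-without-machine authorization profile"


@dataclass
class MARCache:
    """Toy model (assumption, not ISE code): Calling-Station-ID -> expiry time.

    ttl_hours mirrors the "Time to Live" value on the Active Directory
    Settings page. refresh_on_user_auth is an ASSUMED knob: the documentation
    quoted above only says entries are written on successful *machine*
    authentication, so the default is False.
    """
    ttl_hours: float = 1.0
    refresh_on_user_auth: bool = False
    _entries: Dict[str, datetime] = field(default_factory=dict)

    def machine_auth_success(self, calling_station_id: str, now: datetime) -> None:
        # RADIUS attribute 31 (Calling-Station-ID, normally the client MAC)
        # is cached as evidence of a successful machine authentication.
        # A repeated machine auth overwrites the entry and restarts the TTL.
        self._entries[self._norm(calling_station_id)] = now + timedelta(hours=self.ttl_hours)

    def user_auth(self, calling_station_id: str, now: datetime) -> str:
        """Look the user's Calling-Station-ID up in the cache and pick a profile."""
        key = self._norm(calling_station_id)
        self._expire(now)
        if key in self._entries:
            if self.refresh_on_user_auth:
                self._entries[key] = now + timedelta(hours=self.ttl_hours)
            return MACHINE_AND_USER
        return USER_ONLY

    def expiry_of(self, calling_station_id: str) -> Optional[datetime]:
        return self._entries.get(self._norm(calling_station_id))

    def _expire(self, now: datetime) -> None:
        # ISE deletes an entry once its TTL has elapsed.
        for key in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[key]

    @staticmethod
    def _norm(csid: str) -> str:
        # Assumption: supplicants and network devices format MACs differently
        # (aa:bb:cc vs AA-BB-CC); normalise so the lookup is not defeated by
        # formatting alone.
        return "".join(ch for ch in csid.lower() if ch.isalnum())


def scenario_from_thread(ttl_hours: float = 8.0,
                         machine_restarts_at_hour: Optional[float] = 7.0) -> str:
    """Replay the original post: which profile does a user auth at hour 9 get?"""
    t0 = datetime(2013, 10, 22, 8, 0)   # constructed start time
    mac = "00-11-22-33-44-55"           # constructed Calling-Station-ID
    cache = MARCache(ttl_hours=ttl_hours)
    cache.machine_auth_success(mac, t0)                              # boot -> machine auth
    cache.user_auth("00:11:22:33:44:55", t0 + timedelta(minutes=5))  # user logon
    if machine_restarts_at_hour is not None:
        # A reboot performs a fresh machine authentication, which rewrites
        # the cache entry and therefore restarts the TTL.
        cache.machine_auth_success(mac, t0 + timedelta(hours=machine_restarts_at_hour))
    return cache.user_auth(mac, t0 + timedelta(hours=9))


def user_refresh_demo(refresh_on_user_auth: bool) -> str:
    """Compare the two timer behaviours debated in the thread with a 1 h TTL.

    Machine auth at t0, user auth at +50 min, then another user auth at
    +100 min. Only if user logins refresh the entry does the second one
    still find it.
    """
    t0 = datetime(2013, 10, 22, 8, 0)   # constructed start time
    mac = "00-11-22-33-44-55"           # constructed Calling-Station-ID
    cache = MARCache(ttl_hours=1.0, refresh_on_user_auth=refresh_on_user_auth)
    cache.machine_auth_success(mac, t0)
    cache.user_auth(mac, t0 + timedelta(minutes=50))
    return cache.user_auth(mac, t0 + timedelta(minutes=100))


if __name__ == "__main__":
    print("8 h TTL, reboot at 7 h, user auth at 9 h:", scenario_from_thread(8.0, 7.0))
    print("8 h TTL, no reboot,     user auth at 9 h:", scenario_from_thread(8.0, None))
    print("1 h TTL, user login does NOT refresh:   ", user_refresh_demo(False))
    print("1 h TTL, user login refreshes (assumed):", user_refresh_demo(True))
```

The model makes the practical point visible: with the documented behaviour, only a fresh machine authentication (for example at reboot) rewrites the entry, so a machine that restarts inside the TTL keeps a valid entry, while one that stays up past the TTL drops to the user-only profile until it re-authenticates as a machine.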
10-23-2013 05:53 AM
The timer will be reset with every session when the user logs in to ISE.
Please check the guide below, which may help you:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1053958
10-25-2013 03:12 AM
Thank you all for your answers
Aqeel Javed wrote:
The timer will be reset with every session when the user logs in to ISE.
Please check the guide below, which may help you:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1053958
Because I can't find it documented anywhere, can you tell me whether you have tried it yourself or found it somewhere?
10-29-2013 06:36 AM