08-22-2017 06:50 AM - edited 02-21-2020 10:32 AM
Hello all.
My organisation has recently implemented Cisco ISE and we have come up against an issue.
The issue relates to the Machine Access Restrictions option within Advanced Authentication Settings, whereby users must reboot their machines in order to gain access to the network when they switch from Wired to Wireless. From this Cisco article I can see that with MAR enabled there is no way around this issue.
My question is, what is the difference between Machine Authentication and MAR, is Machine Authentication (via certificate on client machine) still required even if MAR is turned off, or is MAR a requirement for client certificate authentication.
Apologies if this has been answered before, if it has please point me in the direction of any documentation.
Thanks,
Daryl
08-22-2017 09:00 AM
Hi Daryl,
MAR = machine authenticated and user authenticated. As in both must succeed in order to be permitted access. There are a number of cons to this, which the article you referenced describes. MAR is basically restricting an authenticated user to connect only if the machine was authenticated.
Machine Authentication on it's own, is independent from a user authentication. 1 does not necessarily have to succeed for the other to succeed. You can configure windows to only use computer authentication or only user authentication. Though you may want to do both in order to process machine and user AD group policies. If you do want to do both, then these will be seperate authentications.
No, MAR is not a requirement for client certificate authentication.
If you use AnyConnect NAM as the supplicant instead of the windows native supplicant you can do EAP Chaining which combines both machine and user authenticaton, but also resolves some of the issues around MAR.
HTH
08-23-2017 02:07 AM
08-23-2017 05:59 AM
Hi Daryl,
Yes, I assume you will use windows group policies to push down the configuration to the computers? If so, then under Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies - specify Authentication Mode as "User or computer authentication". This will therefore authenticate the user and computer.
HTH
08-23-2017 12:40 PM
the following video applies to 1.4 or 2.x ISE version if you want machine and user authentication NO MAR.
04-04-2019 09:58 AM
Hi @Rob Ingram,
Based on my understanding with your statement, if I configured my Windows supplicant into a computer-only authentication, I can transfer connection (wired to wireless) without rebooting the machine, am I correct?
Thanks
04-04-2019 12:23 PM
04-05-2019 03:19 AM
Hi @Rob Ingram ,
Thanks for the clarification.
If I only use machine authentication, can I still see who is the user who logs into that authenticated machine if I dig down the RADIUS Live Logs?
Thanks
04-05-2019 03:28 AM
04-06-2019 07:39 AM
Hi @Rob Ingram, just to clarify about the reboot matter.
Reboot or logging-off the machine will be no need if I am just using machine authentication setting my windows supplicant to "computer only" as its authentication method, am I correct?
Thanks
04-06-2019 07:42 AM
just to clarify about the reboot matter.
Reboot or logging-off the machine will be no need if I am just using machine authentication setting my windows supplicant to "computer only" as its authentication method, am I correct?
Thanks
04-06-2019 09:20 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide