ISE - Machine Authentication vs Machine Access Restrictions

DarylBrooks
Level 1

Hello all.

My organisation has recently implemented Cisco ISE and we have come up against an issue.

The issue relates to the Machine Access Restrictions option within Advanced Authentication Settings, whereby users must reboot their machines in order to gain access to the network when they switch from Wired to Wireless. From this Cisco article I can see that with MAR enabled there is no way around this issue.

My question is, what is the difference between Machine Authentication and MAR? Is Machine Authentication (via certificate on the client machine) still required even if MAR is turned off, or is MAR a requirement for client certificate authentication?

Apologies if this has been answered before; if it has, please point me in the direction of any documentation.

Thanks,

Daryl

11 Replies

Hi Daryl,

MAR = machine authenticated and user authenticated. As in, both must succeed in order to be permitted access. There are a number of cons to this, which the article you referenced describes. MAR is basically restricting an authenticated user to connect only if the machine was authenticated.

Machine Authentication on its own is independent from a user authentication. One does not necessarily have to succeed for the other to succeed. You can configure Windows to only use computer authentication or only user authentication, though you may want to do both in order to process machine and user AD group policies. If you do want to do both, then these will be separate authentications.

No, MAR is not a requirement for client certificate authentication.

If you use AnyConnect NAM as the supplicant instead of the Windows native supplicant you can do EAP Chaining, which combines both machine and user authentication, but also resolves some of the issues around MAR.

HTH

Thank you for your response. Forgive me if I am asking a silly question, but is it possible to force BOTH user and machine authentication without using MAR?

In theory, it might be overkill, as client machines with the certificate installed will only be accessible by domain users, but if this is possible it would be nice to have the extra layer of network security on top of domain security.

Thanks,
Daryl

Hi Daryl,

Yes. I assume you will use Windows group policies to push down the configuration to the computers? If so, then under Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies, specify Authentication Mode as "User or computer authentication". This will therefore authenticate the user and the computer.

HTH

The following video applies to ISE version 1.4 or 2.x if you want machine and user authentication with NO MAR.

https://www.youtube.com/watch?v=bjH99xKepLY

Hi @Rob Ingram,

Based on my understanding of your statement, if I configure my Windows supplicant for computer-only authentication, I can transfer the connection (wired to wireless) without rebooting the machine, am I correct?

Thanks

Hi,
Correct. Rebooting the computer would only be required if using MAR (computer and user authentication), as the computer authentication would be tied to the MAC address of either the wired or the wireless NIC. So moving from wired to wireless or vice versa would cause an issue with MAR.

HTH
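As an added illustration of the failure mode described in the reply above (not code from this thread or from Cisco ISE), here is a small Python model of a MAR cache keyed on the calling-station MAC address: a user authentication is only permitted if the same MAC has a recent machine authentication, so roaming to a second NIC fails until the machine re-authenticates on it. The cache aging window, MAC addresses and account names are constructed values, and the model assumes the user credential itself is valid.

```python
"""Simplified model of an ISE-style MAR cache. Added example, not ISE code:
the aging window, MACs and account names below are constructed values."""
from dataclasses import dataclass, field

MAR_CACHE_AGE = 6 * 3600  # seconds a machine auth stays usable (constructed)


@dataclass
class MarPolicyServer:
    """Tracks machine authentications per calling-station MAC and decides
    whether a later user authentication on that MAC is permitted."""
    mar_enabled: bool = True
    mar_cache: dict = field(default_factory=dict)  # mac -> (host, time)

    def machine_auth(self, mac: str, host: str, now: int) -> str:
        # Computer authentication (e.g. machine certificate) succeeded;
        # remember it against the MAC of the NIC it arrived on.
        self.mar_cache[mac] = (host, now)
        return "PERMIT"

    def user_auth(self, mac: str, user: str, now: int) -> str:
        # Without MAR, a valid user authentication stands on its own.
        if not self.mar_enabled:
            return "PERMIT"
        entry = self.mar_cache.get(mac)
        if entry is None:
            return "REJECT: no machine auth for this MAC"
        host, when = entry
        if now - when > MAR_CACHE_AGE:
            return "REJECT: machine auth expired"
        return f"PERMIT ({user} on {host})"


def wired_to_wireless_scenario(mar_enabled: bool) -> list:
    """Machine authenticates on the wired NIC, the user logs on, then moves
    to the wireless NIC without rebooting. Returns the decisions in order."""
    ise = MarPolicyServer(mar_enabled=mar_enabled)
    wired, wifi = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"  # constructed MACs
    return [
        ise.machine_auth(wired, "HOST$", 0),
        ise.user_auth(wired, "daryl", 60),
        # roaming: the wireless MAC has never machine-authenticated
        ise.user_auth(wifi, "daryl", 120),
        # after a reboot the machine re-authenticates on the wireless NIC
        ise.machine_auth(wifi, "HOST$", 600),
        ise.user_auth(wifi, "daryl", 660),
    ]


if __name__ == "__main__":
    for decision in wired_to_wireless_scenario(mar_enabled=True):
        print(decision)
```

Running it with MAR enabled shows the third decision rejected and the fifth permitted; with MAR disabled every user authentication is permitted.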

Hi @Rob Ingram , 

Thanks for the clarification.

If I only use machine authentication, can I still see who is the user who logs into that authenticated machine if I dig down the RADIUS Live Logs?

Thanks

No, if you are only performing machine authentication, only the machine account will be in the logs.

Hi @Rob Ingram, just to clarify about the reboot matter.

Rebooting or logging off the machine will not be needed if I am just using machine authentication, setting my Windows supplicant to "computer only" as its authentication method, am I correct?

Thanks

Correct