Tim Lewis

ISE - Machine + user authentication

I've searched forum, community but I couldn't find exactly what I need:

I have a client that wants to use two-step authentication on wireless: first machine authentication to make sure that the device is on the domain and then username/password authentication.

Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:

If I configure ISE to authenticate machine, it will allow limited access to DC (for example).

Then, after that AuthZ profile is applied, what will do the new authorization? My understanding is once MAR is done, the AuthZ profile is applied and authorization is finished.

Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:

How should the ISE policy and AuthZ profile look? For example, I come in to the office, my wireless card is disabled, I log in to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have machine authentication happening at that point + prompting the user for username/password to complete registration on wireless.

NAM is already refused by client, so I need something that will work on plain Windows 7.



Dunno if I understand exactly what you're asking.

MAR is based on MAC address. So wired auth will be treated separately to wireless auth.

I don't know if you turn on wifi after login whether it will do both machine and user. I know coming out of hibernation doesn't trigger machine auth on the native supplicant.

If wired and wireless connections are active at the same time and auto metric is ticked, Windows will route remote traffic out the fastest interface (e.g. 300 Mbit wireless beats 100 Mbit wired).

Regarding Policy

Machine auth - AuthZ gives a sniff of the network for logon.

User auth with previous machine auth - gives more access (I suggest a dACL is better than a VLAN change).

Cisco Employee

Hello Align-

In your post you are referring to two completely separate and independent solutions:

1. MAR

2. EAP-Chaining

MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if, let's say, a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any record of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed above.

EAP-Chaining, on the other hand, utilizes EAP-FAST and it is a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might want to look into Cisco's TrustSec guide:

I hope this helps!

Thank you for rating!
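The two replies above describe the same MAR behaviour from two angles: the first gives the policy shape (machine auth gets a limited dACL, user auth with a prior machine auth gets full access), the second explains why it fails when the machine auth happened on a different NIC. The model below is an added example, not Cisco code and not a description of ISE internals: it implements a MAR-style cache keyed by endpoint MAC with an expiry timer, a toy authorization function over it, and the wired-boot-then-wireless scenario from the question, so the denial can be traced step by step. The profile names, the six-hour timer and the MAC addresses are constructed for the example.

```python
"""Toy model of ISE-style Machine Access Restriction (MAR).

Added example (not Cisco's code). It models the logic described in the
thread: machine auth caches the endpoint MAC for a configurable timer,
user auth is only promoted to full access when that same MAC has a
live machine-auth entry. Constructed values throughout.
"""
from dataclasses import dataclass, field

MAR_CACHE_HOURS = 6  # hypothetical "machine timer" value, hours on an abstract clock

# Constructed MACs for one laptop with two NICs.
WIRED_MAC = "00:11:22:aa:bb:01"
WIFI_MAC = "00:11:22:aa:bb:02"


@dataclass
class MarCache:
    """mac -> expiry time. MAR is keyed by MAC, not by hostname or user."""
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac.lower()] = now + MAR_CACHE_HOURS

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        expiry = self.entries.get(mac.lower())
        return expiry is not None and now <= expiry


def authorize(cache: MarCache, req: dict, now: float) -> str:
    """Return the authorization profile a simple MAR policy set would hand out.

    req carries: auth ("machine" | "user"), mac, and whether the presented
    credential validated (the RADIUS/EAP exchange itself is out of scope).
    """
    mac = req["mac"]
    if req["auth"] == "machine" and req.get("domain_cred_valid"):
        cache.record_machine_auth(mac, now)
        # First reply's "sniff of the network for logon": a dACL that only
        # allows the ports needed to reach the domain controller.
        return "MACHINE_ONLY_LIMITED"
    if req["auth"] == "user" and req.get("user_cred_valid"):
        if cache.was_machine_authenticated(mac, now):
            # Full access, granted via dACL rather than a VLAN change.
            return "USER_FULL_ACCESS"
        # Valid user, but no machine auth seen for THIS MAC.
        return "DENY_NO_MACHINE_AUTH"
    return "DENY_BAD_CREDENTIAL"


def wired_boot_then_wireless() -> list:
    """The scenario from the Cisco Employee reply, traced step by step."""
    cache = MarCache()
    out = []
    # t=0: laptop boots on wired, native supplicant does machine auth (wired MAC).
    out.append(authorize(cache, {"auth": "machine", "mac": WIRED_MAC,
                                 "domain_cred_valid": True}, 0.0))
    # t=0.1: user logs in on wired; same MAC has a live MAR entry -> full access.
    out.append(authorize(cache, {"auth": "user", "mac": WIRED_MAC,
                                 "user_cred_valid": True}, 0.1))
    # t=0.5: user enables Wi-Fi after login. Only a PEAP user auth arrives, and it
    # carries the wireless MAC, which the cache has never seen -> denied.
    out.append(authorize(cache, {"auth": "user", "mac": WIFI_MAC,
                                 "user_cred_valid": True}, 0.5))
    return out


def machine_timer_expiry() -> list:
    """Same MAC, but the user auth arrives after the machine timer has lapsed."""
    cache = MarCache()
    first = authorize(cache, {"auth": "machine", "mac": WIFI_MAC,
                              "domain_cred_valid": True}, 0.0)
    # Resume from sleep well past the timer; no new machine auth is sent.
    later = authorize(cache, {"auth": "user", "mac": WIFI_MAC,
                              "user_cred_valid": True}, MAR_CACHE_HOURS + 1.0)
    return [first, later]


if __name__ == "__main__":
    for step, result in enumerate(wired_boot_then_wireless(), 1):
        print(f"step {step}: {result}")
    print("after timer expiry:", machine_timer_expiry())
```

Running it shows the third step of the first scenario landing on `DENY_NO_MACHINE_AUTH`: the user credential is fine, but the cache only knows the wired MAC. The second scenario shows the other common surprise, a user auth that was working in the morning being denied once the machine timer lapses without a fresh machine auth. When troubleshooting, those two cases are worth checking in the live logs before suspecting the user credential itself.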