05-14-2014 05:02 AM - edited 03-10-2019 09:43 PM
Does anybody know what's going to happen if one changes the MAR cache timeout/aging setting found under Identity Management > External Identity Sources > Active Directory > Advanced Settings? Are the current cache entries going to get cleared or are they going to stay? Is there a way to actually see these entries somewhere (per PSN), and can one selectively delete them?
Depending on the answer to these questions, I have to make the aging timeout change during a maintenance window on the customer's infrastructure. Using ISE 1.2, patch 6.
Oh, and another question: Are there any drawbacks (e.g. cache size or security issues, other constraints) that would suggest to not increase the default aging timeout to a value of a full week or even more?
Thanks
Toni
05-14-2014 05:32 AM
Hi Toni,
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
HTH
Sandy
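The mechanism described in the reply above (cache the Calling-Station-ID on every successful machine authentication, age each entry out after the configured Time to Live, consult the cache by Calling-Station-ID when the user later authenticates) is small enough to model in a few dozen lines, and the model makes the original poster's TTL question concrete. The following is an added example written for this page; it is not code from the thread, from Cisco, or from ISE, and the class and function names (MarCache, normalize_mac, authorize_user, simulate, retune_demo) are hypothetical. Two things are assumptions of the model rather than documented ISE behaviour: entries store the time of the machine authentication and the current TTL is applied at lookup time (so changing the TTL re-ages existing entries in this model), and Calling-Station-ID values in the various MAC formats that network devices send are normalised to one key. The thread does not say whether ISE clears or re-ages its entries when the setting changes, and the model does not claim to answer that.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# RADIUS attribute number for Calling-Station-ID (RFC 2865); this is the value ISE caches.
CALLING_STATION_ID = 31


def normalize_mac(csid: str) -> str:
    """Canonicalise the MAC formats different NADs put in Calling-Station-ID,
    e.g. "00-11-22-33-44-55", "0011.2233.4455" or "00:11:22:33:44:55".
    (Assumed normalisation for the model; ISE's own key handling is not shown on the page.)"""
    digits = "".join(c for c in csid.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {csid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MarCache:
    """Model of one PSN's MAR cache: Calling-Station-ID -> time of the last successful machine auth."""
    ttl_hours: float
    entries: Dict[str, datetime] = field(default_factory=dict)

    @property
    def ttl(self) -> timedelta:
        return timedelta(hours=self.ttl_hours)

    def record_machine_auth(self, csid: str, now: datetime) -> None:
        """Called on every successful machine authentication."""
        self.entries[normalize_mac(csid)] = now

    def expires_at(self, csid: str) -> Optional[datetime]:
        seen = self.entries.get(normalize_mac(csid))
        return None if seen is None else seen + self.ttl

    def lookup(self, csid: str, now: datetime) -> bool:
        """True if a still-valid machine authentication exists for this Calling-Station-ID.
        Expiry is derived from the stored timestamp and the *current* TTL, so in this model
        a TTL change immediately re-ages existing entries (model assumption, not ISE behaviour)."""
        exp = self.expires_at(csid)
        return exp is not None and now < exp

    def purge(self, now: datetime) -> int:
        """Drop expired entries; returns how many were removed."""
        dead = [k for k, seen in self.entries.items() if now >= seen + self.ttl]
        for k in dead:
            del self.entries[k]
        return len(dead)


def authorize_user(cache: MarCache, radius_request: Dict[int, str], now: datetime) -> str:
    """What the MAR check contributes to a user authentication.
    The lookup keys on whatever the NAD put in attribute 31; the cache holds no other
    evidence, so for as long as the entry lives, any request carrying that value matches."""
    csid = radius_request.get(CALLING_STATION_ID)
    if csid is None:
        return "no-calling-station-id"
    return "machine-authenticated" if cache.lookup(csid, now) else "not-machine-authenticated"


def simulate(ttl_hours: int) -> Dict[str, str]:
    """Constructed scenario: one machine auth at t0, then user logons at several offsets.
    Run with 24 and with 24*7 to see what a one-week TTL changes."""
    cache = MarCache(ttl_hours=ttl_hours)
    t0 = datetime(2014, 5, 14, 5, 2)
    cache.record_machine_auth("00-11-22-33-44-55", t0)          # switch-style format
    results: Dict[str, str] = {}
    for label, offset in {"1h": 1, "23h": 23, "25h": 25, "6d": 144}.items():
        req = {CALLING_STATION_ID: "0011.2233.4455"}            # same MAC, dotted format
        results[label] = authorize_user(cache, req, t0 + timedelta(hours=offset))
    results["other-mac"] = authorize_user(cache, {CALLING_STATION_ID: "00:11:22:33:44:66"}, t0)
    return results


def retune_demo() -> Dict[str, object]:
    """Constructed scenario for the TTL question: machine auth at t0, TTL changed at t0+23h."""
    cache = MarCache(ttl_hours=24)
    t0 = datetime(2014, 5, 14, 5, 2)
    now = t0 + timedelta(hours=23)
    cache.record_machine_auth("00-11-22-33-44-55", t0)
    out: Dict[str, object] = {"before_change": cache.lookup("00-11-22-33-44-55", now)}
    cache.ttl_hours = 1                  # shorten: the entry is now 22h past its new expiry
    out["after_shorten"] = cache.lookup("00-11-22-33-44-55", now)
    out["purged"] = cache.purge(now)
    cache.ttl_hours = 24 * 7             # lengthen: a purged entry does not come back
    out["after_lengthen"] = cache.lookup("00-11-22-33-44-55", now)
    return out


if __name__ == "__main__":
    print("24h TTL :", simulate(24))
    print("7d TTL  :", simulate(24 * 7))
    print("retune  :", retune_demo())
```

With a 24-hour TTL the 25-hour and 6-day logons fall outside the window and the user is treated as not machine-authenticated; with a one-week TTL all four succeed. The model also shows the one structural point behind the "drawbacks" question: the only thing in the cache is the Calling-Station-ID the NAD reported, so lengthening the TTL lengthens the period during which a request presenting that value inherits the machine-authentication evidence, on every PSN that holds the entry.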
05-14-2014 05:42 AM
Thanks for your reply, Sandy; unfortunately, it doesn't answer any of my questions.
05-14-2014 05:51 AM
Hi ,
If I understand your request, your question is about the MAR cache timeout during your maintenance window, right? Or are you looking for something else?
MAR cache timeout/aging setting found under
HTH
Sandy
05-14-2014 05:59 AM
05-14-2014 07:45 AM
Hi
CacheTracker
See under Downloading Debug Logs
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mnt.html
HTH
Sandy
05-14-2014 08:06 AM
Thanks for your input, Sandy.