03-16-2017 02:37 PM
So, a security question pop'd up today and I'm not sure.
We are looking to use ISE to take over 802.1x. Right now we only authenticate machines, but they want to send DACLs based on user groups, so MAR is a way to also make sure the PC was on the domain.
Now, if someone had someone's credentials, could they spoof the MAC of a domain computer and log in a non-domain system if the original system is in the MAR database?
Now I know I could do EAP chaining with AnyConnect, but they are trying to keep the licensing to just the base, and without having to install on every PC.
So, what is stored in the MAR database and checked with WasMachineAuthenticated? Is it just the MAC, or is there other stuff that would catch a spoofed MAC?
Thanks,
03-17-2017 10:14 AM
I don't think this is a valid concern.
MAR is machine authentication. It's not MAB (MAC auth bypass, which uses the MAC address for authentication). There are machine credentials used, stored and changed every 30 days. It's not simply using the MAC address of an endpoint. Also, it requires dot1x to secure the communication between the machine supplicant and the NAD.
Understanding Machine Access Restriction (MAR) Cache Entry Behavior in ISE and ACS - Cisco
Machine Access Restriction Pros and Cons - Cisco
ISE 2.2 has anomalous detection (MAC spoofing) protections
Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco
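As an added illustration (not code from the thread, from Cisco, or from ISE itself), the following Python model shows the two phases the answer above describes and what the MAR cache holds between them, following the behaviour in Cisco's MAR cache document linked above: machine authentication uses the computer account credential over dot1x, a successful machine authentication creates a cache entry keyed on the endpoint's MAC (Calling-Station-Id) with a timestamp, and the later user authentication evaluates WasMachineAuthenticated by looking that MAC up before the authorization policy hands out a group-based DACL. Account names, secrets, DACL names and the six-hour aging time are constructed sample values, not settings from the poster's deployment.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample data: domain computer accounts (host/NAME) with a shared
# secret standing in for the machine credential, and users with their AD group.
MACHINE_ACCOUNTS = {"host/WS-001.corp.example": "machine-secret-1"}
USER_ACCOUNTS = {"CORP\\alice": ("alice-pw", "Finance")}
GROUP_DACL = {"Finance": "PERMIT_FINANCE_DACL", "Engineering": "PERMIT_ENG_DACL"}


def normalize_mac(mac: str) -> str:
    """Calling-Station-Id arrives in several notations; key the cache on one form."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MarCache:
    aging_seconds: int  # MAR cache aging time; the value used below is an assumption
    # The cache entry itself: MAC -> time the machine authentication succeeded.
    entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[normalize_mac(mac)] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        """Lookup done during the later user authentication: same MAC, not aged out."""
        key = normalize_mac(mac)
        ts = self.entries.get(key)
        if ts is None:
            return False
        if now - ts > self.aging_seconds:
            del self.entries[key]  # aged out: the entry is dropped and the flag is false
            return False
        return True


def machine_auth(cache: MarCache, identity: str, secret: str, mac: str, now: float) -> bool:
    """Phase 1: the machine supplicant authenticates with the computer account over dot1x.
    Only a successful machine authentication populates the MAR cache."""
    ok = identity.startswith("host/") and MACHINE_ACCOUNTS.get(identity) == secret
    if ok:
        cache.record_machine_auth(mac, now)
    return ok


def user_auth(cache: MarCache, user: str, password: str, mac: str, now: float) -> str:
    """Phase 2: the user logs on; the authorization rule requires WasMachineAuthenticated
    before it returns the group-based DACL. Returns the authorization result name."""
    acct = USER_ACCOUNTS.get(user)
    if acct is None or acct[0] != password:
        return "ACCESS_REJECT"
    if not cache.was_machine_authenticated(mac, now):
        return "PERMIT_RESTRICTED_DACL"  # machine not (or no longer) in the MAR cache
    return GROUP_DACL.get(acct[1], "PERMIT_RESTRICTED_DACL")


if __name__ == "__main__":
    cache = MarCache(aging_seconds=6 * 3600)
    machine_auth(cache, "host/WS-001.corp.example", "machine-secret-1", "00-11-22-aa-bb-cc", 0.0)
    print(cache.entries)  # what the cache holds: normalized MAC and a timestamp
    print(user_auth(cache, "CORP\\alice", "alice-pw", "00:11:22:AA:BB:CC", 60.0))
    print(user_auth(cache, "CORP\\alice", "alice-pw", "00:11:22:AA:BB:CC", 6 * 3600 + 1))
```

The model keeps the two lookups separate on purpose: the credential check happens only in phase 1, while phase 2 consults the cache by MAC and time alone, and a failed machine authentication never creates an entry. It also shows the aging edge case that bites in practice, a user whose machine authenticated before the aging window elapsed (a laptop that slept past the MAR timer, for example) falls through to the restricted result rather than being rejected outright.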