Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1328
Views
6
Helpful
1
Replies

MAR and what is checked?

Go to solution
Dustin Anderson
Rising star
Rising star

‎03-16-2017 02:37 PM

So, a security question pop'd up today and I'm not sure.

We are looking to use ISE to take over 802.1x. Right now we only authenticate machine, but they want to send DACL's based on user groups, so MAR is a way to also make sure the PC was on the domain.

Now, if someone had someone credentials, could they spoof the MAC of a domain computer and log in a non domain system if the original system is in the MAR database?

Now I know I could do EAP chaining with anyconnect, but they are trying to keep the licensing to just the base, and without having to install on every PC.

So, what is stored in the MAR database and checked with the wasmachineauthenticated? Is it just the MAC, or is there other stuff that it would catch a spoofed MAC?

Thanks,

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-17-2017 10:14 AM

I don't think this is a valid concern.

MAR is machine authentication. Its not MAB (mac auth bypass that uses the mac address for authentication). There are machine credentials used, stored and changed every 30 days. its not simply using the MAC address of an endpoint. Also it requires dot1x to secure the communication between the machine supplicant and the NAD

Understanding Machine Access Restriction (MAR) Cache Entry Behavior in ISE and ACS - Cisco

Machine Access Restriction Pros and Cons - Cisco

ISE 2.2 has anomalous detection (MAC spoofing) protections

Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco

View solution in original post

1 Reply 1

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-17-2017 10:14 AM

I don't think this is a valid concern.

MAR is machine authentication. Its not MAB (mac auth bypass that uses the mac address for authentication). There are machine credentials used, stored and changed every 30 days. its not simply using the MAC address of an endpoint. Also it requires dot1x to secure the communication between the machine supplicant and the NAD

Understanding Machine Access Restriction (MAR) Cache Entry Behavior in ISE and ACS - Cisco

Machine Access Restriction Pros and Cons - Cisco

ISE 2.2 has anomalous detection (MAC spoofing) protections

Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents