
03-16-2017 02:37 PM
So, a security question popped up today and I'm not sure.
We are looking to use ISE to take over 802.1x. Right now we only authenticate the machine, but they want to send DACLs based on user groups, so MAR is a way to also make sure the PC was on the domain.
Now, if someone had someone's credentials, could they spoof the MAC of a domain computer and log in on a non-domain system if the original system is in the MAR database?
Now I know I could do EAP chaining with AnyConnect, but they are trying to keep the licensing to just the base, and without having to install on every PC.
So, what is stored in the MAR database and checked with wasMachineAuthenticated? Is it just the MAC, or is there other stuff that would catch a spoofed MAC?
Thanks,
Labels: Identity Services Engine (ISE)
Accepted Solutions
03-17-2017 10:14 AM
I don't think this is a valid concern.
MAR is machine authentication. It's not MAB (MAC auth bypass, which uses the MAC address for authentication). There are machine credentials used, stored and changed every 30 days; it's not simply using the MAC address of an endpoint. Also, it requires dot1x to secure the communication between the machine supplicant and the NAD.
Understanding Machine Access Restriction (MAR) Cache Entry Behavior in ISE and ACS - Cisco
Machine Access Restriction Pros and Cons - Cisco
ISE 2.2 has anomalous detection (MAC spoofing) protections.
Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco