MAR cache entry is purged on ISE

ISE 3.0 

 

What happens to a connected client if the MAR cache entry is purged on ISE and they get a RADIUS session timeout / reauth request while connected?

 

Our MAR cache setting is 18 hours. If someone is logged in for 19 hours, will they get disconnected, and will the machine re-authenticate?

Accepted Solution

Greg Gibbs (Cisco Employee)

If a reauth happens and the user is logged in, the native supplicant will not reauth the machine session if you're using EAP methods like EAP-TLS or PEAP. This is one of the many issues inherent in MAR and why using MAR should be avoided unless absolutely necessary. I've had many customers that used MAR only to quickly get rid of it due to increased calls to the helpdesk.

See Machine Access Restriction Pros and Cons for other issues that MAR can cause.

The only efficient way of tying a computer and user session together using the Windows native supplicant is by using TEAP.

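The failure mode Greg describes can be followed on a timeline. The following is an added illustration, not ISE code or anything from the thread: it models MAR as the thread describes it (a machine authentication stores the endpoint MAC in a cache with a timestamp; a later user authentication only counts as "machine authenticated" while that entry is younger than the aging time) and replays the 18-hour cache / 19-hour session case from the question. The class and function names, the hourly reauth interval and the MAC address are assumptions made for the example.

```python
"""Simplified model of ISE Machine Access Restriction (MAR) cache aging.

Added example, not Cisco ISE code. It reproduces the behaviour discussed in the
thread: if the supplicant never re-runs the machine authentication while the
user is logged on (EAP-TLS / PEAP with the Windows native supplicant), the MAR
cache entry ages out and the next user reauthentication is evaluated with
WasMachineAuthenticated = false.
"""
from dataclasses import dataclass, field

MAR_AGING_HOURS = 18.0          # the setting quoted in the question
MAC = "00:11:22:33:44:55"       # constructed endpoint address for the example


@dataclass
class MarCache:
    """MAC -> hour of the last successful machine authentication."""
    aging_hours: float
    entries: dict = field(default_factory=dict)

    def machine_auth(self, mac: str, now_h: float) -> None:
        # A machine authentication (re)creates the entry and resets its age.
        self.entries[mac] = now_h

    def purge_expired(self, now_h: float) -> None:
        # Entries older than the aging time are dropped, as a purge would do.
        expired = [m for m, t in self.entries.items() if now_h - t >= self.aging_hours]
        for mac in expired:
            del self.entries[mac]

    def was_machine_authenticated(self, mac: str, now_h: float) -> bool:
        self.purge_expired(now_h)
        return mac in self.entries


def user_auth(cache: MarCache, mac: str, now_h: float, require_mar: bool = True):
    """Evaluate a user authentication against a MAR-requiring policy.

    Returns (permit, reason). With require_mar=False the policy does not
    consult the cache at all (the 'no MAR' case)."""
    if not require_mar:
        return True, "user authenticated; MAR not required"
    if cache.was_machine_authenticated(mac, now_h):
        return True, "user authenticated; WasMachineAuthenticated=true"
    return False, "user authenticated but MAR cache entry missing or aged out"


def simulate(aging_hours: float = MAR_AGING_HOURS,
             session_h: float = 19.0,
             reauth_every_h: float = 1.0,
             refresh_machine_on_reauth: bool = False):
    """Return the hour at which the first user reauth is rejected, or None.

    refresh_machine_on_reauth=True stands for a supplicant that presents the
    machine credential again on every reauth (what TEAP chaining achieves);
    False stands for PEAP / EAP-TLS, where the machine session is not re-run
    while a user is logged on."""
    cache = MarCache(aging_hours)
    cache.machine_auth(MAC, 0.0)      # boot: machine authentication at hour 0
    t = 0.5                           # user logs on half an hour later
    while t <= session_h:
        if refresh_machine_on_reauth:
            cache.machine_auth(MAC, t)
        permit, _reason = user_auth(cache, MAC, t)
        if not permit:
            return t
        t += reauth_every_h           # periodic RADIUS session timeout / reauth
    return None


if __name__ == "__main__":
    print("PEAP/EAP-TLS, 18h cache, 19h session: first failure at hour", simulate())
    print("machine credential re-presented on each reauth:", simulate(refresh_machine_on_reauth=True))
```

The run shows the rejection landing at the first reauth after the 18-hour mark (hour 18.5 with the hourly interval used here), while the variant that refreshes the machine entry on every reauthentication never fails; that is the difference between relying on the MAR cache and chaining both credentials in one TEAP exchange.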

8 Replies

Hi Greg,

We are going to migrate our 2.4 deployment to a new 3.1 one. Unfortunately we have to rely on MAR and MAR cache distribution. I remember that in 2.4 there was an issue where MAR cache distribution was not actually enabled in spite of the configuration saved in the GUI. It seems that the issue is present in ISE 3.1 as well. We have 4 PSNs and two PSN groups, let's say group A and group B, both with MAR cache distribution enabled. We performed some tests and everything seems to work in group A but not in group B. I tried to delete and recreate group B and assign the node back to it, with no luck. The most frustrating thing with MAR is the lack of documentation for troubleshooting and the lack of cache inspection. During the 2.4 deployment setup I was able to find the right debug log to enable, but I can't remember which one it was. Could you please give me some hints on how to troubleshoot MAR cache distribution issues using the ISE logs?
Regards
M

Why do you need MAR at all? Personally I think an upgrade from 2.4 to 3.1 would be a perfect time to migrate off of MAR.

Unfortunately we can't.

We do not use AnyConnect as the supplicant, and the Windows native supplicant seems not to support TEAP on Active Directory-joined machines...

Regards

M

 

TEAP certainly works on domain-joined machines.

Thanks,

I'll ask the guys in charge of GPO administration again, since they showed me that TEAP is not listed among the EAP methods one can configure by GPO, nor when looking directly at the 802.1X configuration tab in the NIC properties of a joined PC. I read something about exporting an XML profile from a non-joined PC on which TEAP has been configured and importing it into the tool they use to build the GPO, but I am afraid there would be some issue with Microsoft support.

Regards

M   

It is not a matter of support by Microsoft; it's more a matter that MS has not updated the GPO model in quite some time, so TEAP is not an option directly in the GPO. TEAP is supported by the Windows native supplicant from Windows build 2004, and options for configuring the supplicant (including using XML or the RSAT tool) are discussed here:
https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289
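Since the GPO path Greg describes means pushing an exported XML profile rather than ticking a box, it is worth being able to verify what a profile actually contains before it goes out to thousands of clients. The script below is an added example, not from the thread or from Cisco or Microsoft: it parses a Windows wired (LAN) 802.1X profile of the kind produced by `netsh lan export profile` and reports the outer EAP method by its IANA type number (13 EAP-TLS, 25 PEAP, 55 TEAP) and the OneX `authMode`. The sample profiles are constructed and trimmed to the elements the check needs; the function and constant names are my own.

```python
"""Report the EAP method used by a Windows wired 802.1X profile.

Added example. Namespaces follow the Windows LAN profile / OneX / EapHostConfig
schemas; the sample XML is constructed here and reduced to the elements this
check reads (a real export carries more, e.g. the method-specific <Config>).
"""
import xml.etree.ElementTree as ET

NS = {
    "lan":  "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "ehc":  "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec":   "http://www.microsoft.com/provisioning/EapCommon",
}

# IANA EAP method type numbers (TEAP is type 55, RFC 7170).
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST", 55: "TEAP"}


def sample_profile(eap_type: int, auth_mode: str = "machineOrUser") -> str:
    """Constructed wired profile with the given outer EAP method (example data)."""
    return f"""<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>{auth_mode}</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""


def inspect_profile(xml_text: str) -> dict:
    """Return the 802.1X settings that matter for the MAR-vs-TEAP decision."""
    root = ET.fromstring(xml_text)
    enabled = root.findtext(".//lan:OneXEnabled", default="false", namespaces=NS)
    if enabled.strip().lower() != "true":
        raise ValueError("profile does not have 802.1X (OneXEnabled) turned on")
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        raise ValueError("no OneX block in profile")
    auth_mode = onex.findtext("onex:authMode", default="machineOrUser", namespaces=NS)
    type_text = onex.findtext(".//ehc:EapMethod/ec:Type", namespaces=NS)
    if type_text is None:
        raise ValueError("no EapMethod/Type in EapHostConfig")
    eap_type = int(type_text)
    return {
        "auth_mode": auth_mode,
        "eap_type": eap_type,
        "method": EAP_TYPES.get(eap_type, f"unknown({eap_type})"),
        # Only TEAP carries machine and user credentials in one exchange; any
        # other method leaves the two sessions separate, which is where MAR
        # would otherwise be used to tie them together.
        "chains_machine_and_user": eap_type == 55,
    }


if __name__ == "__main__":
    for t in (55, 25, 13):
        print(inspect_profile(sample_profile(t)))
```

On a real machine the input is the file written by `netsh lan export profile folder=<dir> interface=<name>`; feeding that file to `inspect_profile` tells you whether the exported profile is the TEAP one before it is wrapped into a GPO.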

 

Thanks Greg, this is the post I read.

I'd like to introduce TEAP but using MSCHAPv2 as the "inner" method. Do you think that is possible?

Since this new method will impact more than 10k clients and I have to convince the staff in charge of GPO management to add the new policy, I estimate not less than 6 months during which we have to keep relying on MAR.

Do you have some tips to DEBUG mar cache issues?

Regards

M
