11-03-2021 04:29 AM
ISE 3.0
What happens to a connected client if its MAR cache entry is purged on ISE and it then gets a RADIUS session timeout / reauth request while still connected?
Our MAR cache setting is 18 hours. If someone is logged in for 19 hours, will they get disconnected, and will the machine re-authenticate?
11-03-2021 02:56 PM
If a reauth happens and the user is logged in, the native supplicant will not reauth the machine session if you're using EAP methods like EAP-TLS or PEAP. This is one of the many issues inherent in MAR and why using MAR should be avoided unless absolutely necessary. I've had many customers that used MAR only to quickly get rid of it due to increased calls to the helpdesk.
See Machine Access Restriction Pros and Cons for other issues that MAR can cause.
The only efficient way of tying a computer and user session together using the Windows native supplicant is by using TEAP.
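The aging behaviour the question and answer above describe, as an added example that is not part of the thread and not ISE's own code: a simplified model of the MAR cache (one entry per endpoint MAC, stamped at the last successful machine authentication, purged once older than the configured aging time) and a scripted session in which the machine authenticates at boot, the user logs on, and a reauth arrives while the user is still logged in. Because PEAP and EAP-TLS on the Windows native supplicant present only the user identity at that point, no fresh machine auth refreshes the entry. The MAC, identities and times are constructed; what ISE does once WasMachineAuthenticated is false depends on your authorization policy, so the model only reports whether the MAR condition holds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthResult:
    when: datetime
    identity: str
    auth_type: str        # "machine" or "user"
    mar_satisfied: bool   # did the WasMachineAuthenticated check pass?
    detail: str


class MarCache:
    """Simplified model of the ISE MAR cache (not ISE code): one entry per
    endpoint MAC holding the time of the last successful machine auth."""

    def __init__(self, aging_hours=18):
        self.aging = timedelta(hours=aging_hours)
        self._entries = {}   # MAC -> datetime of last machine auth

    def machine_auth(self, mac, machine_identity, now):
        # Successful machine auth creates or refreshes the entry.
        self._entries[mac] = now
        return AuthResult(now, machine_identity, "machine", True,
                          "machine authenticated; MAR entry created/refreshed")

    def was_machine_authenticated(self, mac, now):
        ts = self._entries.get(mac)
        if ts is None:
            return False
        if now - ts > self.aging:
            del self._entries[mac]   # aged out: entry is purged
            return False
        return True

    def user_auth(self, mac, user_identity, now):
        ok = self.was_machine_authenticated(mac, now)
        detail = ("MAR entry valid; machine-and-user policy applies" if ok
                  else "no valid MAR entry; WasMachineAuthenticated is false")
        return AuthResult(now, user_identity, "user", ok, detail)


def simulate_session(aging_hours, reauth_after_hours, mac="00:11:22:33:44:55"):
    """Boot-time machine auth, user logon a minute later, then a session
    timeout / reauth `reauth_after_hours` after boot with the user logged in.
    Identities and times are constructed for the example."""
    cache = MarCache(aging_hours)
    t0 = datetime(2021, 11, 3, 8, 0)
    events = [
        cache.machine_auth(mac, "host/PC01.example.com", t0),
        cache.user_auth(mac, "alice", t0 + timedelta(minutes=1)),
        # Reauth while logged in: with PEAP/EAP-TLS the native supplicant
        # sends only the user identity, so the entry is not refreshed.
        cache.user_auth(mac, "alice", t0 + timedelta(hours=reauth_after_hours)),
    ]
    return events


if __name__ == "__main__":
    for ev in simulate_session(aging_hours=18, reauth_after_hours=19):
        print(ev.when, ev.auth_type, ev.identity, ev.mar_satisfied, ev.detail)
```

With an 18-hour aging time the reauth at 19 hours fails the MAR check, while the same reauth at 17 hours passes; shortening the aging time or lengthening the session timeout does not help, because nothing on the wire re-proves the machine identity until the next boot or logoff.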
12-20-2022 02:31 AM
Hi Greg,
We are going to migrate our 2.4 deployment to a new 3.1 one. Unfortunately we have to rely on MAR and MAR cache distribution. I remember that in 2.4 there was an issue with MAR cache distribution not actually being enabled in spite of the configuration saved via the GUI. It seems that the issue is present in ISE 3.1 as well. We have 4 PSNs and two PSN groups, let's say group A and group B, both with MAR cache distribution enabled. We performed some tests and everything seems to work in group A but not in group B. I tried to delete and recreate group B and assign the node back, with no luck. The most frustrating thing with MAR is the lack of documentation for troubleshooting and the lack of cache inspection. During the 2.4 deployment setup I was able to find the right debug log to enable, but I can't remember which it was. Could you please give me some hints on troubleshooting MAR cache distribution issues using the ISE logs?
Regards
M
12-20-2022 05:13 AM
Why do you need MAR at all? Personally I think an upgrade from 2.4 to 3.1 would be a perfect time to migrate off of MAR.
12-20-2022 05:18 AM
Unfortunately we can't.
We do not use AnyConnect as the supplicant, and the Windows native supplicant seems not to support TEAP on Active Directory-joined machines....
Regards
M
12-20-2022 05:30 AM
TEAP certainly works on domain joined machines.
12-20-2022 05:54 AM
Thanks,
I'll ask the guys in charge of GPO administration again, since they showed me that TEAP is not listed among the EAP methods one can configure by GPO, nor when looking directly at the 802.1X configuration tab in the NIC properties of a joined PC. I read something about exporting an XML profile from a non-joined PC on which TEAP has been configured and then importing it into the tool they use to build the GPO, but I am afraid there would be some issue with Microsoft support.
Regards
M
12-20-2022 01:18 PM
It is not a matter of support by Microsoft; it's more that MS has not updated the GPO model in quite some time, so TEAP is not an option directly in the GPO. TEAP is supported by the Windows native supplicant from Windows build 2004, and options for configuring the supplicant (including using XML or the RSAT tool) are discussed here:
https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289
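A quick way to verify what actually landed on a client after the GPO or XML import, as an added example that is not part of the thread and not Cisco's or Microsoft's code: parse an exported wired profile and report the 802.1X auth mode and the outer EAP method type, flagging TEAP (IANA EAP type 55) versus PEAP (25). The two profiles below are constructed and abbreviated to the elements this check reads; a real profile comes from `netsh lan export profile folder=<dir> interface=<name>` and carries many more settings. The check matches elements by local name so it does not depend on the exact namespace layout of the export.

```python
import xml.etree.ElementTree as ET

TEAP_EAP_TYPE = 55   # IANA EAP method type for TEAP (RFC 7170)
PEAP_EAP_TYPE = 25   # IANA EAP method type for PEAP

# Constructed, abbreviated stand-in for a `netsh lan export profile` file.
# Only the elements audit_profile() reads are present.
SAMPLE_PEAP_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>
"""

# Same constructed profile with the outer method switched to TEAP.
SAMPLE_TEAP_PROFILE = SAMPLE_PEAP_PROFILE.replace(">25<", ">55<")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Return the 802.1X settings relevant to MAR vs. TEAP from a profile."""
    root = ET.fromstring(xml_text)
    result = {"onex_enabled": False, "auth_mode": None, "outer_eap_type": None}
    for elem in root.iter():          # document order: outer EapMethod first
        name = _local(elem.tag)
        text = (elem.text or "").strip()
        if name == "OneXEnabled":
            result["onex_enabled"] = text.lower() == "true"
        elif name == "authMode":
            result["auth_mode"] = text
        elif name == "EapMethod" and result["outer_eap_type"] is None:
            for child in elem:
                if _local(child.tag) == "Type":
                    result["outer_eap_type"] = int(child.text.strip())
    result["is_teap"] = result["outer_eap_type"] == TEAP_EAP_TYPE
    # TEAP carries machine and user identity in one exchange; it still needs
    # the supplicant set to machineOrUser to present both.
    result["ties_machine_and_user"] = (result["is_teap"]
                                       and result["auth_mode"] == "machineOrUser")
    return result


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_TEAP_PROFILE
    for key, value in audit_profile(text).items():
        print(f"{key}: {value}")
```

Run it against the exported XML from a few clients after the GPO refresh; a profile that still reports outer EAP type 25 (or 13 for EAP-TLS) with `machineOrUser` is the PEAP/EAP-TLS-plus-MAR setup discussed above, not TEAP.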
12-21-2022 12:22 AM
Thanks Greg, this is the post I read.
I'd like to introduce TEAP but using MSCHAPv2 as the "inner" method. Do you think that is possible?
Since this new method will impact more than 10k clients and I have to convince the staff in charge of GPO management to add the new policy, I estimate not less than 6 months during which we have to keep leveraging MAR.
Do you have some tips for debugging MAR cache issues?
Regards
M