
MAR - why is it useful?

Arne Bier
VIP

Hi

A naïve question perhaps, but all the reading I have done on MAR (Machine Access Restriction) doesn't answer one fundamental question I have: Why would I need MAR, when my only network access is via EAP-TLS?  In other words, any device that wants to get onto the Wireless LAN via 802.1X is only offered EAP-TLS by the AAA server because we have disabled EAP-PEAP as an "allowed protocol".  If you come along with EAP-PEAP, then you simply won't get on the WLAN.  So this begs the question why would I still need MAR? 

In an ideal scenario I would imagine having X.509 certs on all my corp devices that are used during machine authentication (windows boot, or windows re-login).  If the certs are valid (and so they should be, because IT put them there) then what is the point of MAR?  My device is now on VLAN X, and the user can perform user authentication.  Question:  When user logs on, does this authentication go to AAA (EAP-PEAP - EAP-TLS), or does it go directly to the AD domain controller?  If EAP-PEAP / EAP-TLS to the AAA then why should the AAA care with MAR, since those devices were machine authenticated with certificates during boot (EAP-TLS machine auth).

Sorry for the dumb questions, but I need to understand the use case since I want to design and build the most secure (but also simple) solution that works across Windows 8.1 - 10.

thanks

4 Replies

Francesco Molino
VIP Alumni
Hi

Let me try to answer in a simple way.
What you achieve with MAR is quite the same as EAP chaining.

When you want to authenticate the machine and the user and give specific rights to the user, you'll use the attribute WasMachineAuthenticated in an authorization rule.

MAR is important in that case because it will cache the machine authentication, and this result will be reused with your user policy. This will allow you to give more rights to a user authenticating to the LAN with a corporate machine compared to one authenticating with their own machine.
In a few words, this allows you to do a mapping between a user and a machine.
You can do the same with EAP chaining, but it requires Cisco AnyConnect because the native supplicant on Windows machines doesn't support that feature.

Then, if your machine and user authentications are treated separately, you'll push an ACL when the machine authenticates and a new ACL when the user logs in, but you'll lose the information of which user authenticates with which machine on the network.

Hope my explanation is clear and matches your expectation.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.

Hi Francesco

Thanks for the reply. Not sure if I phrased my question correctly, but I was asking why anyone needs to use MAR in conjunction with a machine cert. In other words, if you have a valid machine cert, then why bother caching anything in ISE?

Is MAR used only in cases where the machine auth is done using HOST\machine credentials? 

I don't understand what makes MAR a requirement apart from "it's nice to have". What technical problem does it solve? (i.e. imagine a world without MAR; what would that mean? I can't solve problem X?)

I am hopeful that one day I will understand this.

I recently read the BRKSEC-2045 presentation, where the author states that Windows OS cannot mix the EAP methods when doing machine and user auth. Perhaps this has something to do with it?

Regards

Arne

Hi

I understand your question and I was trying to show the benefits of MAR.

In a few words, if you don't have MAR, you can correlate machine authentication with user authentication unless you use AnyConnect on all endpoints and do EAP chaining.

Then, in a world without MAR (and let's remove EAP chaining, which needs AnyConnect), you will authenticate the machine and separately authenticate the user. But both authentications won't be "merged" to give specific rights to a user authenticating with a corporate or with a non-corporate device.

Is that more clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.

agrissimanis
Level 1

It could potentially provide additional protection in the case where someone exports the corporate certificate (if your cert template is set to allow export of the private key) or otherwise gets hold of the user cert. With MAR policies you could check whether the machine from which the user is trying to authenticate has also authenticated recently, and avoid someone putting the cert on an unauthorized iPad, for example, and getting access to the corporate network.
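To make the two points in this thread concrete (Francesco's: the machine-auth result is cached and reused by the user authorization rule; agrissimanis's: a user cert moved to a device that never did machine auth gets a weaker result), here is a small constructed model of a MAR-style authorization policy. It is an added illustration and is not Cisco ISE code: the cache being keyed by endpoint MAC, the aging window, the authorization result names and every request below are assumptions chosen for the example, and only EAP-TLS is allowed, matching the original poster's setup.

```python
"""Toy model of MAR: cache machine authentication, reuse it for user authz.

Constructed example, not Cisco ISE logic. Assumptions: the cache is keyed
by the endpoint MAC address, entries expire after MAR_AGING_SECONDS, and
the only allowed protocol is EAP-TLS (as in the thread's setup).
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAR_AGING_SECONDS = 6 * 3600          # hypothetical cache lifetime
ALLOWED_PROTOCOLS = {"EAP-TLS"}       # EAP-PEAP disabled, as in the question


@dataclass
class AuthRequest:
    mac: str            # calling station, e.g. "00:11:22:33:44:55" (constructed)
    identity: str       # "host/PC1.corp.example" or "alice@corp.example"
    identity_type: str  # "machine" or "user"
    method: str         # EAP method offered by the supplicant
    timestamp: float    # seconds, monotonic for the scenario


@dataclass
class MarCache:
    """Maps MAC -> time of the last successful machine authentication."""
    entries: Dict[str, float] = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        """Models the WasMachineAuthenticated attribute with aging."""
        seen = self.entries.get(mac)
        return seen is not None and (now - seen) <= MAR_AGING_SECONDS


def authorize(req: AuthRequest, cache: MarCache) -> str:
    """Return an authorization result name for one access request."""
    if req.method not in ALLOWED_PROTOCOLS:
        return "REJECT"                       # EAP-PEAP never gets on the WLAN
    if req.identity_type == "machine":
        cache.record(req.mac, req.timestamp)  # machine cert accepted: cache it
        return "PERMIT_MACHINE_VLAN"
    # User authentication: valid user cert alone is not enough for full access.
    if cache.was_machine_authenticated(req.mac, req.timestamp):
        return "PERMIT_CORP_USER"             # user on a corp machine
    return "PERMIT_RESTRICTED_USER"           # user cert on an unknown device


def run_scenario() -> List[str]:
    """Four constructed requests covering the cases discussed in the thread."""
    cache = MarCache()
    pc_mac, tablet_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    requests = [
        # 1. Corporate PC boots and does machine auth with its cert.
        AuthRequest(pc_mac, "host/PC1.corp.example", "machine", "EAP-TLS", 0.0),
        # 2. Alice logs on to that PC: machine auth is in the cache -> corp rights.
        AuthRequest(pc_mac, "alice@corp.example", "user", "EAP-TLS", 60.0),
        # 3. Alice's exported cert on a tablet that never did machine auth.
        AuthRequest(tablet_mac, "alice@corp.example", "user", "EAP-TLS", 120.0),
        # 4. Same PC, but after the cache entry has aged out.
        AuthRequest(pc_mac, "alice@corp.example", "user", "EAP-TLS",
                    MAR_AGING_SECONDS + 1.0),
        # 5. A PEAP attempt is rejected regardless of cache state.
        AuthRequest(pc_mac, "alice@corp.example", "user", "EAP-PEAP", 200.0),
    ]
    return [authorize(r, cache) for r in requests]


if __name__ == "__main__":
    for i, result in enumerate(run_scenario(), 1):
        print(f"request {i}: {result}")
```

Request 3 is the exported-cert case: the user cert is perfectly valid, so without the cache there is nothing to distinguish it from request 2, which is why a valid machine cert on its own does not answer the "why cache anything" question. Request 4 shows the operational cost of a MAR cache: once the entry ages out, the user on a genuine corporate PC falls to the restricted result until the machine authenticates again, which in practice means a reboot or re-logon.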