A naïve question perhaps, but all the reading I have done on MAR (Machine Access Restriction) doesn't answer one fundamental question I have: Why would I need MAR, when my only network access is via EAP-TLS? In other words, any device that wants to get onto the Wireless LAN via 802.1X is only offered EAP-TLS by the AAA server because we have disabled EAP-PEAP as an "allowed protocol". If you come along with EAP-PEAP, then you simply won't get on the WLAN. So this begs the question why would I still need MAR?
In an ideal scenario I would imagine having X.509 certs on all my corp devices that are used during machine authentication (windows boot, or windows re-login). If the certs are valid (and so they should be, because IT put them there) then what is the point of MAR? My device is now on VLAN X, and the user can perform user authentication. Question: When user logs on, does this authentication go to AAA (EAP-PEAP - EAP-TLS), or does it go directly to the AD domain controller? If EAP-PEAP / EAP-TLS to the AAA then why should the AAA care with MAR, since those devices were machine authenticated with certificates during boot (EAP-TLS machine auth).
Sorry for the dumb questions - but I need to understand the use case since I want to design and build the most secure (but also simple) solution that works across Windows 8.1 - 10.
thanks for the reply. Not sure if I phrased my question correctly, but I was asking why anyone needs to use MAR in conjunction with a machine cert. In other words, if you have a valid machine cert then why bother caching anything in ISE.
Is MAR used only in cases where the machine auth is done using HOST\machine credentials?
I don't understand what makes MAR a requirement apart from "it's nice to have". What technical problem does it solve (i.e. imagine a world without MAR - what would that mean? I can't solve problem X ?)
I am hopeful that one day I will understand this.
I recently read the BRKSEC-2045 Presentation where the author states that Windows OS cannot mix the EAP methods when doing machine and user auth. Perhaps this has something to do with it?
It could potentially provide additional protection in case when someone exports the corporate certificate (if your cert template is set to allow export of the private key) or otherwise gets hold of the user cert. With MAR policies you could check if the machine from which the user is trying to authenticate has also authenticated recently, and avoid someone putting the cert on unauthorized IPad for example and getting access to the corporate network.