02-24-2011 08:14 AM - edited 03-10-2019 05:51 PM
Without creating a specific AD group for exempting certain users from MAR, is it possible to bypass MAR if a user is logging on from a particular host? I have been trying to create a policy that would do this, but with no success.
I've created a device group and placed the MAC address of my mobile phone in the group and created an authorization policy that matches the "Mobile Device Group" AND the AD group "Domain Users" which I'm a member of, but no matter what I do, it seems that the context of my logon always will match our existing rule that enforces MAR on all members of the Domain Users group.
Is placing my AD logon ID into a specific AD group that I reference in my policy the ONLY way to bypass MAR?
I would really like to not have to bypass MAR altogether for specific users, but allow users to bypass MAR when they are logging on from an authorized device, based on MAC address.
03-02-2011 12:48 AM
Mike,
I wanted to know what EAP method your wireless device is using. If it is using something other than MSCHAPv2, we should be able to create a policy based on the EAP method and then set "Was Machine Authenticated" to false for the same AD group, and then move this rule up above the one you currently have configured. Keep in mind the more "granular" the rule, the higher it should be.
Hope this helps,
Tarik
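The rule-ordering point above (the more granular rule must sit higher, because ACS authorization rules are evaluated first-match) as an added example that is not part of this thread or of Cisco ACS itself: a small model of an ordered policy, with hypothetical rule names, attribute names and profiles, showing that the same MAC-based bypass rule is never reached when it sits below the broad "Domain Users" MAR rule.

```python
# Added example (not from the thread or from Cisco ACS): a first-match model of an
# ACS-style authorization policy. Rule names, attribute names, profile names and the
# sample logon context are hypothetical placeholders constructed for illustration.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    conditions: dict   # attribute -> required value; all must hold (AND)
    result: str        # authorization profile returned on match

    def matches(self, ctx: dict) -> bool:
        return all(ctx.get(k) == v for k, v in self.conditions.items())


def evaluate(rules: list, ctx: dict) -> str:
    # First-match semantics: rules are tried top to bottom; the first hit wins.
    for rule in rules:
        if rule.matches(ctx):
            return rule.result
    return "default-deny"


def outcome(rules: list, ctx: dict) -> str:
    # A rule that enforces MAR only permits the user if the machine authenticated first.
    profile = evaluate(rules, ctx)
    if profile == "Enforce-MAR":
        return "PermitAccess" if ctx.get("machine_authenticated") else "Reject (MAR: no machine auth)"
    return profile


# The broad rule already in place: every Domain User is subject to MAR.
MAR_RULE = Rule("Domain-Users-MAR", {"ad_group": "Domain Users"}, "Enforce-MAR")
# The more granular rule: Domain User logging on from a device in the MAC-based group.
BYPASS_RULE = Rule("Mobile-Device-Bypass",
                   {"device_group": "Mobile Device Group", "ad_group": "Domain Users"},
                   "PermitAccess-NoMAR")

# Constructed logon context: a Domain User on PEAP/MSCHAPv2 from a phone in the device
# group, with no prior machine authentication (phones cannot machine-authenticate).
CONTEXT = {"eap_method": "PEAP-MSCHAPv2", "ad_group": "Domain Users",
           "device_group": "Mobile Device Group", "machine_authenticated": False}


def compare_orderings(ctx: dict) -> dict:
    # Same two rules, only their order differs.
    return {"bypass_below_mar": outcome([MAR_RULE, BYPASS_RULE], ctx),
            "bypass_above_mar": outcome([BYPASS_RULE, MAR_RULE], ctx)}


if __name__ == "__main__":
    print(compare_orderings(CONTEXT))
```

The model only reproduces ordering semantics; whether ACS can actually combine an internal device-group (MAC) condition with an external AD group condition in one rule is the open question of the thread, not something this code settles.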
03-02-2011 09:36 AM
PEAP / MSCHAPv2.
The problem is getting a policy that allows a local ACS device (MAC) to bypass the MAR requirement. ACS doesn't seem to allow tying a local authentication to an external AD authentication.