596 Views, 0 Helpful, 2 Replies

ACS Machine Access Restriction Exemption

Mike Campbell
Level 1

Without creating a specific AD group for exempting certain users from MAR, is it possible to bypass MAR if a user is logging on from a particular host? I have been trying to create a policy that would do this, but with no success.

I've created a device group and placed the MAC address of my mobile phone in the group and created an authorization policy that matches the "Mobile Device Group" AND the AD group "Domain Users" which I'm a member of, but no matter what I do, it seems that the context of my logon always will match our existing rule that enforces MAR on all members of the Domain Users group.

Is placing my AD logon ID into a specific AD group that I reference in my policy the ONLY way to bypass MAR?

I would really like to not have to bypass MAR altogether for specific users, but allow users to bypass MAR when they are logging on from an authorized device, based on MAC address.

2 Replies

Tarik Admani
VIP Alumni

Mike,

I wanted to know what EAP method your wireless device is using. If it is using something other than MSCHAPv2, we should be able to create a policy based on the EAP method, set "Was Machine Authenticated" to false for the same AD group, and then move this rule up above the one you currently have configured. Keep in mind: the more "granular" the rule, the higher it should be.

Hope this helps,

Tarik
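Tarik's ordering point, shown as an added example rather than code from ACS or from anyone in this thread: a simplified first-match authorization table with the three rules the thread talks about (MAR enforcement on Domain Users, a mobile-device exemption keyed on the endpoint MAC, and the plain Domain Users permit). The attribute names, the sample MAC address and the user are constructed assumptions; the only thing the model borrows from ACS is that the rule table is evaluated top-down and the first matching rule wins, which is why the exemption has no effect until it sits above the rule that enforces MAR.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    """Attributes an access request carries into the authorization policy (constructed)."""
    user: str
    ad_groups: frozenset
    calling_station_mac: str      # endpoint MAC (RADIUS Calling-Station-Id)
    eap_method: str
    machine_authenticated: bool   # the "Was Machine Authenticated" attribute MAR keys on


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Tuple[Callable[[Request], bool], ...]   # all must hold for the rule to match
    result: str


def evaluate(rules: List[Rule], req: Request, default: str = "DenyAccess") -> Tuple[str, str]:
    """First-match evaluation: the first rule whose conditions all hold decides the result."""
    for rule in rules:
        if all(cond(req) for cond in rule.conditions):
            return rule.name, rule.result
    return "Default", default


# Constructed sample MAC standing in for the phone placed in "Mobile Device Group".
MOBILE_DEVICE_GROUP = frozenset({"00:11:22:33:44:55"})


def in_ad_group(group: str) -> Callable[[Request], bool]:
    return lambda r: group in r.ad_groups


def in_device_group(macs: frozenset) -> Callable[[Request], bool]:
    return lambda r: r.calling_station_mac.lower() in macs


def was_machine_authenticated(value: bool) -> Callable[[Request], bool]:
    return lambda r: r.machine_authenticated is value


# The existing rule: any Domain User whose machine did not authenticate is denied.
ENFORCE_MAR = Rule("Enforce MAR",
                   (in_ad_group("Domain Users"), was_machine_authenticated(False)),
                   "DenyAccess")
# The more granular rule: same AD group, same MAR state, but from an authorized mobile device.
MOBILE_EXEMPTION = Rule("Mobile device exemption",
                        (in_ad_group("Domain Users"), in_device_group(MOBILE_DEVICE_GROUP),
                         was_machine_authenticated(False)),
                        "PermitAccess")
# The broad rule that machine-authenticated Domain Users normally fall through to.
DOMAIN_USERS = Rule("Domain Users", (in_ad_group("Domain Users"),), "PermitAccess")


def policy(exemption_first: bool) -> List[Rule]:
    """Build the rule table in the two orders being compared."""
    if exemption_first:
        return [MOBILE_EXEMPTION, ENFORCE_MAR, DOMAIN_USERS]
    return [ENFORCE_MAR, MOBILE_EXEMPTION, DOMAIN_USERS]


# Constructed requests: the phone, a laptop that skipped machine auth, and a laptop that did it.
PHONE = Request("mike", frozenset({"Domain Users"}), "00:11:22:33:44:55", "PEAP-MSCHAPv2", False)
LAPTOP_NO_MAR = Request("mike", frozenset({"Domain Users"}), "aa:bb:cc:dd:ee:ff", "PEAP-MSCHAPv2", False)
LAPTOP_MAR = Request("mike", frozenset({"Domain Users"}), "aa:bb:cc:dd:ee:ff", "PEAP-MSCHAPv2", True)


if __name__ == "__main__":
    for exemption_first in (False, True):
        order = "exemption above MAR" if exemption_first else "exemption below MAR"
        for label, req in (("phone", PHONE), ("laptop, no MAR", LAPTOP_NO_MAR), ("laptop, MAR", LAPTOP_MAR)):
            print(f"{order:22s} {label:15s} -> {evaluate(policy(exemption_first), req)}")
```

With the exemption below the MAR rule, the phone request matches "Enforce MAR" first and is denied, which is the behaviour Mike describes; moved above it, the phone is permitted while a laptop that skipped machine authentication is still denied. The device-group condition here is a plain MAC allow-list checked in the same rule as the AD group; the thread's follow-up notes that ACS does not let a local host lookup be tied to an external AD authentication this way, so the model shows only the ordering effect, not a supported ACS configuration.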

PEAP / MSCHAPv2.

Problem is getting a policy that allows a local ACS device (MAC) to bypass MAR requirement. ACS doesn't seem to allow tying a local authentication to an external AD authentication.