ISE - Machine Authentication vs Machine Access Restrictions

Hello all.

 

My organisation has recently implemented Cisco ISE and we have come up against an issue.


The issue relates to the Machine Access Restrictions option within Advanced Authentication Settings, whereby users must reboot their machines in order to gain access to the network when they switch from Wired to Wireless. From this Cisco article I can see that with MAR enabled there is no way around this issue.

 

My question is: what is the difference between Machine Authentication and MAR? Is Machine Authentication (via certificate on the client machine) still required even if MAR is turned off, or is MAR a requirement for client certificate authentication?

 

Apologies if this has been answered before, if it has please point me in the direction of any documentation.

 

Thanks,

Daryl

11 Replies

RJI (VIP Advisor)

Re: ISE - Machine Authentication vs Machine Access Restrictions

Hi Daryl,

 

MAR = machine authenticated and user authenticated, as in both must succeed in order for access to be permitted. There are a number of cons to this, which the article you referenced describes. MAR is basically restricting an authenticated user to connect only if the machine was authenticated.

 

Machine Authentication on its own is independent from a user authentication. One does not necessarily have to succeed for the other to succeed. You can configure Windows to only use computer authentication or only user authentication, though you may want to do both in order to process machine and user AD group policies. If you do want to do both, then these will be separate authentications.

 

No, MAR is not a requirement for client certificate authentication.

 

If you use AnyConnect NAM as the supplicant instead of the Windows native supplicant, you can do EAP Chaining, which combines both machine and user authentication but also resolves some of the issues around MAR.

 

HTH

Daryl (Beginner)

Re: ISE - Machine Authentication vs Machine Access Restrictions

Thank you for your response, forgive me if I am asking a silly question, but is it possible to force BOTH user and machine authentication without using MAR?

In theory, it might be overkill, as client machines with the certificate installed will only be accessible by domain users, but if this is possible it would be nice to have the extra layer of network security on top of domain security.

Thanks,
Daryl
RJI (VIP Advisor)

Re: ISE - Machine Authentication vs Machine Access Restrictions

Hi Daryl,

Yes. I assume you will use Windows Group Policy to push down the configuration to the computers? If so, then under Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies, specify Authentication Mode as "User or computer authentication". This will therefore authenticate the user and computer.

HTH
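As an added check (example code written for this page, not from the thread or from Cisco): once the Wired Network (IEEE 802.3) policy above has been applied, `netsh lan export profile folder=C:\profiles` writes each interface's 802.1X profile as XML. The script below parses such files and reports the configured `authMode` (`machineOrUser`, `machine` or `user`, which correspond to the three Authentication Mode choices in the GPO) and the EAP method, so you can confirm what the supplicant will actually do rather than trusting the GPO result pane. It also speaks to the later questions in this thread about computer-only authentication: a `machine` profile never presents a user identity, so only the machine account can appear in the RADIUS logs. The element names and namespaces follow Microsoft's LAN and OneX profile schemas; the sample profiles are constructed here, and the derived flags (`user_identity_logged`, `can_satisfy_mar`) are this example's own interpretation, marked as such in the comments.

```python
"""Classify exported Windows wired (802.3) 802.1X profiles by authentication mode.

Added example, not code from the original thread. Reads the XML produced by
`netsh lan export profile folder=<dir>` (a real netsh command) and uses the
element names from Microsoft's LAN/OneX profile schemas. Sample profiles below
are constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
}

# IANA EAP method type numbers for the two methods commonly used with ISE.
EAP_TYPES = {"13": "EAP-TLS", "25": "PEAP"}

# <authMode> value -> label shown under Authentication Mode in the wired GPO.
AUTH_MODES = {
    "machineOrUser": "User or computer authentication",
    "machine": "Computer authentication",
    "user": "User authentication",
}


def classify_profile(xml_text: str) -> dict:
    """Return the 802.1X settings that matter for machine vs user authentication."""
    root = ET.fromstring(xml_text)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX (802.1X) block")

    # Per the OneX schema, a missing <authMode> defaults to machineOrUser.
    mode_el = onex.find("onex:authMode", NS)
    mode = mode_el.text.strip() if mode_el is not None and mode_el.text else "machineOrUser"
    if mode not in AUTH_MODES:
        raise ValueError(f"unknown authMode {mode!r}")

    type_el = onex.find(".//eh:EapMethod/ec:Type", NS)
    eap_type = type_el.text.strip() if type_el is not None and type_el.text else "unknown"
    enabled_el = root.find(".//lan:security/lan:OneXEnabled", NS)

    return {
        "onex_enabled": (enabled_el is not None and enabled_el.text.strip() == "true"),
        "auth_mode": mode,
        "gpo_label": AUTH_MODES[mode],
        "eap_method": EAP_TYPES.get(eap_type, f"EAP type {eap_type}"),
        # Assumption for this example: a user identity only reaches the RADIUS
        # server (and its live logs) when the profile can perform user auth.
        "user_identity_logged": mode in ("machineOrUser", "user"),
        # Assumption for this example: only a profile that performs machine
        # auth can populate the server-side MAR cache at all.
        "can_satisfy_mar": mode in ("machineOrUser", "machine"),
    }


def sample_profile(auth_mode: str, eap_type: str = "13") -> str:
    """Constructed sample in the shape of a `netsh lan export profile` file.

    An empty auth_mode omits <authMode> to exercise the schema default.
    """
    mode_el = f"<authMode>{auth_mode}</authMode>" if auth_mode else ""
    return f"""<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        {mode_el}
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            # netsh exports may carry a UTF-8 BOM; utf-8-sig strips it.
            with open(path, encoding="utf-8-sig") as fh:
                print(path, classify_profile(fh.read()))
    else:
        # No files given: show the three GPO modes on constructed samples.
        for mode in ("machineOrUser", "machine", "user"):
            print(classify_profile(sample_profile(mode)))
```

Run it against the exported folder (`python classify_profiles.py C:\profiles\*.xml`) after a `gpupdate /force`; if `auth_mode` comes back as `machine` on a box that was supposed to get "User or computer authentication", the GPO has not applied or a local profile is overriding it.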

ajc (Frequent Contributor)

Re: ISE - Machine Authentication vs Machine Access Restrictions

The following video applies to ISE version 1.4 or 2.x if you want machine and user authentication with NO MAR.

 

https://www.youtube.com/watch?v=bjH99xKepLY

Explorer

Re: ISE - Machine Authentication vs Machine Access Restrictions

Hi @RJI,

Based on my understanding of your statement, if I configure my Windows supplicant for computer-only authentication, I can transfer the connection (wired to wireless) without rebooting the machine, am I correct?

Thanks

RJI (VIP Advisor)

Re: ISE - Machine Authentication vs Machine Access Restrictions

Hi,
Correct. Rebooting the computer would only be required if using MAR (computer and user authentication), as the computer authentication would be tied to the MAC address of either the wired or wireless NIC. So moving from wired to wireless or vice versa would cause an issue with MAR.

HTH
Explorer

Re: ISE - Machine Authentication vs Machine Access Restrictions

Hi @RJI , 

Thanks for the clarification.

If I only use machine authentication, can I still see which user logs into that authenticated machine if I dig into the RADIUS Live Logs?

Thanks

RJI (VIP Advisor)

Re: ISE - Machine Authentication vs Machine Access Restrictions

No, if you are only performing machine authentication, only the machine account will be in the logs.
Explorer

Re: ISE - Machine Authentication vs Machine Access Restrictions

Hi @RJI, just to clarify about the reboot matter.

 

Rebooting or logging off the machine will not be needed if I am just using machine authentication, setting my Windows supplicant to "computer only" as its authentication method, am I correct?

 

Thanks


RJI (VIP Advisor)

Re: ISE - Machine Authentication vs Machine Access Restrictions

Correct