Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7478
Views
14
Helpful
11
Replies

ISE - Machine Authentication vs Machine Access Restrictions

DarylBrooks
Level 1
Level 1

‎08-22-2017 06:50 AM - edited ‎02-21-2020 10:32 AM

Hello all.

 

My organisation has recently implemented Cisco ISE and we have come up against an issue.


The issue relates to the Machine Access Restrictions option within Advanced Authentication Settings, whereby users must reboot their machines in order to gain access to the network when they switch from Wired to Wireless. From this Cisco article I can see that with MAR enabled there is no way around this issue.

 

My question is, what is the difference between Machine Authentication and MAR, is Machine Authentication (via certificate on client machine) still required even if MAR is turned off, or is MAR a requirement for client certificate authentication.

 

Apologies if this has been answered before, if it has please point me in the direction of any documentation.

 

Thanks,

Daryl

Labels:
0 Helpful
11 Replies 11

Rob Ingram
VIP
VIP

‎08-22-2017 09:00 AM

Hi Daryl,

 

MAR = machine authenticated and user authenticated. As in both must succeed in order to be permitted access. There are a number of cons to this, which the article you referenced describes. MAR is basically restricting an authenticated user to connect only if the machine was authenticated.

 

Machine Authentication on it's own, is independent from a user authentication. 1 does not necessarily have to succeed for the other to succeed. You can configure windows to only use computer authentication or only user authentication. Though you may want to do both in order to process machine and user AD group policies. If you do want to do both, then these will be seperate authentications.

 

No, MAR is not a requirement for client certificate authentication.

 

If you use AnyConnect NAM as the supplicant instead of the windows native supplicant you can do EAP Chaining which combines both machine and user authenticaton, but also resolves some of the issues around MAR.

 

HTH

DarylBrooks
Level 1
Level 1
In response to Rob Ingram

‎08-23-2017 02:07 AM

Thank you for your response, forgive me if I am asking a silly question, but is it possible to force BOTH user and machine authentication without using MAR?

In theory, it might be overkill as client machines with the certificate installed will only be accessible by domain users, but if this is possible it would be nice to have the extra layer of
network security on top of domain security.

Thanks,
Daryl
0 Helpful

Rob Ingram
VIP
VIP
In response to DarylBrooks

‎08-23-2017 05:59 AM

Hi Daryl,

Yes, I assume you will use windows group policies to push down the configuration to the computers? If so, then under Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies - specify Authentication Mode as "User or computer authentication". This will therefore authenticate the user and computer.

HTH

ajc
Level 7
Level 7
In response to DarylBrooks

‎08-23-2017 12:40 PM

the following video applies to 1.4 or 2.x ISE version if you want machine and user authentication NO MAR.

 

https://www.youtube.com/watch?v=bjH99xKepLY

fatalXerror
Level 5
Level 5
In response to Rob Ingram

‎04-04-2019 09:58 AM

Hi @Rob Ingram,

Based on my understanding with your statement, if I configured my Windows supplicant into a computer-only authentication, I can transfer connection (wired to wireless) without rebooting the machine, am I correct?

Thanks

0 Helpful

Rob Ingram
VIP
VIP
In response to fatalXerror

‎04-04-2019 12:23 PM

Hi,
Correct. Rebooting of the computer would only be required if using MAR (computer and user authentication), as the computer authentication would be tied to the mac address of either the wired or wireless nic. So moving from wired to wireless or vice versa would cause an issue with MAR.

HTH
0 Helpful

fatalXerror
Level 5
Level 5
In response to Rob Ingram

‎04-05-2019 03:19 AM

Hi @Rob Ingram , 

Thanks for the clarification.

If I only use machine authentication, can I still see who is the user who logs into that authenticated machine if I dig down the RADIUS Live Logs?

Thanks

0 Helpful

Rob Ingram
VIP
VIP
In response to fatalXerror

‎04-05-2019 03:28 AM

No, if you are only performing machine authentication, only the machine account will be in the logs.
0 Helpful

fatalXerror
Level 5
Level 5
In response to Rob Ingram

‎04-06-2019 07:39 AM

Hi @Rob Ingram, just to clarify about the reboot matter.

 

Reboot or logging-off the machine will be no need if I am just using machine authentication setting my windows supplicant to "computer only" as its authentication method, am I correct?

 

Thanks

0 Helpful

fatalXerror
Level 5
Level 5
In response to Rob Ingram

‎04-06-2019 07:42 AM

@Rob Ingram 

 

just to clarify about the reboot matter.

 

Reboot or logging-off the machine will be no need if I am just using machine authentication setting my windows supplicant to "computer only" as its authentication method, am I correct?

 

Thanks

0 Helpful

Rob Ingram
VIP
VIP
In response to fatalXerror

‎04-06-2019 09:20 AM

Correct
0 Helpful
Customers Also Viewed These Support Documents